CN110691061B - Resource access control method and device - Google Patents


Info

Publication number
CN110691061B
Authority
CN
China
Prior art keywords
rule
access control
resource
operand
primitive
Prior art date
Legal status
Active
Application number
CN201810738533.8A
Other languages
Chinese (zh)
Other versions
CN110691061A
Inventor
周巍
Current Assignee
Telecommunications Science and Technology Research Institute Co Ltd
Original Assignee
Telecommunications Science and Technology Research Institute Co Ltd
Priority date
Filing date
Publication date
Application filed by Telecommunications Science and Technology Research Institute Co Ltd
Priority to CN201810738533.8A
Priority to PCT/CN2019/087658 (WO2020007132A1)
Publication of CN110691061A
Application granted
Publication of CN110691061B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a resource access control method and device. In the method, after receiving an access control decision request that asks for an access control policy decision on a resource access request initiated by an initiator, the method makes the access control policy decision on the resource access request according to an access control policy and returns an access control decision response. The access control policy comprises one or more access control rules, which describe the further rules that must be satisfied once the target resource rule and the initiator rule are satisfied. Each access control rule is described by at least one access control rule primitive set; a primitive set comprises one or more rule primitives, and each rule primitive in the set describes one decision condition of the access control rule.

Description

Resource access control method and device
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a resource access control method and apparatus.
Background
The internet of things standardization organization oneM2M is dedicated to developing a series of technical specifications for constructing a common Machine-to-Machine communication (M2M) service layer. The core of oneM2M is data sharing, specifically the sharing of data items on the resource trees defined within the oneM2M Common Services Entity (CSE).
oneM2M enables the sharing of, and interaction with, service layer resources by operating on a standardized resource tree; the oneM2M resource tree resides in the CSE defined by the oneM2M system. The form of the oneM2M resource tree is shown in FIG. 1, according to the definition in the oneM2M Functional Architecture specification (oneM2M TS-0001: "Functional Architecture"). Create, Retrieve, Update and Delete operations may be performed on oneM2M resources.
Among the resources defined by oneM2M, the resource related to authorization is the access control policy resource <accessControlPolicy>, in which an Access Control Policy (ACP) is defined. <accessControlPolicy> resources are uniquely identified by a resource ID.
An <accessControlPolicy> resource may be applied directly to certain oneM2M resource types, or bound indirectly to a target resource through the target resource's accessControlPolicyIDs attribute (i.e. another resource specifies the access control policy that applies to it through the accessControlPolicyIDs attribute in that resource). The access control policy stored in the <accessControlPolicy> resource describes access control with the target resource as the unit. The policy rules for a target resource apply to all attributes and sub-resources of that target resource.
At present, the security specification in the oneM2M series (oneM2M TS-0003: "Security Solutions") gives only a high-level description of the oneM2M authorization architecture: it specifies the main components and basic flows of the authorization architecture, but provides no concrete scheme for how the rules of an access control policy are to be described.
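As an added illustration of the binding just described (example code written for this page, not part of the patent or of the oneM2M specifications): a toy resource tree in which a resource may carry an accessControlPolicyIDs attribute, and a resolver that returns the policy IDs governing a target resource, one of its attributes, or one of its sub-resources. The sample tree, the attribute and policy names, and the rule that a resource with no IDs of its own is governed by the nearest ancestor that binds a policy are assumptions made for the example; an unknown target raises rather than silently matching a policy.

```python
# Added example (not from the patent or the oneM2M specifications): a toy
# oneM2M-style resource tree where a resource may carry an
# accessControlPolicyIDs attribute, plus a resolver returning the
# <accessControlPolicy> IDs governing a target. Attributes and sub-resources
# are governed by the policy bound to the resource (as the page states);
# walking up to the nearest ancestor that binds a policy is an assumption
# made here for resources that carry no IDs themselves.
from dataclasses import dataclass, field

@dataclass
class Resource:
    name: str
    attributes: dict = field(default_factory=dict)
    children: dict = field(default_factory=dict)   # sub-resources by name
    acp_ids: list = field(default_factory=list)    # accessControlPolicyIDs

    def add(self, child):
        self.children[child.name] = child
        return child

def resolve_policy_ids(root, path):
    """Return the accessControlPolicyIDs governing `path`.

    `path` is '/'-separated, e.g. 'CSEBase/ae1/cnt1' for a resource or
    'CSEBase/ae1/cnt1/labels' for an attribute of that resource.
    Raises KeyError when a segment names neither a sub-resource nor an
    attribute, so an unknown target never silently matches a policy.
    """
    segments = path.strip("/").split("/")
    if segments[0] != root.name:
        raise KeyError(segments[0])
    chain, node = [root], root
    for seg in segments[1:]:
        if seg in node.children:
            node = node.children[seg]
            chain.append(node)
        elif seg == segments[-1] and seg in node.attributes:
            break                     # attribute: governed by `node`'s policy
        else:
            raise KeyError(seg)
    for resource in reversed(chain):  # nearest binding wins (assumption)
        if resource.acp_ids:
            return list(resource.acp_ids)
    return []                         # no policy bound anywhere on the path

# Constructed sample tree: CSEBase -> ae1 -> cnt1 -> cin1, with cnt1 and cin1
# inheriting the policy bound to ae1.
SAMPLE_TREE = Resource("CSEBase", acp_ids=["acp_root"])
ae1 = SAMPLE_TREE.add(Resource("ae1", acp_ids=["acp_ae1"]))
cnt1 = ae1.add(Resource("cnt1", attributes={"labels": ["temp"]}))
cnt1.add(Resource("cin1"))
```

A resource server would call resolve_policy_ids() for the target of each incoming request before asking the decision point to evaluate the policies it returns; the KeyError path matters because a target that does not exist must not fall through to some unrelated policy.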
Disclosure of Invention
The embodiment of the application provides a resource access control method and device.
In a first aspect, a method for controlling resource access is provided. The method includes: receiving an access control decision request, which asks for an access control policy decision on a resource access request initiated by an initiator; obtaining an access control policy; making the access control policy decision on the resource access request according to the access control policy; and returning an access control decision response carrying the access control policy decision result for the resource access request. The access control policy comprises one or more access control rules, which describe the further rules that must be satisfied once the target resource rule and the initiator rule are satisfied. Each access control rule is described by at least one access control rule primitive set; a primitive set comprises one or more rule primitives, and each rule primitive in the set describes one decision condition of the access control rule.
In a possible implementation manner, the access control rule is further described by using a set of context restriction rule primitives, and the set of context restriction rule primitives includes one or more rule primitives for describing whether the access control rule to which the set of context restriction rule primitives belongs is available.
In a possible implementation manner, the access control policy further includes: a target resource rule describing a target resource applicable to the access control policy, the target resource rule being described using one or more rule primitives.
In a possible implementation manner, the access control policy further includes: an initiator rule describing a resource access request initiator applicable to the access control policy, the initiator rule being described using one or more rule primitives.
In one possible implementation, the rule primitive comprises a first operand, a second operand, and a logical operator applied to the first and second operands. The output of the rule primitive is the result of applying the logical operator to the two operands, which is either true or false: a result of true indicates that the decision condition described by the rule primitive is met, and a result of false indicates that it is not met.
In one possible implementation, the first operand is represented as a parameter or a set of parameters or as a first function, and the first function is used to obtain the parameter or the set of parameters as the first operand; and/or the second operand is represented as a parameter or a set of parameters or as a second function for fetching a parameter or a set of parameters as the second operand.
In one possible implementation, the first function obtains the parameter or parameter set used as the first operand from the resource access request, or obtains a target resource attribute value or set of attribute values, an initiator attribute value or set of attribute values, or context information as the first operand. Likewise, the second function obtains the parameter or parameter set used as the second operand from the resource access request, or obtains a target resource attribute value or set of attribute values, an initiator attribute value or set of attribute values, or context information as the second operand.
In one possible implementation, the logical operator is a logical comparison operator or a set operator.
In one possible implementation, there is a logical operation relationship between the plurality of rule primitives, and the logical operation relationship includes: a logical and operational relationship, or a logical or operational relationship.
In one possible implementation, a logical operational relationship exists between the plurality of access control rules.
In a possible implementation, the access control rule further includes a rule effect identifier, which indicates whether the decision result of the access control rule is permit or deny when the output results of all rule primitives in the access control rule are true.
In a second aspect, a resource access control apparatus is provided. The apparatus comprises: a receiving module for receiving an access control decision request, which asks for an access control policy decision on a resource access request initiated by an initiator; an acquisition module for obtaining an access control policy; a decision module for making the access control policy decision on the resource access request according to the access control policy; and a sending module for returning an access control decision response carrying the access control policy decision result for the resource access request. The access control policy comprises one or more access control rules, which describe the further rules that must be satisfied once the target resource rule and the initiator rule are satisfied. Each access control rule is described by at least one access control rule primitive set; a primitive set comprises one or more rule primitives, and each rule primitive in the set describes one decision condition of the access control rule.
In a possible implementation manner, the access control rule is further described by using a set of context restriction rule primitives, and the set of context restriction rule primitives includes one or more rule primitives for describing whether the access control rule to which the set of context restriction rule primitives belongs is available.
In a possible implementation manner, the access control policy further includes: a target resource rule describing a target resource applicable to the access control policy, the target resource rule being described using one or more rule primitives.
In a possible implementation manner, the access control policy further includes: an initiator rule describing a resource access request initiator applicable to the access control policy, the initiator rule being described using one or more rule primitives.
In one possible implementation, the rule primitive comprises a first operand, a second operand, and a logical operator applied to the first and second operands. The output of the rule primitive is the result of applying the logical operator to the two operands, which is either true or false: a result of true indicates that the decision condition described by the rule primitive is met, and a result of false indicates that it is not met.
In a third aspect, a communication apparatus is provided. The apparatus comprises a processor and a memory; the processor reads the program in the memory and executes: receiving an access control decision request, which asks for an access control policy decision on a resource access request initiated by an initiator; obtaining an access control policy; making the access control policy decision on the resource access request according to the access control policy; and returning an access control decision response carrying the access control policy decision result for the resource access request. The access control policy comprises one or more access control rules, which describe the further rules that must be satisfied once the target resource rule and the initiator rule are satisfied. Each access control rule is described by at least one access control rule primitive set; a primitive set comprises one or more rule primitives, and each rule primitive in the set describes one decision condition of the access control rule.
In a possible implementation manner, the access control rule is further described by using a set of context restriction rule primitives, and the set of context restriction rule primitives includes one or more rule primitives for describing whether the access control rule to which the set of context restriction rule primitives belongs is available.
In a possible implementation manner, the access control policy further includes: a target resource rule describing a target resource applicable to the access control policy, the target resource rule being described using one or more rule primitives.
In a possible implementation manner, the access control policy further includes: an initiator rule describing a resource access request initiator applicable to the access control policy, the initiator rule being described using one or more rule primitives.
In one possible implementation, the rule primitive comprises a first operand, a second operand, and a logical operator applied to the first and second operands. The output of the rule primitive is the result of applying the logical operator to the two operands, which is either true or false: a result of true indicates that the decision condition described by the rule primitive is met, and a result of false indicates that it is not met.
In one possible implementation, the first operand is represented as a parameter or a set of parameters or as a first function, and the first function is used to obtain the parameter or the set of parameters as the first operand; and/or the second operand is represented as a parameter or a set of parameters or as a second function for fetching a parameter or a set of parameters as the second operand.
In one possible implementation, the first function obtains the parameter or parameter set used as the first operand from the resource access request, or obtains a target resource attribute value or set of attribute values, an initiator attribute value or set of attribute values, or context information as the first operand. Likewise, the second function obtains the parameter or parameter set used as the second operand from the resource access request, or obtains a target resource attribute value or set of attribute values, an initiator attribute value or set of attribute values, or context information as the second operand.
In one possible implementation, the logical operator is a logical comparison operator or a set operator.
In one possible implementation, there is a logical operation relationship between the plurality of rule primitives, and the logical operation relationship includes: a logical and operational relationship, or a logical or operational relationship.
In one possible implementation, a logical operational relationship exists between the plurality of access control rules.
In a possible implementation, the access control rule further includes a rule effect identifier, which indicates whether the decision result of the access control rule is permit or deny when the output results of all rule primitives in the access control rule are true.
In a fourth aspect, there is provided a computer-readable storage medium having stored thereon computer-executable instructions for causing the computer to perform the method of any of the first aspects above.
In the embodiments of the present application, after an access control decision request asking for an access control policy decision on a resource access request initiated by an initiator is received, the access control policy decision is made on the resource access request according to an access control policy, and an access control decision response is returned. The access control policy comprises one or more access control rules; each access control rule is described by at least one access control rule primitive set, a primitive set comprises one or more rule primitives, and each rule primitive describes one decision condition of the access control rule. The access control rules of the embodiments are therefore expressed in terms of rule primitives, which supplies a concrete way to describe the rules of an access control policy.
Drawings
Fig. 1 is a schematic diagram of a oneM2M resource tree in the prior art;
FIG. 2 is a diagram illustrating a system architecture suitable for use in accordance with an embodiment of the present invention;
fig. 3 is a schematic view of a resource access control flow provided in an embodiment of the present application;
fig. 4 is a schematic view of an access control policy decision process in an embodiment of the present application;
fig. 5 is a schematic structural diagram of a resource access control apparatus according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a communication device according to an embodiment of the present application.
Detailed Description
The embodiment of the application provides a resource access control method and a related device thereof. Through the embodiment of the application, a new description mode is provided for the relevant rules of the access control policy.
The embodiment of the application can be applied to a oneM2M system or other systems.
The embodiments of the present application will be described in detail below with reference to the accompanying drawings.
Referring to fig. 2, a schematic diagram of a system architecture applicable to the embodiment of the present application is shown, where the system architecture may include: resource server, resource access control device, access control policy providing device, information providing device. These components may be independent logical entities, or may be independent hardware devices, or several of them may be integrated into one hardware device.
The resource server coexists with the application system requiring access control and is invoked by the application system. The resource server generates an access control decision request according to the resource access request of the resource access initiator, sends the access control decision request to the resource access control device, and then determines whether to execute the resource access request according to an access control decision response returned by the resource access control device.
The resource access control device decides, according to the access control policy, whether to grant access to the target resource requested in the access control decision request sent by the resource server, and returns the decision result to the resource server in the access control decision response. In this process the resource access control device may obtain the access control policy locally or from the access control policy providing device, and may obtain information about the user, the resource or the environment from the information providing device, such as the IP address of the accessing user, the creator of the resource, or the current time.
Taking the oneM2M system as an example, the resource server may be the Policy Enforcement Point (PEP) entity, the resource access control device may be the Policy Decision Point (PDP) entity, the access control policy providing device may be the Policy Retrieval Point (PRP) entity, and the information providing device may be the Policy Information Point (PIP) entity of the oneM2M system.
In the embodiment of the present application, the access control policy used to make an access control policy decision on a resource access request initiated by an initiator is mainly embodied as rules, which may include the following three kinds:
(1) Target resource rule: the target resource rule in the access control policy describes the target resources to which the access control policy applies. That is, according to the target resource rule it can be determined whether the target resource that the resource access request asks to access is allowed to be accessed.
Making the access control policy decision on the target resource requested by the resource access request according to the target resource rule yields one of the following decision results:
Applicable: the access control policy applies to the target resource requested by the resource access request, i.e. the target resource meets the requirements of the target resource rule, and access to that target resource is allowed.
Not applicable: the access control policy does not apply to the target resource requested by the resource access request, i.e. the target resource does not meet the requirements of the target resource rule, and access to that target resource is not allowed.
Further, an error may occur during the access control policy decision (for example, an error caused by a system anomaly or by some other cause), so that it cannot be determined whether the access control policy applies to the requested target resource. For this case a further decision result is available: Indeterminate. This result indicates that an error occurred in the decision process and that it cannot be judged whether the access control policy applies to the target resource.
(2) Initiator rule: the initiator rule in the access control policy describes the resource access request initiators to which the access control policy applies. That is, according to the initiator rule it can be determined whether the initiator of the resource access request is allowed to access resources.
Making the access control policy decision on the initiator of the resource access request according to the initiator rule yields one of the following decision results:
Applicable: the access control policy applies to the initiator of the resource access request, i.e. the initiator of the resource access request is allowed to access resources.
Not applicable: the access control policy does not apply to the initiator of the resource access request, i.e. the initiator of the resource access request is denied access to the resource.
Further, an error may occur during the access control policy decision (for example, an error caused by a system anomaly or by some other cause), so that it cannot be determined whether the access control policy applies to the initiator of the resource access request. For this case a further decision result is available: Indeterminate. This result indicates that an error occurred in the decision process and that it cannot be judged whether the access control policy applies to the initiator of the resource access request.
(3) Access control rules: the access control rules describe the further rules that must be satisfied once the target resource rule and the initiator rule are satisfied. That is, when the resource access request satisfies both the target resource rule and the initiator rule, it can be determined from the access control rules whether the resource access request is permitted or denied. Optionally, the access control rules may be defined on resource attributes, user attributes, context attributes and the like, i.e. the rules to be satisfied are expressed in terms of these attributes.
Making the access control policy decision on the resource access request according to the access control rules yields one of the following decision results:
Permit: the access control policy permits the resource access request, i.e. the resource access request meets the requirements of the access control rules, and the resource access request is allowed.
Deny: the access control policy does not permit the resource access request, i.e. the resource access request does not meet the requirements of the access control rules, and the resource access request is denied.
Further, the following decision result may also be obtained: Not applicable. This result indicates that the access control policy does not apply to the resource access request. One situation in which it arises is that the access control rule includes a context restriction rule, and the resource access request is not allowed according to that context restriction rule; the decision result obtained is then "not applicable".
Further, an error may occur during the access control policy decision (for example, an error caused by a system anomaly or by some other cause), so that it cannot be determined whether the resource access request is allowed. For this case a further decision result is available: Indeterminate. This result indicates that an error occurred in the decision process and that it cannot be judged whether the resource access request is allowed.
Optionally, the target resource rule in the access control policy may be described by one or more rule primitives. If several rule primitives are used, a logical operation relationship exists among them, and the decision result of the target resource rule is obtained by combining the outputs of the rule primitives according to that logical operation relationship.
A rule primitive may consist of one or more instructions that describe a decision condition; a rule primitive is indivisible.
For a rule primitive, the input parameters are fed into the rule primitive, a logical operation is performed, and an output result is obtained. The output result of a rule primitive indicates whether the decision condition described by the rule primitive is met. Specifically, the output result of a rule primitive may be one of:
True: the result of the logical operation of the rule primitive is true, i.e. the decision condition described by the rule primitive is met.
False: the result of the logical operation of the rule primitive is false, i.e. the decision condition described by the rule primitive is not met.
Further, an error may occur during the logical operation of the rule primitive (for example, an error caused by a system exception or by some other cause), so that neither a "true" nor a "false" output can be obtained. For this case a further output result is available: Error. This result indicates that an error occurred while executing the rule primitive and that no "true" or "false" output could be obtained.
Optionally, a rule primitive may have the structure (operand 1, operator, operand 2).
Operand 1 may be a single value, a set of several values, or a function. If operand 1 is given as a function, the return value of the function is obtained as operand 1 when the access control policy decision is made; the return value may be a single parameter value or a set of values of several parameters. Operand 2 likewise may be a single value, a set of values, or a function; if it is given as a function, its return value (again a single parameter value or a set of values of several parameters) is obtained as operand 2 when the decision is made.
Alternatively, the function may be divided into the following two sets of functions:
(1) A set of functions for acquiring resource access request parameters; the functions in this set are used to obtain the parameters carried in the resource access request. For example, the functions in this set may include:
- a function for obtaining the target resource address in the resource access request, which may be named request.get("to"), where "to" indicates that the parameter requested by the function is the target resource address; accordingly, the return value of the function is the target resource address;
- a function for obtaining the operation type requested in the resource access request, which may be named request.get("operation"), where "operation" indicates that the parameter requested by the function is the operation type to be performed on the target resource; accordingly, the return value of the function is the requested operation type, such as Create, Retrieve (query), Update (modify) or Delete;
- a function for obtaining the role in the resource access request, which may be named request.get("role IDs"), where "role IDs" indicates that the parameter requested by the function is the identifier of the initiator's role; accordingly, the return value of the function is the initiator role ID.
(2) A set of functions for acquiring resource attributes; the functions in this set are used to obtain the attributes of the target resource. For example, the functions in this set may include:
- a function for obtaining the target resource type, which may be named resource.get("resourceType"), where "resourceType" indicates that the parameter requested by the function is the resource type of the target resource; accordingly, the return value of the function is the resource type of the target resource;
- a function for obtaining the identifier of the target resource, which may be named resource.get("resource id"), where "resource id" indicates that the parameter requested by the function is the identifier of the target resource; accordingly, the return value of the function is the identifier of the target resource;
- a function for obtaining the creation time of the target resource, which may be named resource.
Optionally, the operators in the rule primitives may be classified into the following two categories:
Logical operation operator: based on a logical operation operator, a logical comparison of operand 1 and operand 2 can be performed. For example, the logical operation operator may be: greater than, less than or equal to, etc.
Set operation operator: based on a set operation operator, a set comparison of operand 1 and operand 2 can be performed. For example, based on a set operation operator it may be determined whether operand 1 is equal to operand 2, whether operand 1 is contained in operand 2, and the like.
Alternatively, the logical operation relationship between the rule primitives in the target resource rule may be a logical and, in this case, the decision result of the target resource rule may be "applicable" only when the requested target resource meets the decision conditions defined by all the rule primitives in the target resource rule. That is, when the output results of all the rule primitives in the target resource rule are "true", the decision result of the target resource rule is "applicable".
Optionally, the logical operation relationship between the rule primitives in the target resource rule may also be "logical or", in which case, when the requested target resource meets the decision condition defined by at least one rule primitive in the target resource rule, the decision result of the target resource rule may be "applicable". That is, if the output result of one rule primitive in the target resource rule is "true", the decision result of the target resource rule is "applicable".
Optionally, the initiator rules in the access control policy may be described using one or more rule primitives. If a plurality of rule primitives are used for description, a logical operation relationship exists among the plurality of rule primitives, and according to the logical operation relationship among the plurality of rule primitives, a judgment result of an initiator rule can be obtained based on a combination result of the plurality of rule primitives.
The structure of the rule primitive and the like can be referred to the foregoing embodiments, and will not be repeated here.
Optionally, the logical operation relationship between the rule primitives in the initiator rule may be "logical and"; in this case, only when the resource access request initiator meets the decision conditions defined by all the rule primitives in the initiator rule is the decision result of the initiator rule "applicable". That is, when the output results of all the rule primitives in the initiator rule are "true", the decision result of the initiator rule is "applicable".
Optionally, the logical operation relationship between the rule primitives in the initiator rule may also be "logical or", in which case, when the resource access request initiator meets the decision condition defined by at least one rule primitive in the initiator rule, the decision result of the initiator rule may be "applicable". That is, as long as the output result of one rule primitive in the initiator rule is "true", the decision result of the initiator rule is "applicable".
The number of access control rules in the access control policy may be one or more. If there are multiple access control rules, a logical operation relationship exists among them, and according to that relationship a single decision result based on all the access control rules can be obtained from the combined result of the multiple access control rules. Optionally, the logical operation relationship between the access control rules may be permit priority, deny priority, or another logical operation relationship. Permit priority means: if the decision result of at least one of the access control rules is "allowed", the single decision result based on all the access control rules is "allowed". Deny priority means: if the decision result of at least one of the access control rules is "reject", the single decision result based on all the access control rules is "reject".
Optionally, an access control rule is described using at least one set of access control rule primitives, where the set includes one or more rule primitives, and one rule primitive in the set is used to describe a decision condition in the access control rule. The structure of the rule primitive and the like can be referred to the foregoing embodiments, and will not be repeated here.
Alternatively, the logical operation relationship between the rule primitives in the access control rule primitive set may be a logical and, in this case, the decision result based on the set may be applicable only when the resource access request meets the decision condition defined by all the rule primitives in the set. That is, the decision result based on the set is "applicable" only if the output results of all the rule primitives in the set are "true".
Optionally, the logical operation relationship between the rule primitives in the access control rule primitive set may also be "logical or", in which case, when the resource access request meets the decision condition defined by at least one rule primitive in the set, the decision result based on the set may be "applicable". That is, as long as the output result of one rule primitive in the set is "true", the decision result based on the set is "applicable".
Optionally, an access control rule may further include a set of context restriction rule primitives, where the set includes one or more rule primitives, and a rule primitive in the set is used to describe a context decision condition in the access control rule, and based on the condition, it may be determined whether the access control rule is available. The context decision condition may specifically be a decision condition on access time, access location, IP address, etc. The structure of the rule primitive and the like can be referred to the foregoing embodiments, and will not be repeated here.
Alternatively, the logical operation relationship between the rule primitives in the set of context restriction rule primitives may be "logical and", in which case, as long as the output of one rule primitive in the set is "false", the decision result of the corresponding access control rule is "not applicable" or "uncertain".
Optionally, the logical operation relationship between the rule primitives in the context restriction rule primitive set may also be "logical or", in which case, when the outputs of all the rule primitives in the set are "false", the decision result of the corresponding access control rule is "not applicable" or "uncertain".
Optionally, within an access control rule, it may be the default that the decision result of the access control rule is "allowed" when the combination result of the rule primitives in the access control rule primitive set is "true" and the combination result of the rule primitives in the context restriction rule primitive set is "true"; alternatively, it may be the default that the decision result of the access control rule is "reject" under that same combination of results. An identifier, which may be called the rule effect identifier, may also be set in the access control rule to indicate explicitly whether the decision result of the access control rule is "allowed" or "denied" when the combination result of the rule primitives in the access control rule primitive set is "true" and the combination result of the rule primitives in the context restriction rule primitive set is "true".
Further, in an access control rule, if the combination result based on the rule primitive in the access control rule primitive set is "error" or the combination result based on the rule primitive in the context restriction rule primitive set is "error", the decision result of the access control rule is "inapplicable" or "uncertain".
Several examples of access control rules are given below to aid understanding of the embodiments of the present application.
Example one of an access control rule:
The access control rule describes: the initiators (AE2, AE3, AE4, AE5) are able to create <container> resources under the <CSEBase>\<AE1> resource. The rule primitives in the access control rule include:
Rule effect="permit"
Rule primitive merge rule: "and"
Rule primitive 1: request.get("to")=="CSEBase\AE1"
Rule primitive 2: request.get("from") in "AE2,AE3,AE4,AE5"
Rule primitive 3: request.get("operation")=={"create","retrieve","update"}
Rule primitive 4: request.get("resource type")=="container"
Rule primitive 5: request.get("content") in {"maxNrOfInstances","maxByteSize","maxInstanceAge"}
Description:
Rule primitive 1 describes that the target resource is CSEBase\AE1. This rule primitive may also be placed in the target resource rule.
Rule primitive 2 describes the initiators (AE2, AE3, AE4, AE5) as the applicable resource access request initiators. This rule primitive may also be placed in the initiator rule.
Rule primitive 3 describes that the allowed resource operations are: create, read and modify.
Rule primitive 4 describes that the target resource type allowed for the operation is "container".
Rule primitive 5 describes that the operable resource attributes are: "maxNrOfInstances", "maxByteSize", "maxInstanceAge".
Example two of an access control rule:
The access control rule describes: the initiators (CSE2, CSE3, CSE4) can obtain the attribute value of the resource attribute (resourceType) of the <CSEBase>\<AE1> resource.
Rule effect="permit"
Rule primitive merge rule: "and"
Rule primitive 1: request.get("to")=="CSEBase\AE1"
Rule primitive 2: request.get("from") in "CSE2,CSE3,CSE4"
Rule primitive 3: request.get("operation")=="retrieve"
Rule primitive 4: request.get("content") in {"resourceType"}
Description:
Rule primitive 1 describes that the target resource is CSEBase\AE1. This rule primitive may also be placed in the target resource rule.
Rule primitive 2 describes the initiators (CSE2, CSE3, CSE4) as the applicable resource access request initiators. This rule primitive may also be placed in the initiator rule.
Rule primitive 3 describes that the allowed resource operation is: retrieve.
Rule primitive 4 describes that the resource attribute allowed for the operation is: "resourceType".
Example three of an access control rule:
The access control rule describes: Role-Based Access Control (RBAC). The role "Admin" may create an <AE> resource under the <CSEBase> resource.
Rule effect="permit"
Rule primitive merge rule: "and"
Rule effect="Permit"
Rule primitive 1: request.getParents("to")=="CSEBase"
Rule primitive 2: request.get("from") in "AE1,AE2,AE3"
Rule primitive 3: request.get("role ids") in "admin"
Rule primitive 4: request.get("operation")=="create"
Rule primitive 5: request.get("resource type")=="AE"
Description:
Rule primitive 1 describes that the target resource is a sub-resource under CSEBase. This rule primitive may also be placed in the target resource rule.
Rule primitive 2 describes the initiators (AE1, AE2, AE3) as the applicable resource access request initiators. This rule primitive may also be placed in the initiator rule.
Rule primitive 3 describes that the allowed role is: "admin".
Rule primitive 4 describes that the allowed resource operation is: create.
Rule primitive 5 describes that the resource type allowed for the operation is: "AE".
Example four of an access control rule:
The access control rule describes: Role-Based Access Control (RBAC). The role "Admin" can read the AE IDs and App IDs of <AE> resources created in 2017 under the <CSEBase> resource.
Rule effect="permit"
Rule primitive merge rule: "and"
Rule effect="Permit"
Rule primitive 1: request.getParents("to")=="CSEBase"
Rule primitive 2: request.get("role ids") in "admin"
Rule primitive 3: request.get("operation")=="retrieve"
Rule primitive 4: resource.get("resourceType")=="AE"
Rule primitive 5: request.get("content") in {"AE-ID","App-ID"}
Rule primitive 6: resource.get("creationTime")>="2017.01.01" && resource.get("creationTime")<="2017.12.31"
Description:
Rule primitive 1 describes that the target resource is a sub-resource under CSEBase. This rule primitive may also be placed in the target resource rule.
Rule primitive 2 describes that the allowed role is: "admin".
Rule primitive 3 describes that the allowed resource operation is: retrieve.
Rule primitive 4 describes that the resource type allowed for the operation is: "AE".
Rule primitive 5 describes that the resource attributes allowed for the operation are: "AE-ID" and "App-ID".
Rule primitive 6 describes that the creation time of the resources allowed for the operation is between 2017.01.01 and 2017.12.31.
Example five of an access control rule:
The access control rule describes: blacklist-based access control. The initiators (AE1, AE2, AE3) cannot read the <CSEBase>\<AE1> resource, i.e. the initiators (AE1, AE2, AE3) are on the access control blacklist.
Rule effect="deny"
Rule primitive merge rule: "and"
Rule primitive 1: request.get("to")=="CSEBase\AE1"
Rule primitive 2: request.get("from") in "AE1,AE2,AE3"
Rule primitive 3: request.get("operation")=="retrieve"
Description:
Rule primitive 1 describes that the target resource is: CSEBase\AE1.
Rule primitive 2 describes the initiators (AE1, AE2, AE3) as the applicable resource access request initiators.
Rule primitive 3 describes that the resource operation concerned is: retrieve.
Rule effect="deny" describes that when rule primitives 1, 2 and 3 are all satisfied, the decision result is "reject".
Referring to fig. 3, a schematic view of a resource access control flow provided in the embodiment of the present application is shown. This flow may be performed by the resource access control device in the system architecture shown in fig. 2.
As shown, the process may include:
s301: and receiving an access control decision request, wherein the access control decision request is used for requesting to carry out access control strategy judgment on a resource access request initiated by an initiator.
In this step, the initiator sends a resource access request to request access to the target resource. The resource access request may be intercepted by a resource server. And the resource server generates an access control decision request according to the resource access request and sends the access control decision request to the resource access control device so as to request the resource access control device to perform access control decision on the resource access request.
S302: an access control policy is obtained.
The access control policy comprises one or more access control rules, the one or more access control rules are used for describing rules which are satisfied when a target resource rule and an initiator rule are satisfied, each access control rule is described by using at least one access control rule primitive set, the access control rule primitive set comprises one or more rule primitives, and one rule primitive in the access control rule primitive set is used for describing one access control condition in the access control rules. For the related description of the access control rule, reference may be made to the foregoing embodiments, which are not repeated here.
Optionally, the access control rule is further described by using a set of context restriction rule primitives, where the set of context restriction rule primitives includes one or more rule primitives for describing whether the access control rule to which the set of context restriction rule primitives belongs is available.
Optionally, the access control policy further includes: a target resource rule describing a target resource applicable to the access control policy, the target resource rule being described using one or more rule primitives.
Optionally, the access control policy further includes: an initiator rule describing a resource access request initiator applicable to the access control policy, the initiator rule being described using one or more rule primitives.
The structure and related description of the rule primitive in the access control policy described above can be referred to the foregoing embodiments, and are not repeated here.
In specific implementation, the resource access control device may obtain the resource access control policy from the local, or may obtain the resource access control policy from the access control policy providing device. Further, the resource access control device may also acquire related information, such as resource attributes, context information, and the like, from the information providing device.
S303: and according to the access control strategy, performing access control strategy judgment on the resource access request.
In this step, the resource access control device may perform access control decision according to the order of the target resource rule, the initiator rule, and the access control rule, and only when the decision results of the target resource rule and the initiator rule are both "applicable", the decision is performed on the access control rule, and the decision result of the access control rule is taken as the decision result of the access control policy. If one of the judgment result of the target resource rule and the judgment result of the initiator rule is 'inapplicable', the judgment result of the access control policy is 'inapplicable'. Fig. 4 exemplarily shows an access control policy decision flow.
S304: and returning an access control decision response, wherein the access control decision response carries an access control strategy decision result of the resource access request.
In this step, the resource access control device may send the access control policy decision result to the resource server through the access control policy response, and the resource server may perform resource access according to the access control policy decision result or reject the resource access request of the initiator.
Referring to fig. 4, an access control policy decision process provided for the embodiment of the present application may include, as shown in the figure:
s401: and judging whether the target resource requested to be accessed by the resource access request is matched with the target resource rule or not according to the target resource rule, if not, turning to S402, and if so, turning to S403.
The input parameters for decision-making based on the target resource rule may include the address of the target resource accessed by the initiator.
As an example, the decision process of the target resource rule may include the following. First, determine whether the target resource rule is empty. If it is empty, the default target resource rule applies to any target resource, so the decision result of the target resource rule is "applicable", i.e. the target resource matches the target resource rule. Otherwise, obtain the target resource address from the resource access request and determine whether it lies within the allowed resource address range described by the target resource rule: if it does, the decision result of the target resource rule is "applicable"; if it does not, the decision result of the target resource rule is "inapplicable".
Optionally, if an error occurs in the target resource rule decision process, the decision result of the target resource is "uncertain".
S402: the decision result of the access control policy is set to "inapplicable", that is, the access control policy is not applicable to the target resource requested by the resource access request.
S403: and judging whether the initiator of the resource access request is matched with the initiator rule or not according to the initiator rule, if not, turning to S404, and if so, turning to S404.
The input parameters for making a decision based on the initiator rule may include an initiator identification.
As an example, the decision process of the initiator rule may include the following. First, determine whether the initiator rule is empty. If it is empty, the default initiator rule applies to any initiator, so the decision result of the initiator rule is "applicable", i.e. the initiator of the resource access request matches the initiator rule. Otherwise, obtain the initiator identifier from the resource access request and determine whether it lies within the allowed initiator range described by the initiator rule: if it does, the decision result of the initiator rule is "applicable"; if it does not, the decision result of the initiator rule is "not applicable".
Further, if an error occurs in the process of determining the initiator rule, the determination result of the initiator rule is "uncertain".
S404: the decision result of the access control policy is set to "inapplicable", that is, the access control policy is not applicable to the initiator of the resource access request.
S405: and judging whether the resource access request is matched with the access control rule according to the access control rule, if so, switching to S406, and otherwise, switching to S407 or S408 according to the condition.
As an example, the decision process of the access control rule may include:
First, determine whether the access control rule contains a context restriction rule primitive set. If it does, determine the availability state of the access control rule according to the rule primitives in the context restriction rule primitive set: if the access control rule is determined to be available, continue with the subsequent access control rule decision; if it is determined to be unavailable, go to S407 and set the decision result of the access control policy to "inapplicable"; if its availability state is determined to be uncertain, set the decision result of the access control policy to "uncertain". If the access control rule has no context restriction rule primitive set, the decision result based on the context restriction rule primitive set is taken to be "true", and the subsequent access control rule decision is performed.
In the process of making a decision based on the context restriction rule primitive set, if the combined result of the rule primitives in the rule primitive set is "true", it indicates that the access control rule is available, and if the combined result of the rule primitives in the rule primitive set is "false", it indicates that the access control rule is unavailable. Further, if an error occurs in the decision process, it indicates that the available state of the access control rule is "uncertain".
In the process of making a decision based on the access control rule, according to the access control rule primitive set in the access control rule, if the merging result of the rule primitives in the rule primitive set is judged to be "true", the procedure proceeds to S406, where the decision result of the access control rule is "allowed", and if the merging result of the rule primitives in the rule primitive set is judged to be "false", the procedure proceeds to S408, where the decision result of the access control rule is "denied", and if an error occurs in the decision process, the decision result of the access control rule is "uncertain".
Further, if there are a plurality of access control rules, a decision is made for each access control rule to obtain a decision result of the access control rule, and then a final decision result based on all the access control rules is determined based on a rule merging algorithm according to the decision result of each access control rule. Wherein the rule merging algorithm may include allowing precedence or negating precedence.
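As an added example (not code from the patent or its applicant), here is a small Python evaluator for the rule primitive model described above: the three-valued primitive output, the "and"/"or" merge rules, the context restriction rule primitive set, the rule effect identifier, the target resource and initiator rules of S401 to S404, and the permit priority / deny priority rule merging algorithm of S405. The class names, the request_get accessor, the "accessTime" context restriction and the choice to treat a rule whose conditions are not met as "not applicable" are assumptions of this example; the two rules transcribed are examples one and five above.

```python
from dataclasses import dataclass, field
import operator as op
from typing import Any, Callable, Dict, List

TRUE, FALSE, ERROR = "true", "false", "error"   # three-valued output of a rule primitive
Ctx = Dict[str, Dict[str, Any]]   # decision context: {"request": {...}, "resource": {...}}
COMPARE = {"==": op.eq, ">": op.gt, ">=": op.ge, "<": op.lt, "<=": op.le}   # logical operators


def request_get(name: str) -> Callable[[Ctx], Any]:
    """Function-form operand: a parameter carried in the resource access request."""
    return lambda ctx: ctx["request"][name]   # missing parameter -> KeyError -> "error"


@dataclass
class Primitive:
    """(operand 1, operator, operand 2); an operand is a value, a set, or a function."""
    operand1: Any
    operator: str        # a key of COMPARE, or the set operator "in"
    operand2: Any

    def evaluate(self, ctx: Ctx) -> str:
        try:
            a = self.operand1(ctx) if callable(self.operand1) else self.operand1
            b = self.operand2(ctx) if callable(self.operand2) else self.operand2
            if self.operator == "in":   # membership, or subset when operand 1 is a set
                ok = set(a) <= set(b) if isinstance(a, (list, set, tuple)) else a in b
            elif self.operator in COMPARE:
                ok = COMPARE[self.operator](a, b)
            else:
                return ERROR            # unknown operator: cannot decide
            return TRUE if ok else FALSE
        except Exception:               # missing parameter, type mismatch, ...
            return ERROR


def merge(results: List[str], mode: str) -> str:
    """Combine primitive outputs under the set's merge rule ("and" / "or").
    An empty set counts as "true"; an error never silently turns into "true"."""
    if not results:
        return TRUE
    if mode == "and":
        return FALSE if FALSE in results else ERROR if ERROR in results else TRUE
    return TRUE if TRUE in results else ERROR if ERROR in results else FALSE


@dataclass
class Rule:
    effect: str                        # rule effect identifier: "permit" / "deny"
    primitives: List[Primitive]        # access control rule primitive set
    merge_rule: str = "and"
    context: List[Primitive] = field(default_factory=list)   # context restriction set
    context_merge: str = "and"

    def decide(self, ctx: Ctx) -> str:
        # Context restriction set first: is this rule available at all?
        available = merge([p.evaluate(ctx) for p in self.context], self.context_merge)
        if available != TRUE:
            return "uncertain" if available == ERROR else "not applicable"
        matched = merge([p.evaluate(ctx) for p in self.primitives], self.merge_rule)
        if matched == ERROR:
            return "uncertain"
        # Assumption: a rule whose conditions are not met simply does not apply.
        return self.effect if matched == TRUE else "not applicable"


@dataclass
class Policy:
    target_rule: List[Primitive]       # empty = applies to any target resource
    initiator_rule: List[Primitive]    # empty = applies to any initiator
    rules: List[Rule]
    combining: str = "deny priority"   # rule merging algorithm, or "permit priority"

    def decide(self, ctx: Ctx) -> str:
        # S401-S404: target resource rule, then initiator rule (both "and"-merged).
        for scope in (self.target_rule, self.initiator_rule):
            r = merge([p.evaluate(ctx) for p in scope], "and")
            if r != TRUE:
                return "uncertain" if r == ERROR else "not applicable"
        # S405: decide every access control rule, then apply the rule merging
        # algorithm. Fail closed: under deny priority an "uncertain" rule blocks a permit.
        results = [rule.decide(ctx) for rule in self.rules]
        order = ["deny", "uncertain", "permit"]
        if self.combining == "permit priority":
            order = ["permit", "deny", "uncertain"]
        return next((o for o in order if o in results), "not applicable")


# Examples one and five from the text, plus a constructed office-hours context restriction.
EXAMPLE_ONE = Rule("permit", [
    Primitive(request_get("to"), "==", "CSEBase\\AE1"),
    Primitive(request_get("from"), "in", {"AE2", "AE3", "AE4", "AE5"}),
    Primitive(request_get("operation"), "in", {"create", "retrieve", "update"}),
    Primitive(request_get("resource type"), "==", "container"),
    Primitive(request_get("content"), "in", {"maxNrOfInstances", "maxByteSize", "maxInstanceAge"}),
], context=[Primitive(request_get("accessTime"), ">=", "08:00"),
            Primitive(request_get("accessTime"), "<=", "18:00")])
EXAMPLE_FIVE = Rule("deny", [          # blacklist: AE1-AE3 may not retrieve CSEBase\AE1
    Primitive(request_get("to"), "==", "CSEBase\\AE1"),
    Primitive(request_get("from"), "in", {"AE1", "AE2", "AE3"}),
    Primitive(request_get("operation"), "==", "retrieve"),
])
POLICY = Policy(target_rule=[Primitive(request_get("to"), "==", "CSEBase\\AE1")],
                initiator_rule=[], rules=[EXAMPLE_ONE, EXAMPLE_FIVE])


def decide(request: Dict[str, Any]) -> str:
    """Decide one constructed resource access request (a dict of its parameters) under POLICY."""
    return POLICY.decide({"request": request, "resource": {}})
```

Under POLICY, AE2 creating a container during office hours returns "permit", AE2 retrieving returns "deny" because the blacklist rule wins under deny priority, and a request missing its operation parameter returns "uncertain" rather than "permit".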
From the above description, it can be seen that one or more of the target resource rules, initiator rules, and access control rules in the access control policy can be described using rule primitives. Thus a solution is given for how to describe the rules in the access control policy.
By describing the rules in the access control policy with rule primitives, the access control policy can be extended easily. Since multiple rule primitives can be used, complex rule definitions can also be supported. For example, the prior art cannot express the rule "an initiator AE with role A accesses the target resource", because the description of the initiator is based either on the initiator identity or on the role, and the two cannot be combined; that is, the access control policy in the prior art supports only a single rule (only one rule within one access control policy) and therefore cannot describe somewhat more complex access control rules. In the embodiment of the present application, multiple rule primitives are used to describe the rules in the access control policy, so more complex rules can be supported.
Further, the access control policy in the prior art is only applicable to describing the white list, i.e. the case of allowing access, but cannot describe the black list, i.e. the case of not allowing access. In the embodiment of the present application, the description of the blacklist can be implemented.
Optionally, in some embodiments, at least one rule primitive is used to describe a decision condition that an attribute or a sub-resource under a resource needs to satisfy, so that compared with the prior art that only an access control policy can be applied to the whole resource, the granularity of the access control policy can be reduced, so that the access control policy can be applied to a component under the resource, for example, the attribute or the sub-resource under the resource, thereby improving the granularity of access control, improving flexibility, and reducing the risk of information leakage.
Based on the same technical concept, the embodiment of the present application further provides a resource access control device, and the resource access control device can implement the resource access control method described in the foregoing embodiment.
Fig. 5 is a schematic structural diagram of a resource access control apparatus according to an embodiment of the present application. The apparatus may include: a receiving module 501, an obtaining module 502, a judging module 503, and a sending module 504.
The receiving module 501 is configured to receive an access control decision request, where the access control decision request is used to request an access control policy decision for a resource access request initiated by an initiator.
The obtaining module 502 is configured to obtain an access control policy. The access control policy comprises one or more access control rules, the one or more access control rules are used for describing rules which should be satisfied when target resource rules and initiator rules are satisfied, each access control rule is described by using at least one access control rule primitive set, the access control rule primitive set comprises one or more rule primitives, and one rule primitive in the access control rule primitive set is used for describing one decision condition in the access control rules.
The decision module 503 is configured to perform an access control policy decision on the resource access request according to the access control policy.
The sending module 504 is configured to return an access control decision response, where the access control decision response carries an access control policy decision result for the resource access request.
Optionally, the access control rule is further described by using a set of context restriction rule primitives, where the set of context restriction rule primitives includes one or more rule primitives for describing whether the access control rule to which the set of context restriction rule primitives belongs is available.
Optionally, the access control policy further includes: a target resource rule describing a target resource applicable to the access control policy, the target resource rule being described using one or more rule primitives.
Optionally, the access control policy further includes: an initiator rule describing a resource access request initiator applicable to the access control policy, the initiator rule being described using one or more rule primitives.
Optionally, the rule primitive includes a first operand, a second operand, and a logical operator applied to the first operand and the second operand. The output of the rule primitive is the result of applying the logical operator to the two operands, and is either true or false: true indicates that the decision condition described by the rule primitive is met, and false indicates that it is not met.
For the description of the access control policy and the rule primitives used by the resource access control device, reference may be made to the foregoing embodiments; it is not repeated here.
Based on the same technical concept, embodiments of the present application further provide a communication device, which can implement the resource access control method described in the foregoing embodiments.
Fig. 6 is a schematic structural diagram of a communication device according to an embodiment of the present application. As shown, the communication device may include a processor 601, a memory 602, and a bus interface 604. The communication device may further include a network interface 603.
The processor 601 is responsible for managing the bus architecture and general processing, and the memory 602 may store data used by the processor 601 in performing operations. The network interface 603 is used for receiving and transmitting data under the control of the processor 601.
The bus architecture may include any number of interconnected buses and bridges, linking together one or more processors, represented by processor 601, and various memory circuits, represented by memory 602. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, and power management circuits, which are well known in the art and therefore are not described further herein. The bus interface 604 provides an interface between the bus and these components.
The process disclosed by the embodiment of the invention can be applied to the processor 601 or implemented by the processor 601. In implementation, the steps of the process flow may be performed by instructions in the form of hardware, integrated logic circuits, or software in the processor 601. The processor 601 may be a general purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like that implements or performs the methods, steps, and logic blocks disclosed in embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor. The steps of a method disclosed in connection with the embodiments of the present invention may be implemented directly by a hardware processor, or by a combination of hardware and software modules in the processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM, or registers. The storage medium is located in the memory 602; the processor 601 reads the information in the memory 602 and, in combination with its hardware, completes the steps of the signal processing flow.
Specifically, the processor 601 is configured to read the program in the memory 602 and execute the resource access control flow described in the foregoing embodiment.
Based on the same technical concept, the embodiment of the application also provides a computer-readable storage medium. The computer-readable storage medium stores computer-executable instructions for causing a computer to execute the resource access control flow of the foregoing embodiments.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (25)

1. A method for controlling access to resources, comprising:
receiving an access control decision request, wherein the access control decision request requests an access control policy decision for a resource access request initiated by an initiator;
acquiring an access control policy, wherein the access control policy comprises one or more access control rules, the one or more access control rules describe the conditions that must be satisfied when a target resource rule and an initiator rule are satisfied, each access control rule is described by at least one access control rule primitive set, the access control rule primitive set comprises one or more rule primitives, and each rule primitive in the access control rule primitive set describes one decision condition of the access control rule;
performing an access control policy decision on the resource access request according to the access control policy; and
returning an access control decision response, wherein the access control decision response carries an access control policy decision result for the resource access request;
wherein the rule primitive comprises a first operand, a second operand, and a logical operator for the first operand and the second operand; and
the output result of the rule primitive is the logical operation result obtained by applying the logical operator to the first operand and the second operand, the logical operation result being true or false, where true indicates that the decision condition described by the rule primitive is met and false indicates that it is not met.
2. The method of claim 1, wherein the access control rule is further described using a set of context restriction rule primitives, the set of context restriction rule primitives including one or more rule primitives for describing whether an access control rule to which the set of context restriction rule primitives belongs is available.
3. The method of claim 1, wherein the access control policy further comprises: a target resource rule describing a target resource applicable to the access control policy, the target resource rule being described using one or more rule primitives.
4. The method of claim 1, wherein the access control policy further comprises: an initiator rule describing a resource access request initiator applicable to the access control policy, the initiator rule being described using one or more rule primitives.
5. The method of claim 1, wherein:
the first operand is represented as a parameter or a parameter set, or as a first function for acquiring the parameter or the parameter set as the first operand; and/or
the second operand is represented as a parameter or a set of parameters or as a second function for fetching the parameter or set of parameters as the second operand.
6. The method of claim 5, wherein:
the first function acquiring a parameter or a parameter set as the first operand comprises:
the first function acquiring, as the first operand, a parameter or a parameter set from the resource access request, or a target resource attribute value or attribute value set, or an initiator attribute value or attribute value set, or context information; and
the second function acquiring a parameter or a parameter set as the second operand comprises:
the second function acquiring, as the second operand, a parameter or a parameter set from the resource access request, or a target resource attribute value or attribute value set, or an initiator attribute value or attribute value set, or context information.
7. The method of claim 1, wherein the logical operator is a logical comparison operator or a set operator.
8. The method of any of claims 1 to 4, wherein a logical operational relationship exists between the plurality of rule primitives, the logical operational relationship comprising a logical AND relationship or a logical OR relationship.
9. The method of any of claims 1 to 4, wherein a logical operational relationship exists between the plurality of access control rules.
10. The method of any of claims 1 to 4, wherein the access control rule further comprises a rule impact identifier; and
the rule impact identifier indicates whether the decision result of the access control rule is allowed or rejected when the output results of all rule primitives in the access control rule are true.
11. A resource access control apparatus, comprising:
a receiving module, configured to receive an access control decision request, wherein the access control decision request requests an access control policy decision for a resource access request initiated by an initiator;
an acquisition module, configured to acquire an access control policy, wherein the access control policy comprises one or more access control rules, the one or more access control rules describe the conditions that must be satisfied when a target resource rule and an initiator rule are satisfied, each access control rule is described by at least one access control rule primitive set, the access control rule primitive set comprises one or more rule primitives, and each rule primitive in the access control rule primitive set describes one decision condition of the access control rule;
a decision module, configured to perform an access control policy decision on the resource access request according to the access control policy; and
a sending module, configured to return an access control decision response, wherein the access control decision response carries an access control policy decision result for the resource access request;
wherein the rule primitive comprises a first operand, a second operand, and a logical operator for the first operand and the second operand; and
the output result of the rule primitive is the logical operation result obtained by applying the logical operator to the first operand and the second operand, the logical operation result being true or false, where true indicates that the decision condition described by the rule primitive is met and false indicates that it is not met.
12. The apparatus of claim 11, wherein the access control rule is further described using a set of context restriction rule primitives, the set of context restriction rule primitives including one or more rule primitives for describing whether an access control rule to which the set of context restriction rule primitives belongs is available.
13. The apparatus of claim 11, wherein the access control policy further comprises: a target resource rule describing a target resource applicable to the access control policy, the target resource rule being described using one or more rule primitives.
14. The apparatus of claim 11, wherein the access control policy further comprises: an initiator rule describing a resource access request initiator applicable to the access control policy, the initiator rule being described using one or more rule primitives.
15. A communications apparatus, comprising: a processor, a memory; the processor is used for reading the program in the memory and executing:
receiving an access control decision request, wherein the access control decision request requests an access control policy decision for a resource access request initiated by an initiator;
acquiring an access control policy, wherein the access control policy comprises one or more access control rules, the one or more access control rules describe the conditions that must be satisfied when a target resource rule and an initiator rule are satisfied, each access control rule is described by at least one access control rule primitive set, the access control rule primitive set comprises one or more rule primitives, and each rule primitive in the access control rule primitive set describes one decision condition of the access control rule;
performing an access control policy decision on the resource access request according to the access control policy; and
returning an access control decision response, wherein the access control decision response carries an access control policy decision result for the resource access request;
wherein the rule primitive comprises a first operand, a second operand, and a logical operator for the first operand and the second operand; and
the output result of the rule primitive is the logical operation result obtained by applying the logical operator to the first operand and the second operand, the logical operation result being true or false, where true indicates that the decision condition described by the rule primitive is met and false indicates that it is not met.
16. The apparatus of claim 15, wherein the access control rule is further described using a set of context restriction rule primitives, the set of context restriction rule primitives including one or more rule primitives for describing whether an access control rule to which the set of context restriction rule primitives belongs is available.
17. The apparatus of claim 15, wherein the access control policy further comprises: a target resource rule describing a target resource applicable to the access control policy, the target resource rule being described using one or more rule primitives.
18. The apparatus of claim 15, wherein the access control policy further comprises: an initiator rule describing a resource access request initiator applicable to the access control policy, the initiator rule being described using one or more rule primitives.
19. The apparatus of claim 15, wherein:
the first operand is represented as a parameter or a parameter set, or as a first function for acquiring the parameter or the parameter set as the first operand; and/or
the second operand is represented as a parameter or a set of parameters or as a second function for fetching the parameter or set of parameters as the second operand.
20. The apparatus of claim 19, wherein:
the first function acquiring a parameter or a parameter set as the first operand comprises:
the first function acquiring, as the first operand, a parameter or a parameter set from the resource access request, or a target resource attribute value or attribute value set, or an initiator attribute value or attribute value set, or context information; and
the second function acquiring a parameter or a parameter set as the second operand comprises:
the second function acquiring, as the second operand, a parameter or a parameter set from the resource access request, or a target resource attribute value or attribute value set, or an initiator attribute value or attribute value set, or context information.
21. The apparatus of claim 15, wherein the logical operator is a logical comparison operator or a set operator.
22. The apparatus of any of claims 15 to 18, wherein a logical operational relationship exists between the plurality of rule primitives, the logical operational relationship comprising a logical AND relationship or a logical OR relationship.
23. The apparatus of any of claims 15 to 18, wherein a logical operational relationship exists between the plurality of access control rules.
24. The apparatus of any of claims 15 to 18, wherein the access control rule further comprises a rule impact identifier; and
the rule impact identifier indicates whether the decision result of the access control rule is allowed or rejected when the output results of all rule primitives in the access control rule are true.
25. A computer-readable storage medium having stored thereon computer-executable instructions for causing a computer to perform the method of any one of claims 1 to 10.
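The following Python is an added example, not code from the patent or its applicant: it models the rule-primitive policy of claims 1 to 10 and the decision flow of the device in Fig. 5, with operand functions that fetch values from the request, the target resource, the initiator or the context, comparison and set operators, AND/OR combination of primitives, a context restriction set that gates a rule, the rule impact identifier, and a decision that fails closed. The class and function names, the operator vocabulary, the deny-overrides combination of rules and the sample policy are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Union

# Logical comparison operators and set operators (claim 7); vocabulary is assumed.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda a, b: a == b,
    "lt": lambda a, b: a < b,
    "ge": lambda a, b: a >= b,
    "in": lambda a, b: a in b,  # element-of-set
}

@dataclass
class DecisionRequest:         # the four sources an operand function may read (claim 6)
    request: Dict[str, Any]    # parameters of the resource access request
    resource: Dict[str, Any]   # target resource attribute values
    initiator: Dict[str, Any]  # initiator attribute values
    context: Dict[str, Any]    # context information (time, channel, ...)

# An operand is a literal parameter / parameter set, or a function that fetches it (claim 5).
Operand = Union[Any, Callable[[DecisionRequest], Any]]

def attr(source: str, name: str) -> Callable[[DecisionRequest], Any]:
    """Operand function reading attribute `name` from one of the four sources."""
    return lambda req: getattr(req, source).get(name)

@dataclass
class Primitive:  # first operand, logical operator, second operand -> true / false
    first: Operand
    operator: str
    second: Operand

    def evaluate(self, req: DecisionRequest) -> bool:
        a, b = (v(req) if callable(v) else v for v in (self.first, self.second))
        if a is None or b is None:  # missing attribute: the condition is not met
            return False
        return bool(OPERATORS[self.operator](a, b))

def all_true(prims: List[Primitive], req: DecisionRequest) -> bool:
    return all(p.evaluate(req) for p in prims)

@dataclass
class Rule:
    primitives: List[Primitive]  # the access control rule primitive set
    effect: str                  # rule impact identifier: "permit" or "deny" (claim 10)
    combine: str = "and"         # logical relationship between the primitives (claim 8)
    context_restriction: List[Primitive] = field(default_factory=list)  # claim 2

    def matches(self, req: DecisionRequest) -> bool:
        results = [p.evaluate(req) for p in self.primitives]
        return all(results) if self.combine == "and" else any(results)

@dataclass
class Policy:
    target_rule: List[Primitive]     # target resources the policy applies to (claim 3)
    initiator_rule: List[Primitive]  # initiators the policy applies to (claim 4)
    rules: List[Rule]

def decide(policy: Policy, req: DecisionRequest) -> str:
    """Decision result carried by the access control decision response. The patent
    leaves rule combination open (claim 9); assumed here: deny-overrides, default deny."""
    if not (all_true(policy.target_rule, req) and all_true(policy.initiator_rule, req)):
        return "not_applicable"
    effects = {r.effect for r in policy.rules
               if all_true(r.context_restriction, req) and r.matches(req)}
    if "deny" in effects:
        return "deny"
    return "permit" if "permit" in effects else "deny"

def example_policy() -> Policy:
    """Constructed sample: own-department reads are permitted; remote access outside 08:00-18:00 is denied."""
    return Policy(
        target_rule=[Primitive(attr("resource", "type"), "eq", "patient_record")],
        initiator_rule=[Primitive(attr("initiator", "role"), "in", {"doctor", "nurse"})],
        rules=[
            Rule(effect="permit", primitives=[
                Primitive(attr("initiator", "department"), "eq", attr("resource", "department")),
                Primitive(attr("request", "action"), "in", {"read"}),
            ]),
            Rule(effect="deny", combine="or", primitives=[
                Primitive(attr("context", "hour"), "lt", 8),
                Primitive(attr("context", "hour"), "ge", 18),
            ], context_restriction=[Primitive(attr("context", "channel"), "eq", "remote")]),
        ],
    )
```

The deny rule is only available when the context restriction (remote channel) holds, so the same request at hour 23 is permitted on site and denied remotely; a record missing its department attribute is denied rather than matched.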

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810738533.8A CN110691061B (en) 2018-07-06 2018-07-06 Resource access control method and device
PCT/CN2019/087658 WO2020007132A1 (en) 2018-07-06 2019-05-20 Resource access control method and device

Publications (2)

Publication Number Publication Date
CN110691061A CN110691061A (en) 2020-01-14
CN110691061B true CN110691061B (en) 2020-12-08

Family

ID=69060571

Also Published As

Publication number Publication date
WO2020007132A1 (en) 2020-01-09
CN110691061A (en) 2020-01-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant