CN110855599A - Multi-tenant access control method and device and computer readable storage medium - Google Patents

Multi-tenant access control method and device and computer readable storage medium Download PDF

Info

Publication number
CN110855599A
Authority
CN
China
Prior art keywords
attribute information
access control
visitor
tenant
access
Prior art date
Legal status
Granted
Application number
CN201810950695.8A
Other languages
Chinese (zh)
Other versions
CN110855599B (en)
Inventor
童遥
李华
申光
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Priority date
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN201810950695.8A (granted as CN110855599B)
Priority to PCT/CN2019/100754 (published as WO2020038273A1)
Publication of CN110855599A
Application granted
Publication of CN110855599B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/102 Entity profiles
    • H04L63/104 Grouping of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention discloses a multi-tenant access control method, which comprises the following steps: acquiring user information of an accessor from an access request message, and determining a tenant and a task group to which the accessor belongs based on the user information of the accessor; wherein the tenant is used for indicating a user set; the task group is used for indicating a tenant set; if the tenant to which the visitor belongs is matched with a preset tenant for accessing resources and/or the task group to which the visitor belongs is matched with a preset task group for accessing resources, acquiring an access control strategy related to the visitor; and judging whether the visitor is allowed to access or not based on the access control strategy. The embodiment of the invention also discloses a multi-tenant access control device and a computer storage medium.

Description

Multi-tenant access control method and device and computer readable storage medium
Technical Field
The embodiment of the invention relates to the technical field of data security, in particular to a multi-tenant access control method and device and a computer readable storage medium.
Background
Cloud computing services lease instances to different tenants, so that many tenants share data resources, which reduces enterprise cost and improves enterprise efficiency. However, a tenant that uses its service through the shared data platform does not want its own data to be accessible to other tenants, so how to implement secure multi-tenant access control is an urgent problem to be solved.
At present, most access control models are Role-Based Access Control (RBAC) models. In the traditional RBAC model the allocation of system resources and role grades is global, so the resources of different tenants cannot be effectively isolated in the related art. In addition, in practical application the roles of a tenant change dynamically with the actual situation, while the roles of the traditional RBAC model are allocated statically, so the need to add role types to the system cannot be met. Finally, a cloud computing service hosts many kinds of tenants with different requirements, and the related art can neither classify resources for different users nor meet the individual requirements of tenants.
Disclosure of Invention
To solve the foregoing technical problem, embodiments of the present invention are intended to provide a multi-tenant access control method and apparatus, and a computer-readable storage medium.
The technical scheme of the invention is realized as follows:
in a first aspect, a method for controlling access of multiple tenants is provided, where the method includes:
acquiring user information of an accessor from an access request message, and determining a tenant and a task group to which the accessor belongs based on the user information of the accessor; wherein the tenant is used for indicating a user set; the task group is used for indicating a tenant set;
if the tenant to which the visitor belongs is matched with a preset tenant for accessing resources and/or the task group to which the visitor belongs is matched with a preset task group for accessing resources, acquiring an access control strategy related to the visitor;
and judging whether the visitor is allowed to access or not based on the access control strategy.
In a second aspect, a multi-tenant access control apparatus is provided, the apparatus comprising:
the acquisition unit is used for acquiring the user information of the visitor from the access request message;
a determining unit, configured to determine, based on user information of the visitor, a tenant and a task group to which the visitor belongs; wherein the tenant is used for indicating a user set; the task group is used for indicating a tenant set;
the acquisition unit is further configured to determine that when the tenant to which the visitor belongs matches a preset tenant for accessing resources and/or the task group to which the visitor belongs matches a preset task group for accessing resources, an access control policy related to the visitor is acquired;
and the processing unit is used for judging whether the visitor is allowed to access or not based on the access control strategy.
In a third aspect, a multi-tenant access control apparatus is provided, the apparatus comprising: a processor and a memory configured to store a computer program capable of running on the processor,
wherein the processor is configured to perform the steps of the method of the first aspect when executing the computer program.
In a fourth aspect, a computer storage medium is provided, in which computer-executable instructions are stored, and the computer-executable instructions are configured to perform the steps of the business rule updating method provided in the first aspect or the second aspect.
The embodiment of the invention provides a multi-tenant access control method and device and a computer readable storage medium, firstly, acquiring user information of an accessor from an access request message, and determining a tenant and a task group to which the accessor belongs based on the user information; if the tenant and/or task group to which the visitor belongs is matched with a preset tenant and/or preset task group for accessing resources, acquiring an access control strategy related to the visitor; finally, whether to allow the access request is judged based on the access control strategy. Therefore, whether the tenant or task group corresponding to the visitor is matched with the preset tenant and/or preset task group corresponding to the resource is judged, whether the user is an authorized object is judged quickly, and the safety of access control and the effectiveness of system access are improved; in addition, the access users are divided into different tenants and task groups, and different access control strategies are distributed for the visitors, the tenants to which the visitors belong and the task groups to which the visitors belong, so that resources among different task groups are effectively isolated; finally, the authority can correspond to different user levels, namely the user level, the combination level and the task group level, so that the flexibility and the expandability of the access control system are enhanced.
Drawings
Fig. 1 is a schematic flowchart of a multi-tenant access control method according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating another multi-tenant access control method according to an embodiment of the present invention;
fig. 3 is a schematic system architecture diagram of a multi-tenant access control method according to an embodiment of the present invention;
fig. 4 is a schematic structural component diagram of a multi-tenant access control device according to an embodiment of the present invention;
fig. 5 is a schematic diagram illustrating a hardware structure of a multi-tenant access control device according to an embodiment of the present invention.
Detailed Description
So that the manner in which the features and aspects of the embodiments of the present invention can be understood in detail, a more particular description of the embodiments of the invention, briefly summarized above, may be had by reference to the embodiments, some of which are illustrated in the appended drawings.
An embodiment of the present invention provides a multi-tenant access control method, which is shown in fig. 1 and includes the following steps:
step 101, obtaining user information of the visitor from the access request message, and determining a tenant and a task group to which the visitor belongs based on the user information of the visitor.
Wherein the tenant is used for indicating a user set; the task group is used for indicating a tenant set.
In other embodiments of the present invention, step 101 obtains user information of the visitor from the access request message, and determines, based on the user information, that the tenant and task group to which the visitor belongs may be implemented by a data server; here, the data server may be a server that provides data resources.
The visitor refers to a user who accesses resources in the data server; the data server extracts user information from the access request sent by the visitor. Here, the user information may be a code that uniquely identifies the user, such as a user identification number (ID) represented as a binary code. Further, the data server can determine the tenant and task group to which the visitor belongs from the user information.
Generally, a cloud data center leases entities to different tenants, each tenant has a member of the tenant, and the members access resources leased to the tenants through a specified account; here, the members of the tenant are users; that is, a tenant is a collection of users. Illustratively, when the tenant is a business, the user is an employee within the business.
In addition, a task group refers to a collection of tenants having the same or similar attributes. Preferably, the data server can allocate tenants with similar service ranges or the same attribute to the same task group according to the attribute characteristics of the tenants.
In other embodiments of the present invention, each user has its corresponding tenant and task group, and the data server may find the tenant and task group to which the visitor belongs according to the obtained user information of the visitor.
And 102, if the tenant to which the visitor belongs is matched with a preset tenant for accessing resources and/or the task group to which the visitor belongs is matched with a preset task group for accessing resources, acquiring an access control strategy related to the visitor.
Here, in step 102, if the tenant to which the visitor belongs matches a preset tenant to which the resource is accessed, and/or the task group to which the visitor belongs matches a preset task group to which the resource is accessed, obtaining the access control policy corresponding to the visitor, the tenant to which the visitor belongs, and the task group to which the visitor belongs may be implemented by a data server.
In other embodiments of the present invention, the data server may preset a corresponding tenant or task group for the resource. And if the tenant or the task group to which the visitor belongs is not matched with the tenant or the task group preset by the resources, the visitor is denied access to the resources.
In other embodiments of the present invention, obtaining the access control policy related to the visitor may include obtaining the access control policy corresponding to the visitor, a tenant to which the visitor belongs, and a task group to which the visitor belongs. Here, users, tenants, and task groups all have their own corresponding access control policies, and different users, different tenants, and different task groups have different access control policies.
Preferably, before obtaining the access control policy corresponding to the visitor, the tenant to which the visitor belongs, and the task group to which the visitor belongs, the method may include: defining an access control policy for the task group; defining access control strategies for different tenants under a task group; access control policies are defined for different users under the tenant. Generally, a task group includes a plurality of tenants, including a plurality of users; the scope of the task group is large, and thus the authority defined in the access control policy of the task group is the largest, while the access authority of the user is the smallest.
And 103, judging whether the access request is allowed or not based on the access control strategy.
Wherein step 103 determines whether to allow the access request based on the access control policy may be implemented by a data server.
From the above description, the access control policy of the task group carries the greatest authority, the tenant's access control policy comes next, and the user's access control policy carries the least. The data server can therefore evaluate the access request information in order of decreasing authority. It first judges whether the access request information conforms to the access control policy of the task group to which the visitor belongs; if not, the access request is rejected. If it does, the server continues by judging whether the access request information conforms to the access control policy of the tenant to which the visitor belongs; if not, the access request is rejected. If it does, the server judges whether the access request information conforms to the access control policy corresponding to the visitor; if so, the access request is executed, and otherwise it is rejected.
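As an added illustration of steps 101 to 103 (example code written for this page, not the patent's or ZTE's own implementation), the following Python models the membership lookup, the preset tenant/task-group gate of step 102, and the coarse-to-fine policy check of step 103. The user, tenant, task-group and resource names and the policy contents are constructed. The page leaves "and/or" open, so this example takes the stricter reading that every preset a resource carries must match, and treats a resource with no preset at all as unreachable; both are assumptions.

```python
"""Steps 101 to 103 modelled in Python (added example, not the patent's own code).
The directory, resources and policy contents below are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed directory: a tenant is a set of users, a task group is a set of tenants.
USER_TENANT = {"alice": "acme", "bob": "acme", "carol": "globex"}
TENANT_GROUP = {"acme": "retail", "globex": "logistics"}


@dataclass(frozen=True)
class Resource:
    name: str
    tenant: Optional[str] = None      # preset tenant allowed to access the resource
    task_group: Optional[str] = None  # preset task group allowed to access the resource


# Constructed policies: the operations each level permits on each resource.
# The task-group policy is the widest and the user policy the narrowest, as the page describes.
GROUP_POLICY = {"retail": {"orders.db": {"read", "write", "delete"}}}
TENANT_POLICY = {"acme": {"orders.db": {"read", "write"}}}
USER_POLICY = {"alice": {"orders.db": {"read", "write"}},
               "bob": {"orders.db": {"read"}}}


def resolve_membership(user_id: str) -> Tuple[Optional[str], Optional[str]]:
    """Step 101: map the visitor's user ID to its tenant and task group."""
    tenant = USER_TENANT.get(user_id)
    if tenant is None:
        return None, None
    return tenant, TENANT_GROUP.get(tenant)


def qualifies(tenant: str, group: str, resource: Resource) -> bool:
    """Step 102 gate. Assumption: every preset the resource carries must match;
    a resource with no preset at all is treated as unreachable (deny by default)."""
    if resource.tenant is None and resource.task_group is None:
        return False
    if resource.tenant is not None and tenant != resource.tenant:
        return False
    if resource.task_group is not None and group != resource.task_group:
        return False
    return True


def decide(user_id: str, resource: Resource, operation: str) -> Tuple[bool, str]:
    """Steps 102 and 103: return (allowed, reason). Policies are checked from the
    widest scope (task group) to the narrowest (user); the first level that does
    not permit the operation denies the request, so a lower level can never widen
    what a higher level refused."""
    tenant, group = resolve_membership(user_id)
    if tenant is None or group is None:
        return False, "unknown user"
    if not qualifies(tenant, group, resource):
        return False, "tenant/task group does not match the resource preset"
    levels = (("task group", GROUP_POLICY, group),
              ("tenant", TENANT_POLICY, tenant),
              ("user", USER_POLICY, user_id))
    for level, policy, key in levels:
        allowed = policy.get(key, {}).get(resource.name, set())
        if operation not in allowed:
            return False, f"denied by {level} policy"
    return True, "permitted at task group, tenant and user level"


# Constructed resource preset to tenant "acme" inside task group "retail".
ORDERS = Resource("orders.db", tenant="acme", task_group="retail")

if __name__ == "__main__":
    for uid, op in (("alice", "write"), ("alice", "delete"), ("bob", "write"),
                    ("carol", "read"), ("mallory", "read")):
        print(uid, op, decide(uid, ORDERS, op))
```

Because each level only narrows the previous one, a misconfigured user policy cannot grant an operation the tenant or task-group policy withholds, which is the isolation property the page attributes to the three-level design; the reason string also tells an operator which level produced a denial.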
The embodiment of the invention provides a multi-tenant access control method, which comprises the steps of firstly, obtaining user information of an accessor from an access request message, and determining a tenant and a task group to which the accessor belongs based on the user information; wherein the tenant is used for indicating a user set; the task group is used for indicating a tenant set; if the tenant to which the visitor belongs is matched with a preset tenant for accessing resources and/or the task group to which the visitor belongs is matched with the task group for accessing resources, acquiring an access control strategy related to the visitor; determining whether to allow the access request based on the access control policy. Therefore, whether the tenant or task group corresponding to the visitor is matched with the preset tenant and/or preset task group corresponding to the resource is judged, whether the user is an authorized object is judged quickly, and the safety of access control and the effectiveness of system access are improved; in addition, the access users are divided into different tenants and task groups, and different access control strategies are distributed for the visitors, the tenants to which the visitors belong and the task groups to which the visitors belong, so that resources among different task groups are effectively isolated; finally, the authority can correspond to different user levels, namely the user level, the combination level and the task group level, so that the flexibility and the expandability of the access control system are enhanced.
Based on the foregoing embodiments, an embodiment of the present invention provides a multi-tenant access control, as shown in fig. 2, the method includes the following steps:
step 201, the data server acquires the user information of the visitor from the access request message, and determines the tenant and task group to which the visitor belongs based on the user information of the visitor.
Preferably, before step 201, the embodiment of the present invention further includes judging whether the access request is an illegal request. Specifically, the public key certificate in the access request is obtained and the information in the certificate is verified, including verifying the digital signature, checking the validity period of the certificate, and determining whether the certificate has been revoked. If the information in the public key certificate passes verification, the access request is considered a legal request; if it fails verification, the access request is considered illegal and the data server refuses the visitor's access request.
And when the access request of the visitor is judged to be a legal request, acquiring user information of the visitor from the access request, and determining the tenant and the task group to which the visitor belongs based on the user information.
Step 202, if the tenant to which the visitor belongs is matched with the preset tenant of the access resource and/or the task group to which the visitor belongs is matched with the preset task group of the access resource, extracting subject attribute information, permission attribute information, environment attribute information and object attribute information of the access resource from the access request message.
In other embodiments of the present invention, the data server may preset a corresponding tenant or task group for each resource; that is, the resource is isolated by the data server. Specifically, after determining the visitor's tenant and task group in step 201, the data server matches the tenant and/or task group to which the visitor belongs against the preset tenant and/or preset task group for accessing the resource. If the match succeeds, the visitor is considered qualified to access the resource; otherwise the visitor is not qualified and is refused access to the resource. That is, step 202 corresponds to an authentication process that determines whether the user qualifies to access the resource.
Further, after the tenant and/or task group to which the visitor belongs is judged to be matched with the preset tenant and/or preset task group for accessing the resource, information related to access is extracted from the access request information, and the next judgment is carried out.
In other embodiments of the present invention, the subject attribute information refers to the attributes of the visitor who actively initiates the access request, including the visitor's identity, position and ability, such as age, name and occupation; the authority attribute information refers to the operation on the resource, including operations such as reading, writing, creating and deleting files or data; the environment attribute information refers to the environment of the access, including the time and security level at which the visitor initiates the access; and the object attribute information refers to the attributes of the accessed resource in the system, including its owner, identity, position and size, where the resource owner is the owner of the resource.
Step 203, judging whether the subject attribute information, the authority attribute information and the environment attribute information are matched with the object attribute information.
Here, by matching the subject attribute information, the permission attribute information and the environment attribute information against the object attribute information, it is possible to determine whether the user's access conforms to the permissions corresponding to the resource.
Specifically, the data server compares the subject attribute information with the object attribute information corresponding to the accessed resource, if the comparison result matches, the authentication is successful, and step 204 is executed; if the comparison result does not match, the authentication fails, the operation requested by the visitor is rejected, and step 205 is executed.
For example, if the identity information in the visitor's subject attribute information is the same as the resource owner in the object attribute information, or the two hold the same position, the subject attribute information may be considered to match the object attribute information.
It should be noted that step 203 may be followed by performing step 204 or 205.
Step 204, if the subject attribute information, the authority attribute information and the environment attribute information match the object attribute information, the data server acquires the access control policies corresponding to the visitor, the tenant to which the visitor belongs, and the task group to which the visitor belongs.
Specifically, the obtaining of the access control policy corresponding to the visitor, the tenant to which the visitor belongs, and the task group to which the visitor belongs includes: acquiring a first sub-access control strategy corresponding to the visitor; acquiring a second sub-access control strategy corresponding to the tenant to which the visitor belongs; and acquiring a third sub-access control strategy corresponding to the task group to which the visitor belongs.
It should be noted that step 206 is executed after step 204.
Step 205, if the subject attribute information, the permission attribute information and the environment attribute information do not match the object attribute information, access authorization is refused.
Here, if the subject attribute information, the authority attribute information and the environment attribute information do not match the object attribute information, authentication is considered to have failed, the visitor's access request is rejected, and the handling of the access request ends.
Step 206, the data server judges whether the subject attribute information, the authority attribute information and the environment attribute information conform to the third sub-access control policy.
Here, the third sub-access control policy is the access control policy corresponding to the task group to which the visitor belongs and carries the greatest authority; therefore, in this embodiment it is first determined whether the access request information conforms to the access control policy of the task group to which the visitor belongs. Specifically, it is determined whether the visitor's subject attribute information, authority attribute information and environment attribute information conform to the third sub-access control policy. If they conform, step 207 is executed; otherwise step 210 is executed.
Step 207, if the subject attribute information, the authority attribute information and the environment attribute information conform to the third sub-access control policy, determine whether they conform to the second sub-access control policy.
Here, the second sub-access control policy is the access control policy corresponding to the tenant to which the visitor belongs, and its authority is smaller than that of the third sub-access control policy corresponding to the visitor's task group. Therefore, in this embodiment, after it is determined that the visitor's access request information conforms to the third sub-access control policy, it is further determined whether the access request information conforms to the second sub-access control policy of the visitor's tenant. Specifically, it is judged whether the subject attribute information, the authority attribute information and the environment attribute information conform to the second sub-access control policy; if they conform, step 208 is executed; otherwise step 211 is executed.
Step 208, if the subject attribute information, the authority attribute information and the environment attribute information conform to the second sub-access control policy, judge whether they conform to the first sub-access control policy.
Here, the first sub-access control policy is the access control policy corresponding to the visiting user, and its authority is smaller than that of both the third and the second sub-access control policy. Therefore, in this embodiment, once the visitor's access request information is determined to conform to the second sub-access control policy, it is determined whether it conforms to the first sub-access control policy. Specifically, it is judged whether the subject attribute information, the authority attribute information and the environment attribute information conform to the first sub-access control policy; if they conform, step 209 is executed; otherwise step 212 is executed.
Step 209, if the subject attribute information, the authority attribute information and the environment attribute information conform to the first sub-access control policy, authorize access.
Here, the visitor's access request information satisfies the third, second and first sub-access control policies in turn, so the user is considered to meet the access requirements and the visitor's access request is authorized.
Specifically, the visitor's legal authority set is compared with the resource's required authority set to obtain the visitor's legal access authority. If the visitor's legal authority set contains the resource's required authority set, a session object is created and allowed to access the resource; otherwise the user is denied access. After the user finishes the access, the session is closed and the system resources are released.
Step 210, if the subject attribute information, the authority attribute information and the environment attribute information do not conform to the third sub-access control policy, refuse access authorization.
Here, if the subject attribute information, the authority attribute information and the environment attribute information do not conform to the third sub-access control policy, the user's access authorization is directly denied and the handling of the access request ends.
Step 211, if the subject attribute information, the authority attribute information and the environment attribute information do not conform to the second sub-access control policy, refuse access authorization.
Here, if the subject attribute information, the authority attribute information and the environment attribute information do not conform to the second sub-access control policy, the user's access authorization is directly denied and the handling of the access request ends.
Step 212, if the subject attribute information, the authority attribute information and the environment attribute information do not conform to the first sub-access control policy, refuse access authorization.
Here, if the subject attribute information, the authority attribute information and the environment attribute information do not conform to the first sub-access control policy, the user's access authorization is directly denied and the handling of the access request ends.
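As an added illustration of steps 202 to 212 (example code written for this page, not the patent's or ZTE's own implementation), the following Python takes an attribute-based access request, applies the subject/object matching rule of step 203, evaluates the three sub-access control policies in the order task group, tenant, user, and finishes with the step 209 check that the visitor's legal authority set contains the resource's required set before a session is created. The request message, attribute names, policy rules and per-user authority sets are constructed; each sub-policy here returns the operation set it permits, or nothing when the subject and environment attributes do not conform to it, which is one way to realise "conforms to the policy" that the page does not prescribe.

```python
"""Steps 202 to 212 modelled in Python (added example, not the patent's own code).
The request message, attribute names and policy rules below are constructed."""
import copy
from datetime import datetime, timezone
from typing import Dict, Optional, Set

# Constructed access request, as seen after the certificate check and the
# tenant/task-group match of steps 201 and 202 have already passed.
REQUEST = {
    "subject": {"identity": "alice", "position": "analyst", "security_level": 2},
    "permission": {"operations": {"read"}},
    "environment": {"time": "2024-03-04T10:30:00+00:00", "security_level": 2},
    "object": {"name": "orders.db", "owner": "alice", "position": "analyst",
               "size": 4096, "required_operations": {"read"}},
}

# Constructed per-user authority sets used by the first (user-level) sub-policy.
USER_OPERATIONS = {"alice": {"read"}, "bob": {"read", "write"}}


def extract_attributes(request: Dict):
    """Step 202: split the message into subject, permission, environment and object attributes."""
    return request["subject"], request["permission"], request["environment"], request["object"]


def subject_matches_object(subject: Dict, obj: Dict) -> bool:
    """Step 203, using the page's own rule: the visitor is the resource owner or holds the same position."""
    return subject["identity"] == obj["owner"] or subject["position"] == obj["position"]


# Each sub-policy returns the operation set it permits, or None when the
# subject/environment attributes do not conform to the policy at all.
def third_policy(subject: Dict, env: Dict) -> Optional[Set[str]]:
    """Task-group policy (widest scope). Constructed rule: business hours in UTC only."""
    hour = datetime.fromisoformat(env["time"]).astimezone(timezone.utc).hour
    return {"read", "write", "delete"} if 8 <= hour < 18 else None


def second_policy(subject: Dict, env: Dict) -> Optional[Set[str]]:
    """Tenant policy. Constructed rule: the access environment must be at security level 2 or above."""
    return {"read", "write"} if env["security_level"] >= 2 else None


def first_policy(subject: Dict, env: Dict) -> Optional[Set[str]]:
    """User policy (narrowest scope). Constructed rule: the visitor's own level must cover the environment level."""
    if subject["security_level"] < env["security_level"]:
        return None
    return USER_OPERATIONS.get(subject["identity"], set())


def decide(request: Dict) -> Dict:
    """Steps 203 to 212: return the decision and the step at which it was reached."""
    subject, permission, env, obj = extract_attributes(request)
    if not subject_matches_object(subject, obj):
        return {"allowed": False, "step": 205}
    requested = permission["operations"]
    legal: Optional[Set[str]] = None
    # Order matters: task group (step 206) -> tenant (207) -> user (208); the first failure denies.
    for deny_step, policy in ((210, third_policy), (211, second_policy), (212, first_policy)):
        allowed = policy(subject, env)
        if allowed is None or not requested <= allowed:
            return {"allowed": False, "step": deny_step}
        legal = allowed if legal is None else legal & allowed
    # Step 209: the visitor's legal authority set must contain the resource's
    # required authority set before a session object is created.
    if not obj["required_operations"] <= legal:
        return {"allowed": False, "step": 209}
    session = {"user": subject["identity"], "resource": obj["name"],
               "operations": sorted(legal & requested)}
    return {"allowed": True, "step": 209, "session": session}


def variant(base: Dict, section: str, key: str, value) -> Dict:
    """Copy a request with one attribute changed, to exercise each denial path."""
    req = copy.deepcopy(base)
    req[section][key] = value
    return req


if __name__ == "__main__":
    print(decide(REQUEST))
    print(decide(variant(REQUEST, "environment", "time", "2024-03-04T22:00:00+00:00")))
```

The returned step number makes every denial attributable to one stage of the flow, which is what an audit log for this design needs; the intersection of the three permitted sets is the "legal authority set" of step 209, so a session never carries an operation that any one level withheld.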
It should be noted that, for the explanation of the same or related steps in this embodiment as in other embodiments, reference may be made to the description in other embodiments, and details are not described here again.
The embodiment of the invention provides a multi-tenant access control method, which comprises the steps of firstly, obtaining user information of an accessor from an access request message, and determining a tenant and a task group to which the accessor belongs based on the user information; if the tenant to which the visitor belongs is matched with a preset tenant for accessing resources and/or the task group to which the visitor belongs is matched with a preset task group for accessing resources, acquiring an access control strategy related to the visitor; finally, whether to allow the access request is judged based on the access control strategy. Therefore, whether the tenant or task group corresponding to the visitor is matched with the preset tenant and/or preset task group corresponding to the resource is judged, whether the user is an authorized object is judged quickly, and the safety of access control and the effectiveness of system access are improved; in addition, the access users are divided into different tenants and task groups, and different access control strategies are distributed for the visitors, the tenants to which the visitors belong and the task groups to which the visitors belong, so that resources among different task groups are effectively isolated; finally, the authority can correspond to different user levels, namely the user level, the combination level and the task group level, so that the flexibility and the expandability of the access control system are enhanced.
The multi-tenant access control method provided by the embodiment of the invention can be applied to the system architecture of fig. 3, and the system architecture can comprise a message receiving module, a tenant management module, a policy decision module, an attribute authority module and a policy management module.
Here, the message receiving module is configured to receive the access request of a visitor and determine whether the request is illegal. Specifically, the public key certificate carried in the access request is obtained and the information in it is verified, including verifying the digital signature, checking the validity period of the certificate and determining whether the certificate has been revoked. If the information in the public key certificate passes verification, the message receiving module treats the access request as a legal request; otherwise the request is treated as illegal and the visitor's access request is rejected.
The tenant management module is configured to receive the visitor's access information forwarded by the message receiving module, obtain the user information of the visitor from the access request message, and determine the tenant and the task group to which the visitor belongs based on that user information. If the tenant to which the visitor belongs matches the preset tenant for accessing the resource and/or the task group to which the visitor belongs matches the preset task group for accessing the resource, it sends the access request message to the attribute authority module.
The attribute authority module is configured to receive the access request message sent by the tenant management module, extract from it the subject attribute information, permission attribute information and environment attribute information of the visitor together with the object attribute information of the accessed resource, and convert the request into attribute-based access request information, which consists of exactly those four kinds of attribute information. It then sends the attribute-based access request information back to the tenant management module.
The tenant management module is also configured to receive the attribute-based access request information sent by the attribute authority module.
The policy decision module is configured to receive the attribute-based access request information sent by the tenant management module and to obtain from the policy management module a first sub-access control policy corresponding to the visitor, a second sub-access control policy corresponding to the tenant to which the visitor belongs, and a third sub-access control policy corresponding to the task group to which the visitor belongs.
Further, the policy decision module obtains the subject, permission, environment and object attribute information from the attribute-based access request information and determines whether the subject attribute information, the permission attribute information and the environment attribute information match the object attribute information. If so, it evaluates the visitor's access request against the access control policies in a fixed order: first whether the request satisfies the third sub-access control policy, then whether it satisfies the second sub-access control policy, and finally whether it satisfies the first sub-access control policy. The decision result is sent to the message receiving module.
Here, the tenant management module is further configured to receive the decision result sent by the policy decision module and to compare the legal permission set of the visitor with the permission set required by the resource, thereby obtaining the visitor's legal access permissions. If the legal permission set of the visitor contains the permission set required by the resource, a session object is created and allowed to access the resource; otherwise the user is denied access. After the user finishes the access, the session is closed and system resources are released.
The policy management module is responsible for managing and maintaining the access control policies.
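The decision pipeline of the system architecture above, and the method it implements as summarised earlier, as an added Python example. This is a constructed illustration, not code from the patent or from ZTE: the user and tenant directories, the sub-policy rules, the attribute names, the reading of "and/or" as "either match suffices", and the fail-closed treatment of a missing sub-policy are all assumptions.

```python
"""Hierarchical multi-tenant access decision: tenant/task-group match,
attribute match, task-group -> tenant -> visitor sub-policies, then the
permission-set comparison.  Constructed example; all names are assumptions."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

Attrs = Dict[str, object]
# A rule sees (subject attrs, permission attrs, environment attrs) and returns allow/deny.
Rule = Callable[[Attrs, FrozenSet[str], Attrs], bool]


@dataclass
class Visitor:
    user_id: str
    subject: Attrs                 # subject attribute information
    permissions: FrozenSet[str]    # permission (authority) attribute information
    environment: Attrs             # environment attribute information


@dataclass
class Resource:
    name: str
    preset_tenants: FrozenSet[str]
    preset_task_groups: FrozenSet[str]
    object_attrs: Attrs            # object attribute information of the resource
    required_permissions: FrozenSet[str]


@dataclass
class Decision:
    allowed: bool
    stage: str                     # the step that produced the decision
    session_id: Optional[str] = None


# Constructed directories: a tenant is a set of users, a task group a set of tenants.
USER_TENANT = {"alice": "tenant-a", "bob": "tenant-b", "carol": "tenant-a"}
TENANT_TASK_GROUP = {"tenant-a": "tg-payments", "tenant-b": "tg-analytics"}


def _business_hours(env: Attrs) -> bool:
    return 9 <= int(env.get("hour", -1)) < 18


# Constructed sub-policies: first = per visitor, second = per tenant, third = per task group.
POLICY_VISITOR: Dict[str, List[Rule]] = {
    "alice": [lambda s, p, e: e.get("mfa") is True],
    "carol": [lambda s, p, e: True],
}
POLICY_TENANT: Dict[str, List[Rule]] = {
    "tenant-a": [lambda s, p, e: e.get("network") == "corp"],
}
POLICY_TASK_GROUP: Dict[str, List[Rule]] = {
    "tg-payments": [lambda s, p, e: _business_hours(e)],
}


def attributes_match_object(v: Visitor, r: Resource) -> bool:
    """Object attributes state what the resource demands of subject, permissions and environment."""
    if v.subject.get("clearance", 0) < r.object_attrs.get("min_clearance", 0):
        return False
    if not v.permissions <= r.object_attrs.get("supported_permissions", frozenset()):
        return False
    if r.object_attrs.get("region") not in (None, v.environment.get("region")):
        return False
    return True


def _passes(rules: List[Rule], v: Visitor) -> bool:
    return all(rule(v.subject, v.permissions, v.environment) for rule in rules)


def decide(v: Visitor, r: Resource) -> Decision:
    # Tenant management: derive tenant and task group from the user information.
    tenant = USER_TENANT.get(v.user_id)
    task_group = TENANT_TASK_GROUP.get(tenant)
    if tenant is None or task_group is None:
        return Decision(False, "unknown-user")
    # "and/or" read as: either the tenant or the task group must match (assumption).
    if tenant not in r.preset_tenants and task_group not in r.preset_task_groups:
        return Decision(False, "tenant-mismatch")
    # Attribute authority: the attribute-based request must fit the object attributes.
    if not attributes_match_object(v, r):
        return Decision(False, "attribute-mismatch")
    # Policy decision: third, then second, then first sub-policy; deny at the first failure.
    # A level with no policy is denied (fail-closed; assumption, not stated by the page).
    for stage, rules in (("third-sub-policy", POLICY_TASK_GROUP.get(task_group)),
                         ("second-sub-policy", POLICY_TENANT.get(tenant)),
                         ("first-sub-policy", POLICY_VISITOR.get(v.user_id))):
        if rules is None or not _passes(rules, v):
            return Decision(False, stage)
    # Legal permission set must contain the permission set the resource requires.
    if not r.required_permissions <= v.permissions:
        return Decision(False, "insufficient-permissions")
    return Decision(True, "granted", session_id=secrets.token_hex(8))


# Constructed resource: a ledger reachable by tenant-a or the payments task group.
LEDGER = Resource("ledger", frozenset({"tenant-a"}), frozenset({"tg-payments"}),
                  {"min_clearance": 2, "supported_permissions": frozenset({"read", "write"}),
                   "region": "eu"}, frozenset({"read"}))


def demo() -> Dict[str, str]:
    env = {"hour": 10, "mfa": True, "network": "corp", "region": "eu"}
    cases = {
        "alice-ok": Visitor("alice", {"clearance": 3}, frozenset({"read"}), env),
        "alice-no-mfa": Visitor("alice", {"clearance": 3}, frozenset({"read"}), {**env, "mfa": False}),
        "carol-after-hours": Visitor("carol", {"clearance": 3}, frozenset({"read"}), {**env, "hour": 22}),
        "bob-other-tenant": Visitor("bob", {"clearance": 3}, frozenset({"read"}), env),
    }
    return {name: decide(v, LEDGER).stage for name, v in cases.items()}


if __name__ == "__main__":
    print(demo())
```

Each denial carries the stage at which it happened, which is what a detection pipeline wants to log: a burst of `tenant-mismatch` results from one user is a different signal from repeated `first-sub-policy` failures, and the ordered evaluation means a task-group denial is never masked by a permissive per-user policy.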
In order to implement the method according to the embodiment of the present invention, an embodiment of the present invention further provides a multi-tenant access control apparatus, which may be applied to the data server in the foregoing embodiment. As shown in fig. 4, the apparatus includes:
an obtaining unit 41, configured to obtain user information of the visitor from the access request message;
a determining unit 42, configured to determine, based on the user information, a tenant and a task group to which the visitor belongs; wherein the tenant is used for indicating a user set; the task group is used for indicating a tenant set;
the obtaining unit 41 is further configured to, when the tenant to which the visitor belongs matches a preset tenant for accessing resources and/or the task group to which the visitor belongs matches a preset task group for accessing resources, obtain an access control policy related to the visitor;
a processing unit 43, configured to determine whether to allow the visitor to perform access based on the access control policy.
In another embodiment of the present invention, the obtaining unit 41 is further configured to extract subject attribute information, permission attribute information, environment attribute information, and object attribute information of the access resource from the access request message; if the subject attribute information, the authority attribute information and the environment attribute information are matched with the object attribute information, acquiring an access control strategy related to the visitor;
the processing unit 43 is further configured to deny an authorized access if the subject attribute information, the permission attribute information, and the environment attribute information are not matched with the object attribute information.
In other embodiments of the present invention, the obtaining unit 41 is specifically configured to obtain a first sub-access control policy corresponding to the visitor; acquiring a second sub-access control strategy corresponding to the tenant to which the visitor belongs; and acquiring a third sub-access control strategy corresponding to the task group to which the visitor belongs.
In other embodiments of the present invention, the apparatus further comprises a determining unit 44;
the judging unit 44 is configured to, if the subject attribute information, the permission attribute information, and the environment attribute information conform to the third sub-access control policy, judge whether the subject attribute information, the permission attribute information, and the environment attribute information conform to the second sub-access control policy; and if the subject attribute information, the permission attribute information and the environment attribute information conform to the second sub-access control policy, judge whether the subject attribute information, the permission attribute information and the environment attribute information conform to the first sub-access control policy;
the processing unit 43 is further configured to authorize access if the subject attribute information, the permission attribute information, and the environment attribute information meet a first sub-access control policy.
In other embodiments of the present invention, the processing unit 43 is further configured to deny an authorized access if the subject attribute information, the permission attribute information, and the environment attribute information do not conform to the third sub-access control policy.
In other embodiments of the present invention, the processing unit 43 is further configured to deny an authorized access if the subject attribute information, the permission attribute information, and the environment attribute information do not conform to the second sub-access control policy.
Based on the implementation of each unit in the multi-tenant access control device, in order to implement the multi-tenant access control method provided in the embodiment of the present invention, an embodiment of the present invention further provides a multi-tenant access control device, as shown in fig. 5, where the device 50 includes: a processor 51 and a memory 52 configured to store computer programs capable of running on the processor,
wherein the processor 51 is configured to perform the method steps in the previous embodiments when running the computer program.
In practice, of course, the various components of the device 50 are coupled together by a bus system 53, as shown in FIG. 5. It will be appreciated that the bus system 53 is used to enable communications among the components. The bus system 53 includes a power bus, a control bus, and a status signal bus in addition to the data bus. For clarity of illustration, however, the various buses are labeled as bus system 53 in fig. 5.
In an exemplary embodiment, the present invention further provides a computer readable storage medium, such as a memory 52, comprising a computer program, which is executable by a processor 51 of the multi-tenant access control device 50 to perform the steps of the foregoing method. The computer-readable storage medium may be a Memory such as a magnetic random access Memory (FRAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a flash Memory (FlashMemory), a magnetic surface Memory, an optical disk, or a Compact Disc Read-Only Memory (CD-ROM).
The technical schemes described in the embodiments of the present invention can be combined arbitrarily without conflict.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.

Claims (10)

1. A multi-tenant access control method, the method comprising:
acquiring user information of a visitor from an access request message, and determining a tenant and a task group to which the visitor belongs based on the user information of the visitor; wherein the tenant is used for indicating a user set; the task group is used for indicating a tenant set;
if the tenant to which the visitor belongs is matched with a preset tenant for accessing resources and/or the task group to which the visitor belongs is matched with a preset task group for accessing resources, acquiring an access control strategy related to the visitor;
and judging whether the visitor is allowed to access or not based on the access control strategy.
2. The method of claim 1, wherein prior to obtaining the access control policy associated with the visitor, further comprising:
extracting subject attribute information, authority attribute information, environment attribute information and object attribute information of the access resource of the visitor from the access request message;
if the subject attribute information, the authority attribute information and the environment attribute information are matched with the object attribute information, acquiring an access control strategy related to the visitor;
and if the subject attribute information, the permission attribute information and the environment attribute information are not matched with the object attribute information, refusing authorized access.
3. The method of claim 1 or 2, wherein the obtaining the access control policy associated with the visitor comprises:
acquiring a first sub-access control strategy corresponding to the visitor;
acquiring a second sub-access control strategy corresponding to the tenant to which the visitor belongs;
and acquiring a third sub-access control strategy corresponding to the task group to which the visitor belongs.
4. The method of claim 3, wherein the determining whether to allow the access request based on the access control policy information comprises:
if the subject attribute information, the permission attribute information and the environment attribute information conform to the third sub-access control policy, judging whether the subject attribute information, the permission attribute information and the environment attribute information conform to the second sub-access control policy;
if the subject attribute information, the permission attribute information and the environment attribute information conform to the second sub-access control policy, judging whether the subject attribute information, the permission attribute information and the environment attribute information conform to the first sub-access control policy;
and if the subject attribute information, the permission attribute information and the environment attribute information conform to the first sub-access control policy, authorizing access.
5. The method of claim 4, further comprising:
and if the subject attribute information, the permission attribute information and the environment attribute information do not conform to the third sub-access control policy, refusing authorized access.
6. The method of claim 4, further comprising:
and if the subject attribute information, the permission attribute information and the environment attribute information do not conform to the second sub-access control policy, refusing authorized access.
7. An apparatus for multi-tenant access control, the apparatus comprising:
the acquisition unit is used for acquiring the user information of the visitor from the access request message;
a determining unit, configured to determine, based on user information of the visitor, a tenant and a task group to which the visitor belongs; wherein the tenant is used for indicating a user set; the task group is used for indicating a tenant set;
the acquisition unit is further configured to, when the tenant to which the visitor belongs matches a preset tenant for accessing resources and/or the task group to which the visitor belongs matches a preset task group for accessing resources, acquire an access control policy related to the visitor;
and the processing unit is used for judging whether the visitor is allowed to access or not based on the access control strategy.
8. The apparatus of claim 7, wherein:
the acquisition unit is further configured to extract subject attribute information, permission attribute information and environment attribute information of the visitor, and object attribute information of the accessed resource, from the access request message; and, if the subject attribute information, the permission attribute information and the environment attribute information match the object attribute information, to acquire an access control policy related to the visitor;
and the processing unit is further configured to refuse authorized access if the subject attribute information, the permission attribute information and the environment attribute information do not match the object attribute information.
9. An apparatus for multi-tenant access control, the apparatus comprising: a processor and a memory configured to store a computer program capable of running on the processor,
wherein the processor is configured to perform the steps of the method of any one of claims 1 to 6 when running the computer program.
10. A computer storage medium having stored therein computer-executable instructions configured to perform the multi-tenant access control method provided in any of claims 1 through 6.
CN201810950695.8A 2018-08-20 2018-08-20 Multi-tenant access control method and device and computer readable storage medium Active CN110855599B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810950695.8A CN110855599B (en) 2018-08-20 2018-08-20 Multi-tenant access control method and device and computer readable storage medium
PCT/CN2019/100754 WO2020038273A1 (en) 2018-08-20 2019-08-15 Multi-tenant access control method and device and computer-readable storage medium


Publications (2)

Publication Number Publication Date
CN110855599A true CN110855599A (en) 2020-02-28
CN110855599B CN110855599B (en) 2022-10-21

Family

ID=69592241




Also Published As

Publication number Publication date
WO2020038273A1 (en) 2020-02-27
CN110855599B (en) 2022-10-21


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant