CN111475841A - Access control method, related device, equipment, system and storage medium - Google Patents


Info

Publication number: CN111475841A
Authority: CN (China)
Prior art keywords: target, relationship, relation, access, type
Legal status: Granted
Application number: CN202010264128.4A
Other languages: Chinese (zh)
Other versions: CN111475841B (en)
Inventor: 刘嘉俊
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202010264128.4A
Publication of CN111475841A
Application granted
Publication of CN111475841B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication

Abstract

The application discloses an access control method applied to querying and accessing a database, which specifically comprises the following steps: acquiring a target data type and a target relationship type; determining, according to the target relationship type, a target relationship cluster from a relationship-cluster-based access control model; determining, according to the relationship-cluster-based access control model, N target role authorities corresponding to the target relationship cluster; and if the data types corresponding to the N target role authorities are successfully matched with the target data type, opening a target data interface corresponding to the target data type for the access initiator. The method not only makes data access authorities easy to configure and maintain, but also allows the corresponding data interface to be queried efficiently, which improves data access efficiency.

Description

Access control method, related device, equipment, system and storage medium
Technical Field
The present application relates to the field of cloud database technologies, and in particular, to a method, a related apparatus, a device, a system, and a storage medium for access control.
Background
A social network access control policy is a complete set of access control authorization mechanisms established in the social network according to the security requirements of different environments. An access control policy, as one of the effective means of information protection, ensures that information is accessed only by legitimate users, prevents information leakage, and is an important component of information protection in a social network.
At present, a multi-tenant policy-based access control method is proposed, which is to read a corresponding access control policy based on a relationship type between an initiator and an operated object in a multi-tenant scenario, and achieve the purpose of access control in a manner of enumerating permissions between the relationship type and resource nodes.
However, as the scale of the social network is continuously enlarged, the relationship type and the resource node are also complicated, which not only leads to higher maintenance cost of the relationship type and the resource node, but also consumes more time when reading the authority between the relationship type and the resource node.
Disclosure of Invention
The embodiments of the application provide an access control method, a related apparatus, a device, a system and a storage medium. Two layers of classification, relationship clusters and role authorities, are introduced between the relationship type and the data type, so that data access authorities are easy to configure and maintain, the corresponding data interface can be queried efficiently, and data access efficiency is improved.
In view of the above, a first aspect of the present application provides an access control method, including:
acquiring a target data type and a target relationship type, wherein the target data type represents a data type requested by an access initiator, and the target relationship type represents a relationship type between the access initiator and an access authorizer;
determining a target relation cluster from a relation cluster-based access control model according to a target relation type, wherein the relation cluster-based access control model comprises a corresponding relation among the relation type, the relation cluster, role authority and a data type;
determining N target role authorities corresponding to the target relation clusters according to an access control model based on the relation clusters, wherein N is an integer greater than or equal to 1;
and if the data types corresponding to the N target role authorities are successfully matched with the target data types, opening a target data interface corresponding to the target data types for the access initiator, wherein the target data interface is an interface for the access initiator to access the data corresponding to the access authorizer.
A second aspect of the present application provides an access control apparatus, including:
an acquisition module, configured to acquire a target data type and a target relationship type, wherein the target data type represents a data type requested by an access initiator, and the target relationship type represents a relationship type between the access initiator and an access authorizer;
the determining module is used for determining a target relation cluster from a relation cluster-based access control model according to the target relation type, wherein the relation cluster-based access control model comprises a corresponding relation among the relation type, the relation cluster, the role authority and the data type;
the determining module is further used for determining N target role authorities corresponding to the target relation clusters according to the access control model based on the relation clusters, wherein N is an integer greater than or equal to 1;
and the control module is used for opening a target data interface corresponding to the target data type for the access initiator if the data types corresponding to the N target role authorities are successfully matched with the target data type, wherein the target data interface is an interface for the access initiator to access the data corresponding to the access authorizer.
In one possible design, in a first implementation of the second aspect of an embodiment of the present application,
the acquisition module is specifically configured to receive a data access request sent by a client, wherein the data access request carries identity bill information and relationship chain authorization information;
determining a target data type according to the data access request;
if the identity bill information is successfully verified, determining a target relation type according to the relation chain authorization information;
and if the authentication of the identity bill information fails, sending a first authentication message to the client so that the client displays the first authentication message.
In one possible design, in a second implementation of the second aspect of the embodiments of the present application,
the obtaining module is specifically configured to decrypt the relationship chain authorization information to obtain relationship context information, where the relationship context information includes an identifier of an access authorization party and a relationship type set, and the relationship type set includes at least one available relationship type;
and acquiring the target relation type from at least one available relation type according to the identification of the access authority.
In one possible design, in a third implementation manner of the second aspect of the embodiment of the present application, the relationship context information further includes a relationship validity period;
the access control device also comprises a sending module;
the obtaining module is specifically configured to decrypt the relationship chain authorization information to obtain the relationship context information and, if the relationship validity period satisfies the access time limit condition, to perform the step of obtaining the target relationship type from the at least one available relationship type according to the identifier of the access authorizer;
and the sending module is used for sending a second verification message to the client if the relation validity period does not meet the access time limit condition so that the client displays the second verification message.
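The acquisition step described in the first to third implementations above (verifying the identity bill, i.e. ticket, decoding the relationship chain authorization information into its relationship context, checking the relationship validity period against the access time limit, and picking the target relationship type from the available set), as an added Python example that is not part of the patent or of any Tencent code. It stands in an HMAC-SHA256 signed envelope for the symmetric or asymmetric encryption the patent refers to in FIG. 7 and FIG. 8, so that it runs with the standard library alone; the token layout, the demo keys, the request field names (`data_type`, `identity_ticket`, `relationship_chain_auth`, `authorizer_id`, `relationship_type`) and the handling of an authorizer mismatch or an unauthorized relationship type are assumptions of the example, and the user and relationship names are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo keys, held only by the access control node. The patent's FIG. 7
# and FIG. 8 describe symmetric or asymmetric encryption of the relationship chain
# authorization information; this added example stands in an HMAC-SHA256 signed
# envelope so that it runs with the standard library alone.
TICKET_KEY = b"demo-identity-ticket-key"
RELCHAIN_KEY = b"demo-relationship-chain-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(key: bytes, payload: dict) -> str:
    """Serialize a payload and append a MAC so that tampering is detected."""
    body = json.dumps(payload, sort_keys=True).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())


def unseal(key: bytes, token: str) -> dict:
    """Return the payload, or raise ValueError if the token is malformed or forged."""
    try:
        body_b64, mac_b64 = token.split(".")
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except (ValueError, TypeError, AttributeError) as exc:
        raise ValueError("malformed token") from exc
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("MAC verification failed")
    return json.loads(body)


def issue_identity_ticket(initiator_id: str) -> str:
    """Identity ticket generated from the login request (eighth implementation)."""
    return seal(TICKET_KEY, {"initiator": initiator_id})


def issue_relationship_chain_auth(authorizer_id: str, relationship_types, valid_until: float) -> str:
    """Relationship chain authorization information generated from the relationship
    context (ninth implementation): authorizer id, validity period, relationship type set."""
    return seal(RELCHAIN_KEY, {
        "authorizer": authorizer_id,
        "relationship_types": list(relationship_types),
        "valid_until": valid_until,
    })


def handle_data_access_request(request: dict, now: float) -> dict:
    """Acquisition step of the access control device (first to third implementations).

    Returns the target data type and target relationship type on success, otherwise
    the verification message the client should display (or a plain rejection for the
    cases the patent text does not assign a message to; that mapping is an assumption).
    """
    target_data_type = request["data_type"]

    # Identity ticket check; failure -> first verification message.
    try:
        initiator = unseal(TICKET_KEY, request["identity_ticket"])["initiator"]
    except ValueError:
        return {"status": "first_verification_message", "reason": "identity ticket not verified"}

    # Relationship chain authorization -> relationship context.
    try:
        context = unseal(RELCHAIN_KEY, request["relationship_chain_auth"])
    except ValueError:
        return {"status": "rejected", "reason": "relationship chain authorization not verified"}

    # Relationship validity period against the access time limit; failure -> second message.
    if now > context["valid_until"]:
        return {"status": "second_verification_message", "reason": "relationship validity period expired"}

    # Obtain the target relationship type from the available set by the authorizer id.
    # Assumption of this example: the request names the authorizer it wants to reach
    # and, optionally, the relationship type it intends to use.
    if context["authorizer"] != request["authorizer_id"]:
        return {"status": "rejected", "reason": "authorization is for a different access authorizer"}
    available = context["relationship_types"]
    if not available:
        return {"status": "rejected", "reason": "no available relationship type"}
    wanted = request.get("relationship_type", available[0])
    if wanted not in available:
        return {"status": "rejected", "reason": "relationship type not in the authorized set"}

    return {"status": "ok", "initiator": initiator, "authorizer": context["authorizer"],
            "target_data_type": target_data_type, "target_relationship_type": wanted}


if __name__ == "__main__":
    ticket = issue_identity_ticket("user_A")
    auth = issue_relationship_chain_auth("user_B", ["friend relationship"], valid_until=2000.0)
    req = {"data_type": "user forward relation chain", "identity_ticket": ticket,
           "relationship_chain_auth": auth, "authorizer_id": "user_B"}
    print(handle_data_access_request(req, now=1000.0))
    print(handle_data_access_request(req, now=3000.0))
```

Because the envelope is only signed, the relationship context is readable by anyone holding the token; a deployment following FIG. 7 or FIG. 8 would encrypt it as well, and the MAC check here is the part that matters for the access decision: a client cannot extend its own validity period or add relationship types without the node's key.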
In one possible design, in a fourth implementation of the second aspect of the embodiment of the present application,
a determining module, configured to determine a first correspondence according to an access control model based on relationship clusters, where the first correspondence represents a correspondence between a relationship type and relationship clusters, and each relationship cluster corresponds to at least one relationship type;
and querying the target relation clusters corresponding to the target relation types according to the first corresponding relation.
In one possible design, in a fifth implementation of the second aspect of the embodiments of the present application,
a determining module, configured to determine a second correspondence according to an access control model based on a relationship cluster, where the second correspondence represents a correspondence between a relationship cluster and a role authority, and each relationship cluster corresponds to at least one role authority;
and inquiring N target role authorities corresponding to the target relation clusters according to the second corresponding relation.
In a possible design, in a sixth implementation manner of the second aspect of the embodiment of the present application, the access control apparatus further includes a query module;
the determining module is further configured to determine, after determining the N target role authorities corresponding to the target relationship cluster, a third correspondence according to the relationship-cluster-based access control model, where the third correspondence represents a correspondence between role authorities and data types, each role authority corresponds to at least one data type, and each data type corresponds to one data interface;
the query module is used for querying the data type of each target role authority in the N target role authorities according to the third corresponding relation to obtain M data types, wherein M is an integer greater than or equal to 1;
the determining module is further configured to determine that the data types corresponding to the N target role authorities are successfully matched with the target data types if the M data types include the target data type;
the sending module is further configured to send a third verification message to the client if the M data types do not include the target data type, so that the client displays the third verification message.
In one possible design, in a seventh implementation of the second aspect of the embodiments of the present application,
the control module is specifically used for determining a target data interface according to the type of the target data;
and opening the authority of the target data interface to the client so that the client provides the data corresponding to the access authorization party to the access initiator according to the authority of the target data interface.
In one possible design, in an eighth implementation of the second aspect of the embodiments of the present application,
the identity bill information is generated according to a login request sent by the client, wherein the login request carries at least one of identity information, login information and authority information of the access initiator.
In one possible design, in a ninth implementation of the second aspect of the embodiment of the present application,
the relationship chain authorization information is generated according to the relationship context information, wherein the relationship context information comprises an identifier of an access authorization party, a relationship validity period and a relationship type set, and the relationship type set comprises at least one available relationship type.
In one possible design, in a tenth implementation of the second aspect of the embodiment of the present application,
the identity bill information and the relation chain authorization information are information stored on the block chain.
A third aspect of the present application provides an access control node, comprising: a memory, a transceiver, a processor, and a bus system;
wherein, the memory is used for storing programs;
the processor is used for executing the program in the memory and comprises the steps of executing the method of the above aspects;
the bus system is used for connecting the memory and the processor so as to enable the memory and the processor to communicate.
A fourth aspect of the present application provides an access control system comprising at least one access control node as described in the third aspect above.
A fifth aspect of the present application provides a computer-readable storage medium having stored therein instructions, which, when run on a computer, cause the computer to perform the method of the above-described aspects.
According to the technical scheme, the embodiment of the application has the following advantages:
in the embodiment of the application, an access control method is provided, which includes obtaining a target data type and a target relationship type, determining a target relationship cluster from an access control model based on the relationship cluster according to the target relationship type, determining N target role authorities corresponding to the target relationship cluster according to the access control model based on the relationship cluster, and opening a target data interface corresponding to the target data type for an access initiator if the data types corresponding to the N target role authorities are successfully matched with the target data type, so that the access initiator can obtain data of an access authorizer. Through the method, the corresponding relation among the relation type, the relation cluster, the role authority and the data type is established by using the access control model based on the relation cluster, and classification on two layers of the relation cluster and the role authority is introduced between the relation type and the data type, so that the authority of data access is configured and maintained conveniently, the corresponding data interface can be inquired efficiently, and the efficiency of data access is improved.
Drawings
FIG. 1A is a schematic diagram of a cloud database architecture based on business applications in an embodiment of the present application;
fig. 1B is a schematic diagram of a cloud database architecture based on mobile office in the embodiment of the present application;
fig. 1C is a schematic diagram of a cloud database architecture based on the financial industry in the embodiment of the present application;
FIG. 1D is a diagram illustrating a cloud database architecture based on game applications in an embodiment of the present application;
FIG. 2 is a schematic diagram of an environment of an access control system in an embodiment of the present application;
FIG. 3 is a schematic diagram of an embodiment of a method for access control in an embodiment of the present application;
FIG. 4 is a schematic diagram of a network structure applied to a social network in the embodiment of the present application;
FIG. 5 is a schematic structural diagram of a relationship cluster-based access control model provided in the present application;
FIG. 6 is a schematic diagram of an interface showing a first verification message by a client in an embodiment of the present application;
FIG. 7 is a diagram illustrating an embodiment of obtaining relationship chain authorization information based on symmetric encryption according to an embodiment of the present application;
FIG. 8 is a diagram illustrating an embodiment of obtaining relationship-based authorization information based on asymmetric encryption according to an embodiment of the present application;
FIG. 9 is a schematic diagram of an interface showing a second verification message by a client in an embodiment of the present application;
FIG. 10 is a schematic diagram of an interface showing a third verification message at the client in the embodiment of the present application;
FIG. 11 is a diagram illustrating a security architecture for accessing relational data in a microservice scenario in an embodiment of the present application;
FIG. 12 is a block chain based data sharing system according to the present invention;
FIG. 13 is a block chain diagram of a data sharing system according to an embodiment of the present application;
FIG. 14 is a schematic diagram of an embodiment of generating a block in an embodiment of the present application;
FIG. 15 is a schematic diagram of an embodiment of an access control device in an embodiment of the present application;
FIG. 16 is a schematic structural diagram of a server in an embodiment of the present application;
fig. 17 is a schematic structural diagram of a terminal device in the embodiment of the present application.
Detailed Description
The embodiment of the application provides an access control method, a related device, equipment, a system and a storage medium, classification on two layers of relation clustering and role authority is introduced between a relation type and a data type, so that the data access authority can be configured and maintained conveniently, a corresponding data interface can be inquired efficiently, and the data access efficiency is improved.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "corresponding" and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that the method provided by the application is applicable to scenarios of performing access control on data in a social network, and unauthorized-access vulnerabilities in social services can be effectively prevented through such access control. With the diversification of social business types and the growing complexity of social business data, the data can be stored in a cloud database, and corresponding data is provided according to the business type. The cloud database is implemented on cloud technology, which is a hosting technology that unifies hardware, software, network and other resources in a wide area network or a local area network to realize computing, storage, processing and sharing of data. Cloud computing technology will become an important support. Background services of technical network systems, such as video websites, picture websites and other web portals, require large amounts of computing and storage resources. With the rapid development and application of the internet industry, each item may have its own identification mark and need to be transmitted to a background system for logical processing; data at different levels are processed separately, and the various kinds of industrial data need strong back-end system support, which can only be realized through cloud computing.
The access control method provided by the present application will be described with reference to four general scenarios. Referring to fig. 1A, fig. 1A is a schematic diagram of a cloud database architecture based on business applications in the embodiment of the present application. As shown in the figure, when a user A needs to call data (for example, order data) of a user B, an access request is initiated; based on the target data type and the target relationship type carried in the access request, whether the user A has the authority to call the data of the user B is determined by the Relationship Cluster Based Access Control (RCBAC) model provided by the application, and if so, an interface of the cloud server (e.g., an interface of an order server, an interface of a payment server, or an interface of an operation server) is opened to the user A so that the user A can call the relevant data of the user B in a database (e.g., database A, database B, or database C) through the interface. Optionally, the data of the user B may also be stored directly in the cloud storage Redis, so that the cloud server can read the data from the cloud storage Redis directly.
Referring to fig. 1B, fig. 1B is a schematic diagram of a cloud database architecture based on mobile office in the embodiment of the present application. As shown in the figure, when a user A needs to invoke data (e.g., commodity data) of a user C, an access request is initiated; based on the target data type and the target relationship type carried in the access request, whether the user A has the authority to invoke the data of the user C is determined by the RCBAC model provided in the present application, and if the user A has the authority, an interface of a cloud server (e.g., an interface of a web service) is opened to the user A, so that the user A can invoke the relevant data of the user C in a database (e.g., activity information, an order list, or user data) through the interface. Optionally, the data of the user C may also be stored directly in the cloud storage Redis, so that the cloud server reads the data from the cloud storage Redis directly.
Referring to fig. 1C, fig. 1C is a schematic diagram of a cloud database architecture based on the financial industry in the embodiment of the present application. As shown in the figure, an access request is initiated when a user A needs to invoke data (e.g., bank transaction flow data) of a user C. Because the data of the user C relates to services in the financial field, an authentication request first needs to be sent to a supervisory authority through a private line or a Virtual Private Network (VPN); after the authentication is passed, the user A is shown to be a legitimate user. Then, based on the target data type and the target relationship type carried in the access request, the RCBAC model provided by the application is used to determine whether the user A has the authority to call the data of the user C, and if so, an interface of the cloud server (e.g., an interface of an application service) is opened to the user A so that the user A can call the related data of the user C in a database (e.g., database A or database B) through the interface.
Referring to fig. 1D, fig. 1D is a schematic diagram of a cloud database architecture based on a game application in an embodiment of the present application. As shown in the figure, when a user A needs to invoke data (e.g., basic player data) of a user D, an access request is initiated; based on the target data type and the target relationship type carried in the access request, whether the user A has the authority to invoke the data of the user D is determined by the RCBAC model provided in the present application, and if the user A has the authority, an interface of a cloud server (e.g., an interface of a game battle server) is opened to the user A, so that the user A can invoke the relevant data of the user D in a database (e.g., the number of game items, activity information, etc.). Optionally, the data of the user C may also be stored directly in the cloud storage Redis, so that the cloud server reads the data from the cloud storage Redis directly.
The database can be regarded as an electronic file cabinet, namely a place for storing electronic files, and a user can perform operations such as adding, inquiring, updating, deleting and the like on data in the files. A "database" is a collection of data that is stored together in a manner that can be shared by multiple users, has as little redundancy as possible, and is independent of the application.
Database management systems (DBMS) are computer software systems designed to manage databases, typically with basic functions of storage, retrieval, security and backup. Database management systems may be categorized according to the database model they support, such as relational or Extensible Markup Language (XML); according to the type of computer supported, such as a server cluster or a mobile phone; according to the query language used, such as Structured Query Language (SQL) or XQuery; according to the performance profile, such as maximum speed; or by other classifications.
For convenience of understanding, the present application provides an access control method, which is applied to an access control system shown in fig. 2, please refer to fig. 2, and fig. 2 is a schematic structural diagram of the access control system in an embodiment of the present application, as shown in the figure, it is assumed that a user a needs to access data of a user B, and then a service request is sent to an access control device, where the service request carries identification ticket information corresponding to the user a and relationship chain authorization information, and if the identification ticket information is verified, the access control device determines whether the data of the user B can be provided for the user a by using an RCBAC model, and if the data of the user B can be accessed, opens an interface right for the user a, so that the user a accesses the data of the user B in a server through the interface.
It should be noted that the client is deployed on a terminal device, and the terminal device includes but is not limited to a tablet computer, a notebook computer, a palm computer, a mobile phone, a voice interaction device, and a Personal Computer (PC). The access control device is deployed on an access control node, wherein the access control node is an upstream node of a database, the database is generally composed of servers, the servers can be independent physical servers, can also be a server cluster or a distributed system composed of a plurality of physical servers, and can also be cloud servers providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, Network services, cloud communication, middleware services, domain name services, security services, Content Delivery Networks (CDNs), big data platforms and artificial intelligence platforms. The terminal may be, but is not limited to, a smart phone, a tablet computer, a laptop computer, a desktop computer, a smart speaker, a smart watch, and the like. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the application is not limited herein.
With reference to fig. 3, an embodiment of the method for access control in the present application includes:
101. the access control device acquires a target data type and a target relation type, wherein the target data type represents a data type requested by an access initiator, and the target relation type represents a relation type between the access initiator and an access authorizer;
In this embodiment, with the popularization of social networks, social relationships between users are becoming more and more complex. For ease of understanding, please refer to fig. 4, which is a schematic diagram of a network structure applied to a social network in the embodiment of the present application. As shown in the drawing, each node in the graph represents one user, and an edge between two nodes represents that the two users have a social relationship. Taking node 1 as an example, the adjacent nodes of node 1 are node 2, node 3, node 4 and node 5. On this basis, please refer to table 1, which illustrates the relationship types and data types associated with a user's social relationships.
TABLE 1

| Node | Neighboring node | Access initiator | Access authorizer | Relationship type | Data type |
|---|---|---|---|---|---|
| Node 1 | Node 1 | User A | User A | User self-relation | Checking basic account information |
| Node 1 | Node 2 | User A | User B | Friend relationship | Looking up user forward relation chain |
| Node 1 | Node 3 | User A | User C | Applet subscription relationship | Sending messages |
| Node 1 | Node 4 | User A | User D | Official account follow relationship | Sending group messages |
| Node 1 | Node 5 | User A | User E | Close payment relationship | Checking basic account information |
| Node 2 | Node 1 | User B | User A | Friend relationship | Looking up user reverse relation chain |
| Node 2 | Node 2 | User B | User B | Real-name identity relationship | Recalling account information |
| Node 2 | Node 4 | User B | User D | Official account follow relationship | Sending group messages |
| Node 2 | Node 7 | User B | User G | Article comment relationship | Checking basic account information |
As can be seen from table 1, each node corresponds to one user, and the same user may act as an access initiator, an access receiver, or both. Taking user A in table 1 as an example, if user A needs to access its own data, user A is both the access initiator and the access receiver; if user A needs to access the data of user B, user A is the access initiator and user B is the access receiver. In practical applications, two or more relationship types may exist between users; for example, user A and user B may be in both a friend relationship and a close payment relationship. The user under each relationship type can query at least one data type; for example, a user in a friend relationship can query the user forward relationship chain and the user reverse relationship chain.
The application is described by taking as an example a user A and a user B having a target relationship type, and a target data type (that is, a data type handled by the access control device) requested by the user under that target relationship type. The target relationship type represents the relationship type between the access initiator and the access authorizer, and the target data type represents the data type requested by the access initiator. In practical applications, access between any users in a social network may be controlled in a similar manner.
It should be noted that the access control device is deployed on the access control node, and the access control node is usually located upstream of the database; it may be deployed on a separate server, or directly on the server hosting the database.
102. The access control device determines a target relation cluster from a relation cluster-based access control model according to a target relation type, wherein the relation cluster-based access control model comprises a corresponding relation among the relation type, the relation cluster, role authority and a data type;
in this embodiment, the user a sends a service request to the access control device through the client, and the access control device obtains the target data type and the target relationship type based on the service request, and then invokes the RCBAC model, and determines the target relationship cluster corresponding to the target relationship type through the RCBAC model.
For convenience of description, please refer to fig. 5, fig. 5 is a schematic structural diagram of an access control model based on a relationship cluster provided in the present application, and as shown in the figure, an RCBAC model includes a corresponding relationship between a relationship type, a relationship cluster, a role authority, and a data type, and assuming that a target relationship type is a "friend relationship", it can be known that the relationship cluster corresponding to the "friend relationship" is a "friend" based on the RCBAC model, that is, the target relationship cluster is a "friend". Similarly, assuming that the type of the target relationship is "article comment relationship", based on the RCBAC model, it can be known that the relationship cluster corresponding to the "article comment relationship" is "stranger social contact", that is, the target relationship cluster is "stranger social contact".
It should be noted that the RCBAC model shown in fig. 5 is only one example, and the RCBAC model has extensibility and usability, that is, more possible capabilities can be extended in four dimensions of a relationship type, a relationship cluster, a role authority, and a data type, so as to provide an effective solution for protecting private data of a social service.
103. The access control device determines N target role authorities corresponding to the target relation clustering according to an access control model based on the relation clustering, wherein N is an integer greater than or equal to 1;
In this embodiment, after the access control device obtains the target relationship cluster, it continues to obtain at least one target role authority based on the RCBAC model. Continuing with the RCBAC model shown in fig. 5 as an example, assuming that the target relationship cluster is "friend", the target relationship cluster corresponds to two target role authorities, namely the role authority of "account basic data" and the role authority of "send message". Similarly, assuming that the target relationship cluster is "stranger social contact", the target relationship cluster corresponds to one target role authority, namely the role authority of "account basic data".
104. And if the data types corresponding to the N target role authorities are successfully matched with the target data types, the access control device opens a target data interface corresponding to the target data types to the access initiator, wherein the target data interface is an interface for the access initiator to access the data corresponding to the access authorizer.
In this embodiment, after determining N target role permissions, the access control device may obtain, by using the RCBAC model shown in fig. 5, a data type corresponding to each target role permission, then determine whether a condition that the data type is consistent with the target data type exists, and if the condition exists, the matching is successful, so that the access control device opens a target data interface corresponding to the target data type to the access initiator.
For convenience of understanding, a specific example is described below; please refer to table 1 again. Assume that the access initiator is user A, the access authorizer is user C, and user A needs to access the voice message sent by user C, that is, the target data type is "send voice message". Based on table 1, the target relationship type between user A and user C is "applet subscription relationship"; based on the RCBAC model shown in fig. 5, the target relationship cluster corresponding to the "applet subscription relationship" is determined to be "focus", and the two target role authorities corresponding to the "focus" cluster are then determined to be "account basic data" and "send message". When the target role authority is "account basic data", the corresponding data types are "checking user basic account information", "checking user attribute information" and "checking account information after user desensitization"; when the target role authority is "send message", the corresponding data types are "send message", "send group message" and "send voice message". Therefore, when the target role authority is "send message", the corresponding data type "send voice message" is consistent with the target data type, that is, the matching succeeds, and the access control device opens the target data interface for "send voice message" to user A, so that user A can access the voice message of user C through the target data interface.
Conversely, if the data type under the authority of the target role is not consistent with the target data type, it indicates that the user a does not have the authority to access the voice message sent by the user C.
In the embodiment of the application, an access control method is provided, which includes obtaining a target data type and a target relationship type, determining a target relationship cluster from an access control model based on the relationship cluster according to the target relationship type, determining N target role authorities corresponding to the target relationship cluster according to the access control model based on the relationship cluster, and opening a target data interface corresponding to the target data type for an access initiator if the data types corresponding to the N target role authorities are successfully matched with the target data type, so that the access initiator can obtain data of an access authorizer. Through the method, the corresponding relation among the relation type, the relation cluster, the role authority and the data type is established by using the access control model based on the relation cluster, and classification on two layers of the relation cluster and the role authority is introduced between the relation type and the data type, so that the authority of data access is configured and maintained conveniently, the corresponding data interface can be inquired efficiently, and the efficiency of data access is improved.
Optionally, on the basis of the foregoing embodiments corresponding to fig. 3, in another optional embodiment of the method for access control provided in the embodiment of the present application, the obtaining, by the access control device, the target data type and the target relationship type may include:
the access control device receives a data access request sent by a client, wherein the data access request carries identity ticket information and relationship chain authorization information;
the access control device determines the target data type according to the data access request;
if the identity ticket information is successfully verified, the access control device determines the target relationship type according to the relationship chain authorization information;
and if verification of the identity ticket information fails, the access control device sends a first verification message to the client so that the client displays the first verification message.
In this embodiment, a method for verifying identity ticket information is introduced. Since a social network structure is complex, data access can be realized based on a microservice system, that is, a large system that is divided according to service functions into multiple small systems with a single responsibility each, which cooperate with one another to form the large system. The authorization credential issued after user identity authentication in the microservice system is the identity ticket information, which records the user identity information, login information, authority identifiers and other information.
Specifically, after the access control device receives the data access request, it can directly determine from the data access request which target data interface needs to be accessed, and since the target data interface and the target data type have a corresponding relationship, the access control device can determine the target data type according to the data access request. The data access request also carries identity ticket information, which the access control device needs to verify. One verification mode is to check whether the user name and password of the access initiator are consistent with the pre-stored user name and password. If they are inconsistent, the access initiator is notified that the verification failed. If they are consistent, the user authority table is checked to see whether the access initiator has the authority to execute the access operation: if so, verification of the identity ticket information succeeds; if not, verification of the identity ticket information fails.
For convenience of understanding, please refer to fig. 6, where fig. 6 is an interface schematic diagram illustrating a first verification message displayed by a client in an embodiment of the present application, an access initiator sends a data access request to an access control device through the client, determines a target data type according to the data access request, and the data access request also carries identity ticket information and relationship chain authorization information of the access initiator, the access control device verifies the identity ticket information first, and if the identity ticket information is successfully verified, the access initiator enters the interface shown in fig. 6 (a), so that the access initiator can comment on an article with a public number on a message page in the "ancient love public number". If the authentication of the identity ticket information fails, the interface shown in (B) in fig. 6 is entered, and a first authentication message is displayed on the interface, for example, the first authentication message may be "sorry, and you do not have the right to comment on the article". It is understood that the content of the document referred to in the first authentication message may be adjusted according to the actual situation, and is only an illustration here, and should not be construed as a limitation to the present application.
Secondly, in the embodiment of the application, a method for verifying the identity ticket information is provided, through the method, before the target data type and the target relationship type are obtained, the identity ticket information of the access initiator needs to be verified, and if the verification fails, an interface is not opened for the access initiator, so that the security of data access is improved.
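As an added illustration of the identity ticket verification described above (example code written for this page, not code from the patent or from the applicant's system), the following Python function performs the two checks in the order given: the user name and password are first compared with the pre-stored credentials, and the user authority table is then consulted for the requested operation. The credential store, the authority table, the salts, the operation names and the salted PBKDF2 hashing of the stored passwords are assumptions of the example; the page only states that the stored user name and password are compared.

```python
import hashlib
import hmac
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # Stored passwords are kept as salted PBKDF2-HMAC-SHA256 hashes (an
    # assumption of this example), so the store never holds plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed salts and credentials standing in for the pre-stored user name
# and password the description refers to.
_SALT_A = bytes.fromhex("00112233445566778899aabbccddeeff")
_SALT_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")

CREDENTIAL_STORE = {
    "user_a": (_SALT_A, _hash_password("correct horse", _SALT_A)),
    "user_b": (_SALT_B, _hash_password("battery staple", _SALT_B)),
}

# Constructed "user authority table": the access operations each account may
# execute. Operation names are assumptions of the example.
USER_AUTHORITY_TABLE = {
    "user_a": {"comment_article", "send_message"},
    "user_b": {"comment_article"},
}

# Text of the first verification message from the description of fig. 6 (B).
FIRST_VERIFICATION_MESSAGE = "sorry, you do not have the right to comment on the article"


def verify_identity_ticket(ticket: dict, operation: str) -> Optional[str]:
    """Return None when the identity ticket information is accepted, otherwise
    the first verification message that the client should display.

    Check 1: user name and password are consistent with the pre-stored values.
    Check 2: the user authority table grants the requested access operation.
    """
    user_name = ticket.get("user_name")
    password = ticket.get("password", "")
    record = CREDENTIAL_STORE.get(user_name)
    if record is None:
        # Unknown user name: still run the hash so response time does not
        # reveal which user names exist.
        _hash_password(password, _SALT_A)
        return FIRST_VERIFICATION_MESSAGE
    salt, stored_hash = record
    # Constant-time comparison of the recomputed hash with the stored one.
    if not hmac.compare_digest(_hash_password(password, salt), stored_hash):
        return FIRST_VERIFICATION_MESSAGE
    if operation not in USER_AUTHORITY_TABLE.get(user_name, set()):
        return FIRST_VERIFICATION_MESSAGE
    return None
```

The same message is returned for every failure so that the reply does not tell a caller whether the user name, the password or the authority check was the reason; a production system would log the distinct reason server-side for the operators.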
Optionally, on the basis of the foregoing embodiments corresponding to fig. 3, in another optional embodiment of the method for access control provided in the embodiment of the present application, the determining, by the access control device, the target relationship type according to the relationship-chain authorization information may include:
the access control device decrypts the relation chain authorization information to obtain relation context information, wherein the relation context information comprises an identifier of an access authorization party and a relation type set, and the relation type set comprises at least one available relation type;
and the access control device acquires the target relationship type from the at least one available relationship type according to the identifier of the access authorizer.
In this embodiment, a method for acquiring the target relationship type based on the relationship chain authorization information is introduced. In the general case the relationship chain authorization information is encrypted, so after it is acquired it must be decrypted to obtain the corresponding relationship context information. The relationship context information includes an identifier of the access authorizer; for example, the identifier "1000101" indicates that the access authorizer is user B. The relationship context information also includes at least one available relationship type. For example, if the access initiator is user A, user A may have 3 available relationship types: an available relationship type between user A and user B (user B identified as "1000101"), an available relationship type between user A and user D (user D identified as "1111101"), and an available relationship type between user A and user H (user H identified as "10101001"). If the identifier of the access authorizer is "1000101", it can be determined that the target relationship type is the relationship type between user A and user B (for example, the "friend relationship").
Specifically, before the access control device acquires the context information, it needs to perform decryption processing on the relationship chain authorization information, and a decryption manner of the relationship chain authorization information will be described below with reference to fig. 7 and 8. Referring to fig. 7, fig. 7 is a schematic diagram of an embodiment of obtaining the relation chain authorization information based on symmetric encryption according to the embodiment of the present application, where the same key is used for encryption and decryption in the symmetric encryption and decryption process. As shown in fig. 7, the client encrypts the relationship context information by using the key a to obtain the relationship chain authorization information, and then sends the relationship chain authorization information to the access control device, and the access control device decrypts the relationship chain authorization information by using the key a to obtain the relationship context information.
Referring to fig. 8, fig. 8 is a schematic diagram illustrating an embodiment of obtaining the relationship chain authorization information based on asymmetric encryption according to the embodiment of the present application. In the asymmetric encryption and decryption process, both the encrypting side and the decrypting side have a public key and a private key. The public key may be exposed to the outside, is comparable to a public address book, and may be accessed by other devices. The private key is kept only by its owner, and only the corresponding private key can decrypt information encrypted with the public key. Correspondingly, information encrypted with the private key can only be decrypted with the public key. As shown in fig. 8, the client has a private key A and a public key A, and the access control device has a private key B and a public key B, where public key A and public key B are both exposed to the outside. Assume that the client encrypts the relationship context information with public key B to obtain the relationship chain authorization information and sends it to the access control device; the access control device then decrypts the relationship chain authorization information with private key B to obtain the relationship context information.
In the embodiment of the application, a method for acquiring the target relationship type based on the relationship chain authorization information is provided, and through the method, verification and credentialing of the social relationship chain are realized, and data of the other party can be accessed only through authentication of the relationship chain authorization information, so that the security of data access is improved. And the relation chain authorization information is encrypted, so that the relation chain authorization information has better guarantee in the transmission process, and the reliability of data transmission is improved.
Optionally, on the basis of the foregoing embodiments corresponding to fig. 3, in another optional embodiment of the method for access control provided in the embodiment of the present application, the relationship context information further includes a relationship validity period;
the access control device may decrypt the relationship chain authorization information to obtain the relationship context information, and may further include:
if the relationship validity period satisfies the access time limit condition, the access control device executes the step of obtaining the target relationship type from the at least one available relationship type according to the identifier of the access authorizer;
and if the relation validity period does not meet the access time limit condition, the access control device sends a second verification message to the client so that the client displays the second verification message.
In this embodiment, a method for performing an access operation based on a relationship validity period is described, where an access control device decrypts relationship chain authorization information to obtain relationship context information, where the relationship context information may further include a relationship validity period in addition to an identifier of an access authorization party and a relationship type set, where the relationship validity period represents a validity period of the relationship chain authorization information. How to judge whether the access initiator meets the access time limit condition according to the relation validity period is respectively described in two ways.
The first way is that the relationship validity period is a fixed time point. Assuming that the relationship validity period is March 31, 2020, if the data access request is initiated on or before March 31, 2020, the relationship validity period satisfies the access time limit condition, and the access control device continues to acquire the target relationship type and performs the subsequent operations using the RCBAC model. Conversely, if the data access request is initiated after March 31, 2020, the relationship validity period does not satisfy the access time limit condition.
In the second way, the relationship validity period is a fixed time period, counted from the date on which the relationship chain authorization information was issued to the access initiator. Assuming that the relationship validity period is 1 year and that the access initiator obtained the relationship chain authorization information on January 1, 2020, a data access request initiated in the period from January 1, 2020 to January 1, 2021 satisfies the access time limit condition, and the access control device then proceeds to acquire the target relationship type and performs the subsequent operations using the RCBAC model. Conversely, if the data access request is not initiated within the period from January 1, 2020 to January 1, 2021, the relationship validity period does not satisfy the access time limit condition.
Specifically, for convenience of understanding, please refer to fig. 9, where fig. 9 is an interface schematic diagram illustrating a second verification message displayed by a client in the embodiment of the present application, as shown in the figure, an access initiator sends a data access request to an access control device through the client, determines a target data type according to the data access request, where the data access request further carries identity ticket information and relationship chain authorization information of the access initiator, the access control device verifies the identity ticket information first, if the identity ticket information is successfully verified, continues to verify a relationship validity period corresponding to the relationship chain authorization information, and if the relationship validity period satisfies an access time limit condition, the access initiator enters the interface shown in (a) in fig. 9, so that the access initiator can add "which ancestor" as its new friend. If the relationship validity period does not satisfy the access time limit condition, the interface shown in (B) in fig. 9 is entered, and a second verification message is displayed on the interface, for example, the second verification message may be "sorry, your relationship chain authorization information has expired, please retrieve". It is understood that the content of the document referred to in the second verification message may be adjusted according to the actual situation, and is only an illustration here, and should not be construed as a limitation to the present application.
Further, in the embodiment of the present application, a method for performing an access operation based on a relationship validity period is provided, and by the above manner, validity of the relationship chain authorization information of the access initiator needs to be checked, and for the access initiator, data in the whole life cycle can be accessed only by successfully authenticating the relationship chain authorization information, so that cost and expense of relationship chain checking are saved, and availability of the scheme is improved. In addition, if the relation chain authorization information is expired, the access initiator is not provided with the authority of interface calling, so that the timeliness of data verification is facilitated.
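As an added example covering both the decryption of the relationship chain authorization information (fig. 7, symmetric case) and the two ways of checking the relationship validity period, the following Python code is written for this page and is not the patent's or the applicant's own implementation. It assumes a shared key A, a JSON relationship context with the fields authorizer_id, relationship_types, and either valid_until (fixed time point) or issued_on plus valid_years (fixed period); the field names, the sample identifiers and the relationship type attributed to user H are assumptions. Because the standard library has no AES, the encryption is a counter-mode construction with HMAC-SHA256 as the pseudo-random function plus an encrypt-then-MAC tag; it stands in for a library AEAD such as AES-GCM, and the structure of the exchange, not the primitive, is what the example demonstrates.

```python
import hashlib
import hmac
import json
import os
from datetime import date
from typing import Optional, Tuple

# Shared "key A" of fig. 7, constructed for this example; in practice it is
# provisioned to the client and to the access control device out of band.
KEY_A = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0f0e1d2c3b4a5968778695a4b3c2d1e0f")

# Text of the second verification message from the description of fig. 9 (B).
SECOND_VERIFICATION_MESSAGE = ("sorry, your relationship chain authorization "
                               "information has expired, please retrieve")


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the one shared key.
    enc = hmac.new(key, b"relationship-chain-enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"relationship-chain-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream using HMAC-SHA256 as the PRF (stand-in for a
    # library AEAD so that the example runs with the standard library only).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_relationship_context(key: bytes, context: dict, nonce: Optional[bytes] = None) -> bytes:
    """Client side of fig. 7: relationship context -> relationship chain authorization information."""
    enc_key, mac_key = _subkeys(key)
    nonce = nonce if nonce is not None else os.urandom(16)
    plaintext = json.dumps(context, sort_keys=True).encode()
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC over nonce and ciphertext, so alteration in transit is detected.
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_relationship_context(key: bytes, token: bytes) -> Optional[dict]:
    """Access control device side: the relationship context, or None if the token fails authentication."""
    enc_key, mac_key = _subkeys(key)
    if len(token) < 16 + 32:
        return None
    nonce, body, tag = token[:16], token[16:-32], token[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))
    return json.loads(plaintext)


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # issued on 29 February: expire on 28 February
        return d.replace(year=d.year + years, day=28)


def validity_period_satisfied(context: dict, request_date: str) -> bool:
    """The two ways of the description, selected by the fields the context carries:
    a fixed time point ("valid_until", inclusive) or a fixed period counted from
    the issue date ("issued_on" plus "valid_years", both ends inclusive)."""
    requested = date.fromisoformat(request_date)
    if "valid_until" in context:
        return requested <= date.fromisoformat(context["valid_until"])
    issued = date.fromisoformat(context["issued_on"])
    return issued <= requested <= _add_years(issued, int(context["valid_years"]))


def resolve_target_relationship_type(key: bytes, token: bytes, request_date: str) -> Tuple[Optional[str], Optional[str]]:
    """Returns (target relationship type, None) on success, or (None, message for the client)."""
    context = decrypt_relationship_context(key, token)
    if context is None:
        return None, "relationship chain authorization information failed verification"
    if not validity_period_satisfied(context, request_date):
        return None, SECOND_VERIFICATION_MESSAGE
    # The target relationship type is the available type whose counterpart is the access authorizer.
    target = context["relationship_types"].get(context["authorizer_id"])
    if target is None:
        return None, "no available relationship type with the access authorizer"
    return target, None


# Constructed relationship context following the description: user A holds
# available relationship types with user B ("1000101"), user D ("1111101") and
# user H ("10101001"); the type given for user H is an assumption.
SAMPLE_CONTEXT = {
    "authorizer_id": "1000101",
    "relationship_types": {
        "1000101": "friend relationship",
        "1111101": "public number concern",
        "10101001": "article comment relationship",
    },
    "valid_until": "2020-03-31",
}
```

The validity check runs only after the tag has been verified, so an expired token cannot be extended by editing the date field in transit, and the access authorizer identifier is read from the authenticated context rather than from any unauthenticated part of the request.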
Optionally, on the basis of the foregoing embodiments corresponding to fig. 3, in another optional embodiment of the access control method provided in this embodiment of the present application, the determining, by the access control device, a target relationship cluster from the relationship cluster-based access control model according to the target relationship type may include:
the access control device determines a first corresponding relation according to an access control model based on the relation clusters, wherein the first corresponding relation represents the corresponding relation between the relation types and the relation clusters, and each relation cluster corresponds to at least one relation type;
and the access control device queries the target relation clusters corresponding to the target relation types according to the first corresponding relation.
In this embodiment, a method for determining a target relationship cluster is introduced, where a complete RCBAC model includes four parts, namely a relationship type, a relationship cluster, a role authority, and a data type, and a relationship between the relationship type and the relationship cluster, that is, a first corresponding relationship, is described below.
Specifically, for ease of description, please refer to fig. 5 again, there is a many-to-one relationship between relationship types and relationship clusters in the first corresponding relationship, and thus, each relationship cluster corresponds to at least one relationship type. Referring to table 2, table 2 is an illustration of the first correspondence.
TABLE 2
(Table 2 appears in the original only as an image; its contents are not available as text.)
As can be seen from table 2, when the target relationship type is determined, the corresponding target relationship cluster can be found, it should be noted that the relationship type and the relationship cluster shown in table 2 are only one schematic, in practical application, more relationship types and relationship clusters can be further expanded, and the corresponding relationship between the relationship cluster and the relationship type can also be adjusted according to the practical situation, which is not limited herein.
Secondly, in the embodiment of the present application, a method for determining a target relationship cluster is provided, and by the method, a target relationship cluster corresponding to a target relationship type can be directly determined by using a first corresponding relationship included in an RCBAC model, and it is not necessary to traverse all relationship types and relationship clusters, thereby improving the efficiency of data access control.
Optionally, on the basis of the foregoing embodiments corresponding to fig. 3, in another optional embodiment of the access control method provided in this embodiment of the present application, the determining, by the access control device, N target role permissions corresponding to the target relationship clusters according to the access control model based on the relationship clusters may include:
the access control device determines a second corresponding relation according to an access control model based on the relation clusters, wherein the second corresponding relation represents the corresponding relation between the relation clusters and the role authority, and each relation cluster corresponds to at least one role authority;
and the access control device queries N target role authorities corresponding to the target relation clusters according to the second corresponding relation.
In this embodiment, a method for determining at least one target role authority is introduced, where a complete RCBAC model includes four parts, which are a relationship type, a relationship cluster, a role authority, and a data type, and a relationship between the role authority and the relationship cluster, that is, a second corresponding relationship, is described below.
Specifically, for ease of description, please refer to fig. 5 again, in the second corresponding relationship, there is a one-to-many relationship between the relationship clusters and the role authorities, and thus, each relationship cluster corresponds to at least one role authority. Referring to table 3, table 3 is an illustration of the second correspondence relationship.
TABLE 3
(Table 3 appears in the original only as an image; its contents are not available as text.)
As can be seen from table 3, when the target relationship cluster is determined, the corresponding target role authority can be found, it should be noted that the role authority and the relationship cluster shown in table 3 are only one schematic, in practical application, more role authorities and relationship clusters can be further expanded, and the corresponding relationship between the relationship cluster and the role authority can also be adjusted according to practical situations, which is not limited herein.
Secondly, in the embodiment of the present application, a method for determining at least one target role authority is provided, and by using the second corresponding relationship included in the RCBAC model, N target role authorities corresponding to target relationship clustering can be directly determined without traversing all role authorities, thereby improving the efficiency of data access control.
Optionally, on the basis of the foregoing embodiments corresponding to fig. 3, in another optional embodiment of the access control method provided in this embodiment of the present application, after the access control device determines, according to the access control model based on the relationship cluster, N target role authorities corresponding to the target relationship cluster, the method may further include:
the access control device determines a third corresponding relation according to the access control model based on the relation cluster, wherein the third corresponding relation represents the corresponding relation between role authorities and data types, each role authority corresponds to at least one data type, and each data type corresponds to one data interface;
the access control device inquires the data type of each target role authority in the N target role authorities according to the third corresponding relation to obtain M data types, wherein M is an integer greater than or equal to 1;
if the M data types comprise target data types, the access control device determines that the data types corresponding to the N target role authorities are successfully matched with the target data types;
and if the M data types do not comprise the target data type, the access control device sends a third verification message to the client so that the client displays the third verification message.
In this embodiment, a method for detecting an interface authority is introduced. A complete RCBAC model includes four parts, namely a relationship type, a relationship cluster, a role authority and a data type; the relationship between the role authority and the data type, that is, the third corresponding relationship, is described below.
Specifically, for ease of description, please refer to fig. 5 again. In the third corresponding relationship there is a one-to-many relationship between the role authorities and the data types, so that each role authority corresponds to at least one data type, and typically each data type corresponds to one data interface. Referring to table 4, table 4 is an illustration of the third corresponding relationship.
TABLE 4
(Table 4 appears in the original only as an image; its contents are not available as text.)
As can be seen from table 4, when the target role authority is determined, the corresponding data type can be found, it should be noted that the role authority and the data type shown in table 4 are only one schematic, in practical application, more role authorities and data types can be further expanded, and the corresponding relationship between the role authority and the data type can also be adjusted according to practical situations, which is not limited herein.
Taking table 4 as an example, assume that the N target role authorities are the "relationship chain query" role authority and the "send message" role authority, so that N equals 2. Based on these N target role authorities, the M data types are determined to be "checking user forward relation chain", "checking user reverse relation chain", "sending message", "sending group message" and "sending voice message", so that M equals 5. Assuming that the target data type is "send voice message", the M data types include the target data type, that is, the data types corresponding to the N target role authorities are successfully matched with the target data type.
For ease of understanding, please refer to fig. 10, which is an interface diagram of a third verification message displayed by the client according to an embodiment of the present application. If a data type corresponding to a target role authority is successfully matched with the target data type (e.g., "send voice message"), the corresponding target data interface is opened for the access initiator, who then enters the interface shown in (A) of fig. 10 and can send a voice message in the public account "ancient love language public number". If no data type corresponding to the target role authorities matches the target data type (e.g., "send voice message"), the interface shown in (B) of fig. 10 is entered and a third verification message is displayed on it, for example "sorry, you do not have permission to send voice message". It is understood that the wording of the third verification message may be adjusted according to the actual situation; it is only an illustration here and should not be construed as a limitation of the present application.
In the embodiment of the present application, a method for detecting interface permissions is provided. In the above manner, by using the third corresponding relationship included in the RCBAC model, the data types of each target role permission can be determined directly without traversing all data types, so the efficiency of data access control is improved. In addition, if no data type of the target role authorities matches the target data type, a verification failure message can be pushed to the client, so that the access initiator learns the access result in time, which improves the feasibility and flexibility of data access.
Optionally, on the basis of the foregoing embodiments corresponding to fig. 3, in another optional embodiment of the method for controlling access provided in the embodiment of the present application, the opening, by the access control device, of the target data interface corresponding to the target data type to the access initiator may include:
the access control device determines a target data interface according to the type of the target data;
and the access control device opens the authority of the target data interface to the client so that the client provides the data corresponding to the access authorization party to the access initiator according to the authority of the target data interface.
In this embodiment, a method for opening the authority of a target data interface to a client is introduced, where after determining a type of target data that an access initiator needs to access, an access control device may determine a corresponding target data interface. Typically, each data interface corresponds to a data type, so that when a target data interface is opened, the access initiator has access to the data of the authorized party under the target data interface.
Specifically, assume that the access initiator is user A, the access authorizer is user B, and the target relationship type between user A and user B is a friend relationship. User A sends a data access request to the access control device through the client, where the data access request is used to request sending a voice message to user B, that is, the target data type is "send voice message". If the identity ticket information and the relationship chain authorization information are verified, the target relationship cluster for the target relationship type "friend relationship" is queried from the RCBAC model and found to be "friend". This target relationship cluster has two target role authorities, namely the role authority "account basic data" and the role authority "send message", and the data types corresponding to these two target role authorities are obtained from the RCBAC model. The role authority "send message" has the data type "send voice message", which is consistent with the target data type, so the target data interface whose data type is "send voice message" is opened, and user A can access the voice message of user B from the database through the target data interface.
Assume instead that the access initiator is user A, the access authorizer is user B, and the target relationship type between user A and user B is a public account attention relationship. User A sends a data access request to the access control device through the client, where the data access request is used to request modifying the account information of user B, that is, the target data type is "modify account information". If the identity ticket information and the relationship chain authorization information are verified, the target relationship cluster for the target relationship type "public account attention relationship" is queried from the RCBAC model and found to be "attention". This target relationship cluster has two target role authorities, namely the role authority "account basic data" and the role authority "send message", and the data types corresponding to these two target role authorities are obtained from the RCBAC model.
Secondly, in the embodiment of the application, a method for opening the authority of the target data interface to the client is provided, and by the above manner, only the use authority of the target data interface is opened to the access initiator according to the target data interface corresponding to the target data type, but the data interface authority of the non-target data type does not need to be opened, so that the data interface can be prevented from being randomly called, and the security of data access is improved.
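As an added illustration that is not part of the patent's text, the following Python models the three correspondences with the relationship types, clusters, role authorities and data types named above and carries out the matching and interface-opening steps of both embodiments; the data types of the "account basic data" role authority, the interface names and the message for an unknown relationship type are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# First corresponding relationship: relationship type -> relationship cluster.
# Populated with the relationship types and clusters named in the text.
RELATION_TYPE_TO_CLUSTER: Dict[str, str] = {
    "friend relationship": "friend",
    "public account attention relationship": "attention",
}

# Second corresponding relationship: relationship cluster -> role authorities.
CLUSTER_TO_ROLES: Dict[str, List[str]] = {
    "friend": ["account basic data", "send message"],
    "attention": ["account basic data", "send message"],
}

# Third corresponding relationship (table 4): role authority -> data types.
# The data types of "account basic data" are not listed in the text; the entry
# below is an assumption used only to make the example complete.
ROLE_TO_DATA_TYPES: Dict[str, List[str]] = {
    "query relationship chain": [
        "view user forward relationship chain",
        "view user reverse relationship chain",
    ],
    "send message": ["send message", "send group message", "send voice message"],
    "account basic data": ["view account basic information"],  # assumed
}

# Each data type corresponds to one data interface; interface names are assumed.
DATA_TYPE_TO_INTERFACE: Dict[str, str] = {
    dt: dt.replace(" ", "_") + "_interface"
    for dts in ROLE_TO_DATA_TYPES.values() for dt in dts
}


@dataclass
class AccessDecision:
    """Result of the check: the opened interface, or the message shown instead."""
    opened_interface: Optional[str]
    message: Optional[str]
    target_cluster: Optional[str] = None
    target_roles: List[str] = field(default_factory=list)
    data_types: Set[str] = field(default_factory=set)


def data_types_for_roles(roles: List[str]) -> Set[str]:
    """Collect the M data types of N role authorities directly from the third
    corresponding relationship, without traversing every data type."""
    found: Set[str] = set()
    for role in roles:
        found.update(ROLE_TO_DATA_TYPES.get(role, []))
    return found


def check_access(target_data_type: str, target_relation_type: str) -> AccessDecision:
    """Walk the three correspondences and decide whether to open the interface."""
    cluster = RELATION_TYPE_TO_CLUSTER.get(target_relation_type)
    if cluster is None:
        # No cluster for this relationship type: nothing is opened (message assumed).
        return AccessDecision(None, "sorry, the relationship is not recognised")
    roles = CLUSTER_TO_ROLES.get(cluster, [])
    data_types = data_types_for_roles(roles)
    if target_data_type in data_types:
        # Match succeeded: open only the interface of the target data type,
        # never the interfaces of non-target data types.
        return AccessDecision(DATA_TYPE_TO_INTERFACE[target_data_type], None,
                              cluster, roles, data_types)
    # Match failed: the third verification message is pushed to the client.
    return AccessDecision(None, f"sorry, you do not have permission to {target_data_type}",
                          cluster, roles, data_types)


if __name__ == "__main__":
    print(check_access("send voice message", "friend relationship"))
    print(check_access("modify account information",
                       "public account attention relationship"))
```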
Optionally, on the basis of each embodiment corresponding to fig. 3, in another optional embodiment of the access control method provided in the embodiment of the present application, the identity ticket information is generated according to a login request sent by the client, where the login request carries at least one of identity information, login information, and permission information of the access initiator.
In this embodiment, a method for obtaining identity ticket information based on the security architecture is introduced. The client may send a login request to a login server, where the login request carries at least one of the identity information, login information, and permission identifier of the access initiator. The identity information is usually an identity (ID) of the user, such as a user name, an account, or another identifier. The login information typically includes a login address (such as Shanghai, Shenzhen, or Beijing) and a login time (such as 23:27:10 on 31 March 2020). The permission identifier indicates whether the access initiator has login permission: for example, when the permission identifier is 1, the access initiator can log in to the server, and when the permission identifier is 0, the access initiator does not have permission to log in to the server. The login server authenticates the information in the login request, packages the information after authentication passes, generates a signature, encrypts the information using the signature to obtain the identity ticket information, and finally sends the identity ticket information to the client so that the access initiator can subsequently use it for data access.
Specifically, the access initiator generally needs to enter a user name and a password on an interface of the client, where the user name may be a mobile phone number, an e-mail address, or a third-party account, and a login request is initiated after the input is completed. After receiving the login request, the login server matches the user name and password against the pre-stored user name and password, and if they match, a token for marking the user is generated according to the identity information of the access initiator. Next it needs to be determined whether the token is being used by the access initiator itself, which may be done through location information and device information: the location information is usually determined by an Internet Protocol (IP) address (e.g., 117.114.151.174) or by latitude and longitude, and the device information may be the serial number of the device or its Media Access Control (MAC) address. The login server then authenticates the identity of the access initiator by combining the token, the location information, and the device information.
To improve authentication efficiency, either of the following two approaches may be used. In the first, the login server verifies the identity of the access initiator at random or at regular intervals; for example, the login server sends an authentication request to the client every 2 seconds, and the client feeds back the token, location information, and device information to the login server in response, so that identity verification is performed. In the second, the client periodically requests authentication from the login server, that is, a valid time is set for the token; for example, if the valid time of the token is 5 minutes, the token is disabled after 5 minutes, so the token needs to be refreshed and the authentication request sent to the server again.
Secondly, in the embodiment of the application, a method for acquiring identity ticket information based on a security architecture is provided, through the above manner, the information of an access initiator needs to be verified, and corresponding identity ticket information is issued only after the verification is passed, otherwise, the identity ticket information is not distributed to the access initiator, so that the condition of illegal access is reduced, and the security of data access is improved.
Optionally, on the basis of the foregoing embodiments corresponding to fig. 3, in another optional embodiment of the access control method provided in this embodiment of the present application, the relationship chain authorization information is generated according to relationship context information, where the relationship context information includes an identifier of an access authorizer, a relationship validity period, and a relationship type set, and the relationship type set includes at least one available relationship type.
In this embodiment, a method for obtaining relationship chain authorization information based on a security architecture is introduced, in which a client sends a login request to a login server, the login server performs authentication processing on information in the login request, and after the authentication is passed, identity ticket information is sent to the client. The client may then continue to obtain relationship chain authorization information.
Specifically, for ease of understanding, please refer to fig. 11, which is a schematic diagram of a security architecture for accessing relationship data in a microservice scenario in the embodiment of the present application. As shown in the figure, the security architecture may include a business logic server, a relationship chain authorization server, at least one relationship chain authentication server, a base server, an access control node, and a database, where the access control node and the database may be deployed together, and the access control device is deployed on the access control node.
In step S1, the access initiator sends a service access request to the business logic server through the client, where the service access request carries the identity ticket information and a service type identifier. The service type identifier represents different data types, such as sending a message, reviewing an article, or adding a friend, all of which involve accessing another person's data. After receiving the service access request, the business logic server may determine the relationship type between the access initiator and the access authorizer, such as a friend relationship or a public account attention relationship, according to the service type identifier. The business logic server then sends a relationship chain authorization request to the relationship chain authorization server based on the relationship type, where the relationship chain authorization request carries the identity ticket information and the identifier of the relationship type.
The relationship chain authorization server first verifies the identity ticket information, thereby determining whether the identity of the access initiator is legitimate, and if the identity ticket information of the access initiator passes verification, it forwards the relationship chain authorization request to the corresponding relationship chain authentication server. Assume that the identifiers of the relationship types are "100" and "111", where "100" indicates that the access initiator and the access authorizer are in a "friend relationship" and "111" indicates that they are in an "affinity payment relationship"; the relationship chain authorization server then needs to forward the relationship chain authorization request to the two corresponding relationship chain authentication servers. If the "friend relationship" corresponds to relationship chain authentication server A and the "affinity payment relationship" corresponds to relationship chain authentication server B, the relationship chain authorization server performs step S2 and step S4, respectively.
In step S2, the relationship chain authorization server sends a relationship chain authorization request to relationship chain authentication server A based on the "friend relationship" between the access initiator and the access authorizer, and relationship chain authentication server A performs relationship chain verification, for example by querying whether the "friend relationship" exists between the access initiator and the access authorizer.
In step S3, if relationship chain authentication server A determines that the relationship chain verification succeeded, it feeds back a result of successful authentication to the relationship chain authorization server; if it determines that the relationship chain verification failed, it feeds back a result of failed authentication to the relationship chain authorization server.
In step S4, the relationship chain authorization server sends a relationship chain authorization request to relationship chain authentication server B based on the "affinity payment relationship" between the access initiator and the access authorizer, and relationship chain authentication server B performs relationship chain verification, for example by querying whether the "affinity payment relationship" exists between the access initiator and the access authorizer.
In step S5, if relationship chain authentication server B determines that the relationship chain verification succeeded, it feeds back a result of successful authentication to the relationship chain authorization server; if it determines that the relationship chain verification failed, it feeds back a result of failed authentication to the relationship chain authorization server.
In step S6, if the relationship chain authorization server receives the result of successful authentication, it issues the relationship chain authorization information to the business logic server; otherwise, if it receives a result of authentication failure, the subsequent steps are not executed. To improve the security of information transmission, the relationship chain authorization information is obtained by encrypting relationship context information, where the relationship context information includes the identifier of the access authorizer, the relationship validity period, and at least one available relationship type.
It should be noted that, in steps S1 to S6, channel encryption may be performed during information transmission, so as to improve the security of data transmission.
In step S7, after acquiring the relationship chain authorization information, the business logic server may send a data access request to the base server, where the data access request carries the identity ticket information of the access initiator and the relationship chain authorization information, and the relationship chain authorization information is passed through transparently at each layer in the subsequent Remote Procedure Calls (RPC). The base server is a server providing a specific service, for example a server used by the public account service or a server used by the applet service.
In step S8, the base server sends the data access request to the access control node, and the access control node verifies the identity ticket information and the relationship chain authorization information in the data access request, thereby determining whether to release the interface for data access. The access control node is located upstream of the database, and the access control device provided by the present application is deployed on the access control node; if the access control node successfully verifies the identity ticket information and the relationship chain authorization information, it sends an interface call request to the database.
In step S9, after the database receives the interface call request, the corresponding data interface, i.e., the target data interface, may be opened for the access initiator, so that the access initiator can access the relevant data of the access authorizer from the database through the data interface.
In the embodiment of the application, a method for acquiring relationship chain authorization information based on a security architecture is provided, and through the method, along with the authorization service of the social relationship chain, the relationship chain authorization and the relationship chain verification can be separated, the relationship chain authorization does not invade business logic, the problem that the social data storage is dispersed and the authorization cannot be unified under a distributed scene is solved, and the system expandability is improved. In addition, the verification of the relation chain can be independent of the safety awareness of a service developer, and the system safety is improved.
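The identity ticket issuance described earlier and the relationship chain authorization flow of steps S1 to S9, combined into one added Python example that is not code from the patent. It uses HMAC-SHA256 signed, base64-packaged credentials as a stand-in for the unspecified sign-and-encrypt step, integer epoch seconds for times, an assumed one-day relationship validity period, constructed keys, users and relationship data, an initiator binding in the relationship context that the text does not list, and a strict reading of step S6 in which every requested relationship type must verify.

```python
import base64, hashlib, hmac, json
from typing import Dict, List, Optional, Set, Tuple

TICKET_VALID_SECONDS = 5 * 60          # token valid time of 5 minutes, as in the text
RELATION_VALID_SECONDS = 24 * 60 * 60  # relationship validity period: assumed one day

# Constructed demo keys for the login server and the relationship chain
# authorization server (a deployment would load these from a secret store).
LOGIN_SERVER_KEY = b"login-server-demo-key"
RELATION_AUTH_KEY = b"relation-auth-demo-key"

# Relationship type identifiers used in the text.
RELATION_TYPE_IDS = {"100": "friend relationship", "111": "affinity payment relationship"}

# Constructed relationship chain data standing in for authentication servers A and B.
RELATION_CHAINS: Dict[Tuple[str, str], Set[str]] = {("user_a", "user_b"): {"friend relationship"}}

_SALT = b"demo-salt"  # constructed; a real store uses a random salt per user


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed user store: password hashes plus the permission identifier (1 = may log in).
USERS = {"user_a": {"pw": _pw_hash("user-a-password"), "permission": 1},
         "user_c": {"pw": _pw_hash("user-c-password"), "permission": 0}}


def _seal(payload: dict, key: bytes) -> str:
    """Package and sign (HMAC-SHA256); stands in for the unspecified sign-and-encrypt step."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return f"{body}.{hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}"


def _open(blob: str, key: bytes) -> Optional[dict]:
    """Return the payload only if the signature verifies (constant-time compare)."""
    body, _, sig = blob.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))


def issue_identity_ticket(user_id: str, password: str, login_address: str,
                          login_time: int) -> Optional[str]:
    """Login server: match the credentials, then package identity information, login
    information and the permission identifier. Times are epoch seconds (assumed)."""
    user = USERS.get(user_id)
    if user is None or not hmac.compare_digest(user["pw"], _pw_hash(password)):
        return None
    payload = {"identity": user_id, "login_address": login_address, "login_time": login_time,
               "permission": user["permission"], "expires": login_time + TICKET_VALID_SECONDS}
    return _seal(payload, LOGIN_SERVER_KEY)


def verify_identity_ticket(ticket: str, now: int) -> Optional[dict]:
    """Reject a bad signature, an expired 5-minute token, or a permission identifier of 0."""
    payload = _open(ticket, LOGIN_SERVER_KEY)
    if payload is None or payload["permission"] != 1 or now >= payload["expires"]:
        return None
    return payload


def authenticate_relation(initiator: str, authorizer: str, relation_type: str) -> bool:
    """Stand-in for relationship chain authentication servers A and B (steps S2 to S5)."""
    return relation_type in RELATION_CHAINS.get((initiator, authorizer), set())


def authorize_relation_chain(ticket: str, authorizer: str, relation_type_ids: List[str],
                             now: int) -> Optional[str]:
    """Relationship chain authorization server (steps S1 to S6): verify the ticket, check
    each relationship type, and issue authorization information only if all verify
    (assumed strict reading of step S6)."""
    payload = verify_identity_ticket(ticket, now)
    if payload is None:
        return None
    relation_types = [RELATION_TYPE_IDS.get(i) for i in relation_type_ids]
    if not relation_types or None in relation_types:
        return None
    if not all(authenticate_relation(payload["identity"], authorizer, r) for r in relation_types):
        return None
    context = {"initiator": payload["identity"],  # binding to the initiator: added here
               "authorizer": authorizer, "valid_from": now,
               "valid_until": now + RELATION_VALID_SECONDS,
               "relation_types": sorted(relation_types)}
    return _seal(context, RELATION_AUTH_KEY)


def access_control_check(ticket: str, auth_info: str, now: int) -> Optional[dict]:
    """Access control node (step S8): both credentials verify and the relationship
    validity period covers the access time; returns the relationship context."""
    payload = verify_identity_ticket(ticket, now)
    if payload is None:
        return None
    context = _open(auth_info, RELATION_AUTH_KEY)
    if context is None or context["initiator"] != payload["identity"]:
        return None
    if not context["valid_from"] <= now < context["valid_until"]:
        return None
    return context
```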
Optionally, on the basis of the foregoing embodiments corresponding to fig. 3, in another optional embodiment of the method for access control provided in this embodiment of the present application, the identity ticket information and the relationship chain authorization information are information stored on the blockchain.
In this embodiment, a method for storing identity ticket information and relationship chain authorization information on a blockchain is introduced. After the identity ticket information and the relationship chain authorization information are generated, they may also be stored on a blockchain to improve their security. A blockchain is a novel application mode of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms, and encryption algorithms. A blockchain is essentially a decentralized database: a series of data blocks linked by cryptographic methods, where each data block contains information about a batch of network transactions, so as to verify the validity (anti-counterfeiting) of the information and to generate the next block. The blockchain may include a blockchain underlying platform, a platform product services layer, and an application services layer.
Specifically, for convenience of understanding, please refer to fig. 12, where fig. 12 is a schematic diagram of a data sharing system based on the blockchain technique in the embodiment of the present application, and as shown in the figure, the data sharing system 200 refers to a system for performing data sharing between nodes, the data sharing system may include a plurality of nodes 201, and the plurality of nodes 201 may refer to respective clients in the data sharing system. Each node 201 may receive input information and maintain shared data within the data sharing system based on the received input information while operating normally. In order to ensure information intercommunication in the data sharing system, information connection can exist between each node in the data sharing system, and information transmission can be carried out between the nodes through the information connection. For example, when an arbitrary node in the data sharing system receives input information, other nodes in the data sharing system acquire the input information according to a consensus algorithm, and store the input information as data in shared data, so that the data stored on all the nodes in the data sharing system are consistent.
Each node in the data sharing system has a corresponding node identifier, and each node may store the node identifiers of the other nodes in the data sharing system, so that a generated block can later be broadcast to the other nodes according to their node identifiers. Each node may maintain a node identifier list as shown in the following table, in which node names and node identifiers are stored correspondingly. The node identifier may be an Internet IP address or any other information that can identify the node; table 5 only uses IP addresses as an example.
TABLE 5
Node name | Node identification
Node 1    | 117.114.151.174
Node 2    | 117.116.189.145
Node N    | 119.123.789.258
Each node in the data sharing system stores one identical blockchain. As shown in fig. 13, the blockchain is composed of a plurality of blocks. The starting block includes a block head and a block body; the block head stores the input information characteristic value, a version number, a timestamp, and a difficulty value, and the block body stores the input information, namely the identity ticket information and the relationship chain authorization information. The next block takes the starting block as its parent block and also includes a block head and a block body; its block head stores the input information characteristic value of the current block, the block head characteristic value of the parent block, the version number, the timestamp, the difficulty value, and so on. In this way the block data stored in each block of the blockchain is linked to the block data stored in its parent block, which ensures the security of the input information in the blocks.
When each block in the block chain is generated, referring to fig. 14, when a node where the block chain is located receives input information (i.e., identity ticket information and relationship chain authorization information), the input information is verified, after the verification is completed, the input information is stored in a memory pool, and a hash tree used for recording the input information is updated; and then, updating the updating time stamp to the time when the input information is received, trying different random numbers, and calculating the characteristic value for multiple times, so that the calculated characteristic value can meet the following formula:
SHA256(SHA256(version+prev_hash+merkle_root+ntime+nbits+x))<TARGET
where SHA256 is the characteristic value algorithm used to calculate the characteristic value; version is the version information of the relevant block protocol in the blockchain; prev_hash is the block head characteristic value of the parent block of the current block; merkle_root is the characteristic value of the input information; ntime is the update time of the update timestamp; nbits is the current difficulty, which is a fixed value within a period of time and is determined again after a fixed time period has elapsed; x is the random number; and TARGET is the feature threshold, which can be determined from nbits.
Therefore, when a random number satisfying the formula is found by calculation, the information can be stored accordingly, and the block head and block body are generated to obtain the current block. The node where the blockchain is located then sends the newly generated block to the other nodes in its data sharing system according to their node identifiers; the other nodes verify the newly generated block and, after verification is completed, add it to the blockchain they store.
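An added Python example, not from the patent, of the block generation and verification just described, with constructed identity ticket and relationship chain authorization records as the input information. The encoding of nbits as a count of required leading zero bits, the field separator used when concatenating the header, and the low difficulty chosen so the search finishes quickly are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


def sha256d(data: bytes) -> bytes:
    """SHA256(SHA256(data)), the characteristic value algorithm of the formula."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(records: List[str]) -> str:
    """Characteristic value of the input information: a hash tree over the records
    stored in the block body, with odd levels padded by duplicating the last node."""
    level = [sha256d(r.encode()) for r in records] or [sha256d(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0].hex()


def target_from_nbits(nbits: int) -> int:
    """Feature threshold TARGET derived from the difficulty nbits. The text does not
    fix the encoding; here nbits is assumed to be the required number of leading
    zero bits, so a larger nbits means a smaller TARGET and more work."""
    return 1 << (256 - nbits)


def header_hash(version: int, prev_hash: str, root: str, ntime: int, nbits: int, x: int) -> int:
    """Left-hand side of the formula, with '+' read as field concatenation
    (a '|' separator is added so that fields cannot run into each other)."""
    header = f"{version}|{prev_hash}|{root}|{ntime}|{nbits}|{x}".encode()
    return int.from_bytes(sha256d(header), "big")


@dataclass
class Block:
    version: int
    prev_hash: str      # block head characteristic value of the parent block
    merkle_root: str    # characteristic value of the input information
    ntime: int          # update timestamp
    nbits: int          # current difficulty
    nonce: int          # the random number x that satisfied the formula
    body: List[str]     # input information: identity ticket and relationship chain authorization

    def head_value(self) -> int:
        return header_hash(self.version, self.prev_hash, self.merkle_root,
                           self.ntime, self.nbits, self.nonce)


def mine_block(body: List[str], prev_hash: str, ntime: int, nbits: int,
               version: int = 1, max_tries: int = 1 << 24) -> Optional[Block]:
    """Try successive values of x until SHA256(SHA256(header)) < TARGET."""
    root = merkle_root(body)
    target = target_from_nbits(nbits)
    for x in range(max_tries):
        if header_hash(version, prev_hash, root, ntime, nbits, x) < target:
            return Block(version, prev_hash, root, ntime, nbits, x, body)
    return None


def verify_chain(chain: List[Block]) -> bool:
    """What a receiving node checks before appending: parent linkage, the body's
    characteristic value, and that the head value still meets the difficulty."""
    prev = "0" * 64  # the starting block has no parent
    for block in chain:
        if block.prev_hash != prev or merkle_root(block.body) != block.merkle_root:
            return False
        if block.head_value() >= target_from_nbits(block.nbits):
            return False
        prev = f"{block.head_value():064x}"
    return True


def build_demo_chain(nbits: int = 12) -> List[Block]:
    """Two blocks holding constructed identity ticket and relationship chain
    authorization records; nbits=12 keeps the search fast enough to run here."""
    genesis = mine_block(["identity ticket: user_a@login-server (constructed)",
                          "relationship chain authorization: user_a->user_b friend (constructed)"],
                         "0" * 64, ntime=1585668430, nbits=nbits)
    second = mine_block(["identity ticket: user_c@login-server (constructed)"],
                        f"{genesis.head_value():064x}", ntime=1585668490, nbits=nbits)
    return [genesis, second]
```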
Further, in the embodiment of the present application, a method for storing identity ticket information and relationship chain authorization information on a block chain is provided, and in the above manner, since a block includes information for verifying the validity of a next block, the possibility that the identity ticket information and the relationship chain authorization information are maliciously stolen can be effectively reduced, and in addition, a new block cannot be removed once being added to the block chain, thereby reducing the situation that data such as the identity ticket information and the relationship chain authorization information are lost.
Referring to fig. 15, fig. 15 is a schematic view of an embodiment of an access control device in an embodiment of the present application, and the access control device 30 includes:
an obtaining module 301, configured to obtain a target data type and a target relationship type, where the target data type represents a data type requested by an access initiator, and the target relationship type represents a relationship type between the access initiator and an access authorizer;
a determining module 302, configured to determine a target relationship cluster from the relationship-cluster-based access control model according to the target relationship type, where the relationship-cluster-based access control model includes the correspondences among relationship types, relationship clusters, role authorities, and data types;
a determining module 302, configured to determine, according to an access control model based on a relationship cluster, N target role authorities corresponding to a target relationship cluster, where N is an integer greater than or equal to 1;
and the control module 303 is configured to, if the data types corresponding to the N target role permissions are successfully matched with the target data type, open a target data interface corresponding to the target data type to the access initiator, where the target data interface is an interface through which the access initiator accesses data corresponding to the access authorizer.
In the embodiment of the application, an access control device is provided, and by adopting the device, the relationship type, the relationship clustering, the role authority and the corresponding relationship among the data types are established by using the access control model based on the relationship clustering, and classification on two layers of the relationship clustering and the role authority is introduced between the relationship type and the data types, so that the authority of data access is convenient to configure and maintain, corresponding data interfaces can be efficiently inquired, and the efficiency of data access is improved.
Alternatively, on the basis of the embodiment corresponding to fig. 15, in another embodiment of the access control device 30 provided in the embodiment of the present application,
the acquiring module 301 is specifically configured to receive a data access request sent by a client, where the data access request carries identity ticket information and relationship chain authorization information;
determining a target data type according to the data access request;
if the identity bill information is successfully verified, determining a target relation type according to the relation chain authorization information;
and if the authentication of the identity bill information fails, sending a first authentication message to the client so that the client displays the first authentication message.
In the embodiment of the application, by adopting the device, before the target data type and the target relation type are obtained, the identity bill information of the access initiator needs to be verified, and if the verification fails, an interface is not opened for the access initiator, so that the security of data access is improved.
Alternatively, on the basis of the embodiment corresponding to fig. 15, in another embodiment of the access control device 30 provided in the embodiment of the present application,
the obtaining module 301 is specifically configured to decrypt the relationship chain authorization information to obtain relationship context information, where the relationship context information includes an identifier of an access authorization party and a relationship type set, and the relationship type set includes at least one available relationship type;
and acquiring the target relationship type from the at least one available relationship type according to the identifier of the access authorizer.
In the embodiment of the application, the device is adopted to realize the verification and credentialing of the social relation chain, and the data of the other party can be accessed only through the authentication of the relation chain authorization information, so that the security of data access is improved. And the relation chain authorization information is encrypted, so that the relation chain authorization information has better guarantee in the transmission process, and the reliability of data transmission is improved.
Optionally, on the basis of the embodiment corresponding to fig. 15, in another embodiment of the access control apparatus 30 provided in the embodiment of the present application, the relationship context information further includes a relationship validity period;
the access control device 30 further comprises a sending module 304;
an obtaining module 301, configured to perform decryption processing on the relationship chain authorization information to obtain relationship context information, and if the relationship validity period meets the access time limit condition, perform the step of obtaining the target relationship type from the at least one available relationship type according to the identifier of the access authorizer;
a sending module 304, configured to send a second verification message to the client if the relation validity period does not meet the access time limit condition, so that the client displays the second verification message.
In the embodiment of the application, by adopting the device, the validity of the relation chain authorization information of the access initiator needs to be checked, and for the access initiator, the data in the whole life cycle can be accessed only by successfully authenticating the relation chain authorization information, so that the cost and expense of relation chain verification are saved, and the usability of the scheme is improved. In addition, if the relation chain authorization information is expired, the access initiator is not provided with the authority of interface calling, so that the timeliness of data verification is facilitated.
Alternatively, on the basis of the embodiment corresponding to fig. 15, in another embodiment of the access control device 30 provided in the embodiment of the present application,
a determining module 302, configured to determine a first correspondence according to an access control model based on relationship clusters, where the first correspondence represents a correspondence between a relationship type and relationship clusters, and each relationship cluster corresponds to at least one relationship type;
and querying the target relation clusters corresponding to the target relation types according to the first corresponding relation.
In this embodiment, using the first correspondence contained in the RCBAC model, the device determines the target relationship cluster for the target relationship type directly, without traversing all relationship types and relationship clusters, which improves the efficiency of data access control.
Alternatively, on the basis of the embodiment corresponding to fig. 15, in another embodiment of the access control device 30 provided in the embodiment of the present application,
a determining module 302, configured to determine a second correspondence according to an access control model based on a relationship cluster, where the second correspondence represents a correspondence between a relationship cluster and role permissions, and each relationship cluster corresponds to at least one role permission;
and inquiring N target role authorities corresponding to the target relation clusters according to the second corresponding relation.
In this embodiment, using the second correspondence contained in the RCBAC model, the device determines the N target role permissions for the target relationship cluster directly, without traversing all role permissions, which improves the efficiency of data access control.
Optionally, on the basis of the embodiment corresponding to fig. 15, in another embodiment of the access control apparatus 30 provided in the embodiment of the present application, the access control apparatus 30 further includes an inquiry module 305;
the determining module 302 is further configured to determine, according to the access control model based on the relationship cluster, a third correspondence according to the access control model based on the relationship cluster after determining N target role permissions corresponding to the target relationship cluster, where the third correspondence represents a correspondence between role permissions and data types, each role permission corresponds to at least one data type, and each data type corresponds to one data interface;
a query module 305, configured to query, according to a third correspondence, a data type of each target role permission in the N target role permissions to obtain M data types, where M is an integer greater than or equal to 1;
the determining module 302 is further configured to determine that the data types corresponding to the N target role authorities are successfully matched with the target data types if the M data types include the target data type;
the sending module 304 is further configured to send a third verification message to the client if the M data types do not include the target data type, so that the client displays the third verification message.
In this embodiment, using the third correspondence contained in the RCBAC model, the device determines the data types of each target role permission directly, without traversing all data types, which improves the efficiency of data access control. In addition, if none of the data types of the target role permissions matches the target data type, a verification-failure message is pushed to the client, so that the access initiator learns the access result promptly, which improves the feasibility and flexibility of data access.
Alternatively, on the basis of the embodiment corresponding to fig. 15, in another embodiment of the access control device 30 provided in the embodiment of the present application,
a control module 303, specifically configured to determine a target data interface according to a target data type;
and opening the authority of the target data interface to the client so that the client provides the data corresponding to the access authorization party to the access initiator according to the authority of the target data interface.
In this embodiment, the device opens to the access initiator only the target data interface corresponding to the target data type; the interfaces of other data types are not opened, so data interfaces cannot be called arbitrarily, which improves the security of data access.
Alternatively, on the basis of the embodiment corresponding to fig. 15, in another embodiment of the access control device 30 provided in the embodiment of the present application,
the identity ticket information is generated according to a login request sent by the client, wherein the login request carries at least one of identity information, login information and permission information of the access initiator.
In this embodiment, the access initiator's information is verified first and the identity ticket information is issued only after the verification passes; otherwise no identity ticket is issued to the access initiator, which reduces illegal access and improves the security of data access.
Alternatively, on the basis of the embodiment corresponding to fig. 15, in another embodiment of the access control device 30 provided in the embodiment of the present application,
the relationship chain authorization information is generated according to the relationship context information, wherein the relationship context information comprises an identifier of an access authorization party, a relationship validity period and a relationship type set, and the relationship type set comprises at least one available relationship type.
In this embodiment, with a social relationship chain authorization service, relationship chain authorization is separated from relationship chain verification. Authorization does not intrude into business logic, which resolves the difficulty that social data is stored in a dispersed manner and cannot be authorized uniformly in a distributed scenario, and improves the scalability of the system. In addition, verification of the relationship chain no longer depends on the security awareness of individual service developers, which improves system security.
Optionally, on the basis of the embodiment corresponding to fig. 15, in another embodiment of the access control apparatus 30 provided in this embodiment of the present application, the identity ticket information and the relationship chain authorization information are information stored on the blockchain.
In this embodiment, because each block carries the information used to verify the validity of the block chained to it, the possibility that the identity ticket information and the relationship chain authorization information are maliciously stolen is effectively reduced; in addition, a block cannot be removed once it has been appended to the blockchain, which reduces the risk that data such as the identity ticket information and relationship chain authorization information is lost.
The access control device provided by the application is deployed on an access control node, wherein the access control node can be a server. Fig. 16 is a schematic diagram of a server structure provided by an embodiment of the present application, where the server 400 may have a relatively large difference due to different configurations or performances, and may include one or more Central Processing Units (CPUs) 422 (e.g., one or more processors) and a memory 432, and one or more storage media 430 (e.g., one or more mass storage devices) for storing applications 442 or data 444. Wherein the memory 432 and storage medium 430 may be transient or persistent storage. The program stored on the storage medium 430 may include one or more modules (not shown), each of which may include a series of instruction operations for the server. Still further, the central processor 422 may be arranged to communicate with the storage medium 430, and execute a series of instruction operations in the storage medium 430 on the server 400.
The server 400 may also include one or more power supplies 426, one or more wired or wireless network interfaces 450, one or more input-output interfaces 458, and/or one or more operating systems 441, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, and so on.
The CPU 422 provided by the present application is configured to perform the following steps:
acquiring a target data type and a target relationship type, wherein the target data type represents a data type requested by an access initiator, and the target relationship type represents a relationship type between the access initiator and an access authorizer;
determining a target relation cluster from a relation cluster-based access control model according to a target relation type, wherein the relation cluster-based access control model comprises a corresponding relation among the relation type, the relation cluster, role authority and a data type;
determining N target role authorities corresponding to the target relation clusters according to an access control model based on the relation clusters, wherein N is an integer greater than or equal to 1;
and if the data types corresponding to the N target role authorities are successfully matched with the target data types, opening a target data interface corresponding to the target data types for the access initiator, wherein the target data interface is an interface for the access initiator to access the data corresponding to the access authorizer.
Optionally, the CPU 422 provided in this application is specifically configured to execute the following steps:
receiving a data access request sent by a client, wherein the data access request carries identity ticket information and relationship chain authorization information;
determining a target data type according to the data access request;
if the identity ticket information is successfully verified, determining a target relationship type according to the relationship chain authorization information;
and if verification of the identity ticket information fails, sending a first verification message to the client so that the client displays the first verification message.
Optionally, the CPU 422 provided in this application is specifically configured to execute the following steps:
decrypting the relationship chain authorization information to obtain relationship context information, wherein the relationship context information comprises an identifier of the access authorizer and a relationship type set, and the relationship type set comprises at least one available relationship type;
and acquiring the target relationship type from the at least one available relationship type according to the identifier of the access authorizer.
Optionally, the CPU 422 provided in the present application is further configured to perform the following steps:
if the relationship validity period satisfies the access time limit condition, executing the step of obtaining the target relationship type from the at least one available relationship type according to the identifier of the access authorizer;
and if the relationship validity period does not satisfy the access time limit condition, sending a second verification message to the client so that the client displays the second verification message.
Optionally, the CPU 422 provided in this application is specifically configured to execute the following steps:
determining a first corresponding relation according to an access control model based on the relation clusters, wherein the first corresponding relation represents the corresponding relation between the relation types and the relation clusters, and each relation cluster corresponds to at least one relation type;
and querying the target relation clusters corresponding to the target relation types according to the first corresponding relation.
Optionally, the CPU 422 provided in this application is specifically configured to execute the following steps:
determining a second corresponding relation according to an access control model based on the relation clusters, wherein the second corresponding relation represents the corresponding relation between the relation clusters and the role authority, and each relation cluster corresponds to at least one role authority;
and inquiring N target role authorities corresponding to the target relation clusters according to the second corresponding relation.
Optionally, the CPU 422 provided in the present application is further configured to perform the following steps:
determining a third corresponding relation according to the access control model based on the relation cluster, wherein the third corresponding relation represents the corresponding relation between role authorities and data types, each role authority corresponds to at least one data type, and each data type corresponds to one data interface;
inquiring the data type of each target role authority in the N target role authorities according to the third corresponding relation to obtain M data types, wherein M is an integer greater than or equal to 1;
if the M data types comprise target data types, determining that the data types corresponding to the N target role authorities are successfully matched with the target data types;
and if the M data types do not comprise the target data type, sending a third verification message to the client so that the client displays the third verification message.
Optionally, the CPU 422 provided in this application is specifically configured to execute the following steps:
determining a target data interface according to the type of the target data;
and opening the authority of the target data interface to the client so that the client provides the data corresponding to the access authorization party to the access initiator according to the authority of the target data interface.
The steps performed by the server in the above embodiment may be based on the server structure shown in fig. 16.
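The following is an added example, not code from the patent or from the applicant, showing the whole decision path the steps above describe: verifying the identity ticket, decrypting the relationship chain authorization information into relationship context, checking the relationship validity period, and walking the three correspondences of the RCBAC model (relationship type to cluster, cluster to role permissions, role permission to data types) before opening only the target data interface. Everything concrete is constructed for illustration: the keys, the identifiers, the sample model tables, the token layouts, and the ticket and token formats (the patent says only that the authorization information is encrypted; the stdlib encrypt-then-MAC construction here stands in for an AEAD such as AES-GCM). Two points go beyond the text and are marked as such in comments: the token is bound to the initiator and authorizer so a leaked token cannot be replayed, and every available relationship type toward the authorizer is evaluated rather than a single selected one.

```python
import hashlib
import hmac
import json
import os

# First correspondence: relationship type -> relationship cluster (constructed data)
RELATION_TO_CLUSTER = {"friend": "close", "family": "close",
                       "colleague": "work", "follower": "public"}
# Second correspondence: relationship cluster -> N >= 1 role permissions
CLUSTER_TO_ROLES = {"close": ["view_profile", "view_moments", "view_location"],
                    "work": ["view_profile", "view_moments"],
                    "public": ["view_profile"]}
# Third correspondence: role permission -> >= 1 data types; data type -> one interface
ROLE_TO_DATA_TYPES = {"view_profile": ["nickname", "avatar"],
                      "view_moments": ["moments"], "view_location": ["location"]}
DATA_TYPE_TO_INTERFACE = {"nickname": "/profile/nickname", "avatar": "/profile/avatar",
                          "moments": "/moments", "location": "/location"}

TICKET_KEY = b"constructed-ticket-key"      # assumption: key of the login service
RELATION_KEY = b"constructed-relation-key"  # assumption: key of the authorization service


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def issue_identity_ticket(initiator_id: str, expires_at: int) -> str:
    """Identity ticket: 'initiator|expiry' plus an HMAC tag (constructed format)."""
    body = f"{initiator_id}|{expires_at}"
    return body + "." + _mac(TICKET_KEY, body.encode()).hex()


def verify_identity_ticket(ticket: str, now: int):
    """Return the initiator id, or None if the tag or the expiry check fails."""
    body, _, tag = ticket.rpartition(".")
    if not body or not hmac.compare_digest(_mac(TICKET_KEY, body.encode()).hex(), tag):
        return None
    initiator_id, _, expires_at = body.partition("|")
    return initiator_id if now <= int(expires_at) else None


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [_mac(key, nonce + i.to_bytes(4, "big")) for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]


def seal_relation_context(ctx: dict, key: bytes = RELATION_KEY) -> str:
    """Relationship chain authorization information = encrypted relationship context.
    Encrypt-then-MAC with HMAC-SHA256 as the PRF: a stdlib-only stand-in for AES-GCM."""
    enc_key, mac_key = _mac(key, b"enc"), _mac(key, b"mac")
    plaintext = json.dumps(ctx, sort_keys=True).encode()
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    return (nonce + ciphertext + _mac(mac_key, nonce + ciphertext)).hex()


def open_relation_context(token: str, key: bytes = RELATION_KEY):
    """Check the tag, then decrypt; None on any failure (tampering or garbage)."""
    enc_key, mac_key = _mac(key, b"enc"), _mac(key, b"mac")
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return None
    if len(raw) < 48:
        return None
    nonce, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(_mac(mac_key, nonce + ciphertext), tag):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


def evaluate_access(request: dict, now: int) -> tuple:
    """Decide one data access request: ("open", interface) on success, otherwise
    ("verify", n, reason) with n the patent's first/second/third verification
    message; failures the patent leaves unspecified use n = 0 (assumption)."""
    initiator_id = verify_identity_ticket(request["identity_ticket"], now)
    if initiator_id is None:
        return ("verify", 1, "identity ticket verification failed")
    ctx = open_relation_context(request["relation_chain_authorization"])
    if ctx is None:
        return ("verify", 0, "relationship chain authorization unreadable")
    # Added binding check (not in the text): a leaked token must not be replayable
    # by another initiator or against another authorizer.
    if ctx["initiator_id"] != initiator_id or ctx["authorizer_id"] != request["authorizer_id"]:
        return ("verify", 0, "authorization not bound to this initiator and authorizer")
    if now > ctx["relation_validity_period"]:
        return ("verify", 2, "relationship validity period exceeded")
    # Generalization: every available relationship type toward this authorizer is
    # evaluated, not a single selected target relationship type.
    clusters = {RELATION_TO_CLUSTER[r] for r in ctx["relation_types"] if r in RELATION_TO_CLUSTER}
    if not clusters:
        return ("verify", 0, "no usable relationship type")
    roles = {role for c in clusters for role in CLUSTER_TO_ROLES[c]}        # N target roles
    data_types = {d for role in roles for d in ROLE_TO_DATA_TYPES[role]}  # M data types
    if request["data_type"] not in data_types:
        return ("verify", 3, "data type not covered by the granted roles")
    # Only the interface of the target data type is opened, never the other M - 1.
    return ("open", DATA_TYPE_TO_INTERFACE[request["data_type"]])
```

The order of the checks matters: the ticket is verified before the authorization token is even decrypted, so an unauthenticated caller learns nothing about the token's contents, and the validity period is checked before any model lookup, as the text requires. The three rejection paths map onto the three verification messages; the model tables are small dictionaries here, but the lookups are the same direct correspondences the text describes, with no traversal of the whole model.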
The access control device provided by the application is deployed on an access control node, wherein the access control node can be a terminal device. As shown in fig. 17, for convenience of explanation, only the portions related to the embodiments of the present application are shown, and details of the specific techniques are not disclosed, please refer to the method portion of the embodiments of the present application. The terminal device may be any terminal device including a mobile phone, a tablet computer, a Personal Digital Assistant (PDA), a Point of Sales (POS), a vehicle-mounted computer, and the like, taking the terminal device as a computer device as an example:
fig. 17 is a block diagram illustrating a partial structure of a computer device related to a terminal device provided in an embodiment of the present application. Referring to fig. 17, the computer apparatus includes: radio Frequency (RF) circuit 510, memory 520, input unit 530, display unit 540, sensor 550, audio circuit 560, wireless fidelity (WiFi) module 570, processor 580, and power supply 590. Those skilled in the art will appreciate that the computer device configuration illustrated in FIG. 17 does not constitute a limitation of computer devices, and may include more or fewer components than those illustrated, or some components may be combined, or a different arrangement of components.
The following describes each component of the computer device in detail with reference to fig. 17:
the RF circuit 510 may be used for receiving and transmitting signals during a message transmission or call, and in particular, for receiving downlink information of a base station and processing the received downlink information, and for transmitting data designed for uplink to the base station, the RF circuit 510 may include, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (L w noise amplifier, &lttttransmission = L "&ttt/t &gttna), a duplexer, etc. furthermore, the RF circuit 510 may communicate with a network and other devices through wireless communication, which may use any communication standard or protocol, including, but not limited to, a global system for Mobile communication (GSM), a General Packet radio Service (General Packet radio Service, GPRS), a Code Division Multiple Access (Code Division Multiple Access, Wideband CDMA), a Code Division Multiple Access (CDMA), a Short Service Access (SMS Service, L), a long Term Evolution (SMS) message, L, a Service, a Short Service (Service), a WCDMA, a Mobile communication system, a Mobile communication, a wireless.
The memory 520 may be used to store software programs and modules, and the processor 580 executes various functional applications and data processing of the computer device by running the software programs and modules stored in the memory 520. The memory 520 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the data storage area may store data (such as audio data, a phonebook, etc.) created according to the use of the computer device, and the like. Further, the memory 520 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device.
The input unit 530 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the computer apparatus. Specifically, the input unit 530 may include a touch panel 531 and other input devices 532. The touch panel 531, also called a touch screen, can collect touch operations of a user on or near the touch panel 531 (for example, operations of the user on or near the touch panel 531 by using any suitable object or accessory such as a finger or a stylus pen), and drive the corresponding connection device according to a preset program. Alternatively, the touch panel 531 may include two parts, a touch detection device and a touch controller. The touch detection device detects the touch direction of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch sensing device, converts the touch information into touch point coordinates, and sends the touch point coordinates to the processor 580, and can receive and execute commands sent by the processor 580. In addition, the touch panel 531 may be implemented by various types such as a resistive type, a capacitive type, an infrared ray, and a surface acoustic wave. The input unit 530 may include other input devices 532 in addition to the touch panel 531. In particular, other input devices 532 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like.
The display unit 540 may include a display panel 541, and optionally the display panel 541 may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED) display, or the like. Further, the touch panel 531 may cover the display panel 541; when a touch operation is detected on or near the touch panel 531, it is transmitted to the processor 580 to determine the type of the touch event, and the processor 580 then provides a corresponding visual output on the display panel 541 according to the type of the touch event.
The computer device may also include at least one sensor 550, such as light sensors, motion sensors, and other sensors. Specifically, the light sensor may include an ambient light sensor that adjusts the brightness of the display panel 541 according to the brightness of ambient light, and a proximity sensor that turns off the display panel 541 and/or the backlight when the computer device is moved to the ear. As one type of motion sensor, an accelerometer sensor can detect the magnitude of acceleration in each direction (generally three axes), detect the magnitude and direction of gravity when stationary, and can be used for applications (such as horizontal and vertical screen switching, related games, magnetometer attitude calibration) for recognizing the attitude of a computer device, and related functions (such as pedometer and tapping) for vibration recognition; as for other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which can be configured on the computer device, detailed descriptions thereof are omitted.
Audio circuitry 560, speaker 561 and microphone 562 may provide an audio interface between the user and the computer device. The audio circuit 560 may convert received audio data into an electrical signal and transmit it to the speaker 561, which converts it into a sound signal for output; conversely, the microphone 562 converts collected sound signals into electrical signals, which the audio circuit 560 receives and converts into audio data; the audio data is then output to the processor 580 for processing and, for example, sent through the RF circuit 510 to another computer device or stored in the memory 520 for further processing.
WiFi belongs to short-range wireless transmission technology, and the computer device can help the user send and receive e-mails, browse web pages, access streaming media and the like through the WiFi module 570, and provides wireless broadband internet access for the user. Although fig. 17 shows the WiFi module 570, it is understood that it does not belong to the essential constitution of the computer device, and may be omitted entirely as needed within the scope not changing the essence of the invention.
The processor 580 is a control center of the computer device, connects various parts of the entire computer device using various interfaces and lines, performs various functions of the computer device and processes data by operating or executing software programs and/or modules stored in the memory 520 and calling data stored in the memory 520, thereby monitoring the computer device as a whole. Alternatively, processor 580 may include one or more processing units; optionally, processor 580 may integrate an application processor, which handles primarily the operating system, user interface, applications, etc., and a modem processor, which handles primarily the wireless communications. It will be appreciated that the modem processor described above may not be integrated into processor 580.
The computer device also includes a power supply 590 (e.g., a battery) for powering the various components, which may optionally be logically coupled to the processor 580 via a power management system to manage charging, discharging, and power consumption management functions via the power management system.
Although not shown, the computer device may further include a camera, a bluetooth module, etc., which will not be described herein.
In the embodiment of the present application, the processor 580 included in the terminal device further has the following functions:
acquiring a target data type and a target relationship type, wherein the target data type represents a data type requested by an access initiator, and the target relationship type represents a relationship type between the access initiator and an access authorizer;
determining a target relation cluster from a relation cluster-based access control model according to a target relation type, wherein the relation cluster-based access control model comprises a corresponding relation among the relation type, the relation cluster, role authority and a data type;
determining N target role authorities corresponding to the target relation clusters according to an access control model based on the relation clusters, wherein N is an integer greater than or equal to 1;
and if the data types corresponding to the N target role authorities are successfully matched with the target data types, opening a target data interface corresponding to the target data types for the access initiator, wherein the target data interface is an interface for the access initiator to access the data corresponding to the access authorizer.
An embodiment of the present application further provides a computer-readable storage medium, in which a computer program is stored, and when the computer program runs on a computer, the computer is caused to execute the steps executed by the access control device in the method described in the foregoing embodiment.
Embodiments of the present application also provide a computer program product comprising a program which, when run on a computer, causes the computer to perform the steps performed by the access control device in the method as described in the previous embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing an access control node (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (15)

1. A method of access control, comprising:
acquiring a target data type and a target relationship type, wherein the target data type represents a data type requested by an access initiator, and the target relationship type represents a relationship type between the access initiator and an access authorizer;
determining a target relation cluster from a relation cluster-based access control model according to the target relation type, wherein the relation cluster-based access control model comprises a corresponding relation among the relation type, the relation cluster, role authority and a data type;
determining N target role authorities corresponding to the target relation clusters according to the access control model based on the relation clusters, wherein N is an integer greater than or equal to 1;
and if the data types corresponding to the N target role authorities are successfully matched with the target data types, opening a target data interface corresponding to the target data types for the access initiator, wherein the target data interface is an interface for the access initiator to access the data corresponding to the access authorizer.
2. The method of claim 1, wherein obtaining the target data type and the target relationship type comprises:
receiving a data access request sent by a client, wherein the data access request carries identity ticket information and relationship chain authorization information;
determining the target data type according to the data access request;
if the identity ticket information is successfully verified, determining the target relationship type according to the relationship chain authorization information;
and if the authentication of the identity ticket information fails, sending a first authentication message to the client so that the client displays the first authentication message.
3. The method of claim 2, wherein the determining the target relationship type according to the relationship-chain authorization information comprises:
decrypting the relationship chain authorization information to obtain relationship context information, wherein the relationship context information comprises an identifier of the access authorization party and a relationship type set, and the relationship type set comprises at least one available relationship type;
and acquiring the target relation type from the at least one available relation type according to the identifier of the access authorization party.
4. The method of claim 3, wherein the relationship context information further comprises a relationship validity period;
after the decrypting is performed on the relationship chain authorization information to obtain the relationship context information, the method further includes:
if the relation validity period meets the access time limit condition, executing the step of acquiring the target relation type from the at least one available relation type according to the identifier of the access authorized party;
and if the relation validity period does not meet the access time limit condition, sending a second verification message to the client so that the client displays the second verification message.
5. The method of claim 1, wherein determining a target relationship cluster from a relationship cluster based access control model according to the target relationship type comprises:
determining a first corresponding relation according to the access control model based on the relation clusters, wherein the first corresponding relation represents the corresponding relation between a relation type and relation clusters, and each relation cluster corresponds to at least one relation type;
and querying the target relationship cluster corresponding to the target relationship type according to the first corresponding relationship.
6. The method according to claim 1, wherein the determining N target role permissions corresponding to the target relationship clusters according to the relationship cluster-based access control model comprises:
determining a second corresponding relation according to the access control model based on the relation clusters, wherein the second corresponding relation represents the corresponding relation between the relation clusters and role authorities, and each relation cluster corresponds to at least one role authority;
and inquiring the N target role authorities corresponding to the target relation clusters according to the second corresponding relation.
7. The method according to claim 6, wherein after determining N target role permissions corresponding to the target relationship clusters according to the relationship cluster-based access control model, the method further comprises:
determining a third corresponding relation according to the access control model based on the relation cluster, wherein the third corresponding relation represents the corresponding relation between role authorities and data types, each role authority corresponds to at least one data type, and each data type corresponds to one data interface;
inquiring the data type of each target role authority in the N target role authorities according to the third corresponding relation to obtain M data types, wherein M is an integer greater than or equal to 1;
if the M data types comprise the target data type, determining that the data types corresponding to the N target role authorities are successfully matched with the target data type;
and if the M data types do not comprise the target data type, sending a third verification message to the client so that the client displays the third verification message.
8. The method according to claim 1, wherein the opening of the target data interface corresponding to the target data type to the access initiator includes:
determining the target data interface according to the target data type;
and opening the authority of the target data interface to a client so that the client provides the data corresponding to the access authorization party to the access initiator according to the authority of the target data interface.
9. The method according to claim 2, wherein the identity ticket information is generated according to a login request sent by the client, wherein the login request carries at least one of identity information, login information, and permission information of the access initiator.
10. The method of claim 9, wherein the relationship-based authorization information is generated according to relationship context information, wherein the relationship context information comprises an identifier of the access authorizer, a relationship validity period, and a set of relationship types, and wherein the set of relationship types comprises at least one available relationship type.
11. The method of claim 2 or 9, wherein the identity ticket information and the relationship chain authorization information are information stored on a blockchain.
12. An access control apparatus, comprising:
the system comprises an acquisition module, a storage module and a processing module, wherein the acquisition module is used for acquiring a target data type and a target relation type, the target data type represents a data type requested by an access initiator, and the target relation type represents a relation type between the access initiator and an access authorizer;
the determining module is used for determining a target relation cluster from a relation cluster-based access control model according to the target relation type, wherein the relation cluster-based access control model comprises a relation type, a relation cluster, role authority and a corresponding relation among data types;
the determining module is further configured to determine, according to the access control model based on the relationship cluster, N target role authorities corresponding to the target relationship cluster, where N is an integer greater than or equal to 1;
and the control module is used for opening a target data interface corresponding to the target data type for the access initiator if the data types corresponding to the N target role authorities are successfully matched with the target data type, wherein the target data interface is an interface for the access initiator to access the data corresponding to the access authorizer.
13. An access control node, comprising: a memory, a transceiver, a processor, and a bus system;
wherein the memory is used for storing programs;
the processor is configured to execute a program in the memory, including the method of any of claims 1 to 11;
the bus system is used for connecting the memory and the processor so as to enable the memory and the processor to communicate.
14. An access control system, characterized in that it comprises at least one access control node according to claim 13.
15. A computer-readable storage medium comprising instructions that, when executed on a computer, cause the computer to perform the method of any of claims 1 to 11.
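As an added illustration of the method of claims 1 to 8, the following Python program (written for this page; it is not code from the patent or from Tencent) models the three correspondences of the relationship-cluster-based access control model and walks a data access request through the verification steps in claim order, producing the first, second or third verification message or opening the data interface. The relation types, clusters, role permissions, data types, interface paths, user identifiers and the HMAC key are all constructed. The patent only says that the identity ticket is "verified" and that the relationship chain authorization information is "decrypted", so both are modelled here as HMAC-authenticated tokens rather than an encryption scheme; taking the first available relation type known to the model as the target relation type, and rejecting an authorization issued for a different authorizer, are likewise assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed relationship-cluster-based access control model (claims 5 to 8).
RELATION_TO_CLUSTER = {"friend": "close", "family": "close",  # first correspondence
                       "colleague": "work", "follower": "public"}
CLUSTER_TO_ROLES = {"close": ("profile_viewer", "album_viewer"),  # second correspondence
                    "work": ("profile_viewer", "contact_viewer"),
                    "public": ("profile_viewer",)}
ROLE_TO_DATA_TYPES = {"profile_viewer": ("profile",), "album_viewer": ("album",),  # third
                      "contact_viewer": ("phone", "email")}
DATA_TYPE_TO_INTERFACE = {"profile": "/api/v1/profile", "album": "/api/v1/album",  # one per type
                          "phone": "/api/v1/phone", "email": "/api/v1/email"}
# Constructed key; ticket verification and authorization "decryption" are modelled as HMAC tokens.
_SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _encode_token(payload: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(_SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _decode_token(token: str) -> Optional[dict]:
    """Return the payload only if its MAC verifies; None for malformed or tampered tokens."""
    body, sep, mac = token.partition(".")
    expected = hmac.new(_SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(mac, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except ValueError:
        return None


def issue_identity_ticket(initiator_id: str) -> str:
    """Identity ticket information issued after login (claim 9)."""
    return _encode_token({"kind": "identity", "initiator": initiator_id})


def issue_relationship_authorization(authorizer_id: str, relation_types: list, valid_until: int) -> str:
    """Relationship chain authorization information built from relationship context (claim 10)."""
    return _encode_token({"kind": "relationship", "authorizer": authorizer_id,
                          "relation_types": relation_types, "valid_until": valid_until})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    message: str              # "ok" or the first/second/third verification message
    interface: Optional[str]  # the opened target data interface when allowed
    roles: tuple              # the N target role permissions that were consulted


def check_access(request: dict, now: int) -> Decision:
    """Evaluate one data access request in the step order of claims 1 to 8."""
    # Claim 2: verify the identity ticket; failure -> first verification message.
    ticket = _decode_token(request["identity_ticket"])
    if ticket is None or ticket.get("kind") != "identity":
        return Decision(False, "first verification message: identity ticket invalid", None, ())
    # Claim 3: recover relationship context information from the authorization information.
    ctx = _decode_token(request["relationship_authorization"])
    if ctx is None or ctx.get("kind") != "relationship" or ctx["authorizer"] != request["authorizer_id"]:
        return Decision(False, "relationship chain authorization invalid for this authorizer", None, ())
    # Claim 4: the relationship validity period must satisfy the access time limit condition.
    if now > int(ctx["valid_until"]):
        return Decision(False, "second verification message: relationship validity period expired", None, ())
    # Claim 3: pick the target relation type from the available set (first one the model knows; assumption).
    usable = [t for t in ctx["relation_types"] if t in RELATION_TO_CLUSTER]
    if not usable:
        return Decision(False, "no available relation type maps to a relation cluster", None, ())
    # Claims 5 and 6: relation type -> relation cluster -> N target role permissions.
    roles = CLUSTER_TO_ROLES[RELATION_TO_CLUSTER[usable[0]]]
    # Claim 7: gather the M data types of those roles and match the target data type.
    data_types = {dt for role in roles for dt in ROLE_TO_DATA_TYPES.get(role, ())}
    if request["data_type"] not in data_types:
        return Decision(False, "third verification message: data type not granted by role permissions", None, roles)
    # Claim 8: open the single data interface bound to the target data type.
    return Decision(True, "ok", DATA_TYPE_TO_INTERFACE[request["data_type"]], roles)


def demo() -> dict:
    """Constructed requests: the allow path plus one trigger for each verification message."""
    now = 1_700_000_000
    ticket = issue_identity_ticket("alice")
    tampered = ticket[:-1] + ("0" if ticket[-1] != "0" else "1")  # flip last MAC hex digit
    friend = issue_relationship_authorization("bob", ["friend"], now + 3600)
    colleague = issue_relationship_authorization("carol", ["colleague"], now + 3600)
    expired = issue_relationship_authorization("bob", ["friend"], now - 1)
    cases = {"friend_album": (friend, "bob", "album", ticket),
             "colleague_album": (colleague, "carol", "album", ticket),
             "expired": (expired, "bob", "album", ticket),
             "tampered": (friend, "bob", "album", tampered)}
    return {name: check_access({"identity_ticket": tk, "relationship_authorization": auth,
                                "authorizer_id": who, "data_type": dt}, now)
            for name, (auth, who, dt, tk) in cases.items()}
```

Running `demo()` shows the decision order the claims impose: the identity ticket is checked before anything in the relationship chain authorization is trusted, the validity period is checked before the relation type is consulted, and the target data type is matched only against the data types reachable from the role permissions of the selected cluster, so a colleague relation cannot open the album interface even though both relations are valid.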

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010264128.4A CN111475841B (en) 2020-04-07 2020-04-07 Access control method, related device, equipment, system and storage medium

Publications (2)

Publication Number Publication Date
CN111475841A true CN111475841A (en) 2020-07-31
CN111475841B CN111475841B (en) 2023-04-14

Family

ID=71749995

Country Status (1)

Country Link
CN (1) CN111475841B (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111242705A (en) * 2019-12-31 2020-06-05 航天信息股份有限公司企业服务分公司 Invoice data acquisition method and device
CN111984949A (en) * 2020-08-24 2020-11-24 北京达佳互联信息技术有限公司 Authentication method, authentication device, electronic equipment and storage medium
CN112036850A (en) * 2020-08-28 2020-12-04 光大科技有限公司 Digital asset data access method and device and digital asset transaction system
CN112069490A (en) * 2020-08-27 2020-12-11 北京百度网讯科技有限公司 Method, device, electronic equipment and storage medium for providing applet capability
CN112149077A (en) * 2020-10-12 2020-12-29 杭州云链趣链数字科技有限公司 Supply chain billing method, system and computer equipment based on block chain technology
CN112532595A (en) * 2020-11-18 2021-03-19 四川安迪科技实业有限公司 Satellite network data authority control method, device and storage medium
CN112596922A (en) * 2020-12-17 2021-04-02 百度在线网络技术(北京)有限公司 Communication management method, apparatus, device, medium, and program product
CN112685511A (en) * 2020-12-31 2021-04-20 中国农业银行股份有限公司 Method and device for commercial intelligent warehouse high-performance routing
CN112883390A (en) * 2021-02-18 2021-06-01 腾讯科技(深圳)有限公司 Authority control method and device and storage medium
CN115134405A (en) * 2022-09-01 2022-09-30 北京达佳互联信息技术有限公司 Data processing method and device, electronic equipment and computer readable storage medium
CN115225387A (en) * 2022-07-21 2022-10-21 济宁简约信息技术有限公司 Data security tamper-proof method and system based on big data and cloud platform
CN116842220A (en) * 2023-07-06 2023-10-03 中国科学院青藏高原研究所 Data access method based on logic classification and data role control
CN117688592A (en) * 2024-02-01 2024-03-12 山东中翰软件有限公司 Fine authority management and control method and system based on data production node
CN117688592B (en) * 2024-02-01 2024-04-26 山东中翰软件有限公司 Fine authority management and control method and system based on data production node

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101778109A (en) * 2010-01-13 2010-07-14 苏州国华科技有限公司 Construction method for access control policy and system thereof
CN102035846A (en) * 2010-12-22 2011-04-27 北京航空航天大学 Social network user identity authentication method based on relation statement
US20140310519A1 (en) * 2013-04-10 2014-10-16 Foundation Of Soongsil University-Industry Cooperation Method and apparatus for controlling access in a social network service
CN106685978A (en) * 2017-01-04 2017-05-17 北京奇虎科技有限公司 Method and apparatus of controlling access permission among multi devices, and mobile terminal
CN107426134A (en) * 2016-05-23 2017-12-01 上海神计信息系统工程有限公司 A kind of access control method based on relation
CN108600174A (en) * 2018-03-26 2018-09-28 西安交通大学 A kind of access control mechanisms and its implementation of big merger network
CN109327314A (en) * 2018-11-08 2019-02-12 阿里巴巴集团控股有限公司 Access method, device, electronic equipment and the system of business datum
CN110290112A (en) * 2019-05-30 2019-09-27 平安科技(深圳)有限公司 Authority control method, device, computer equipment and storage medium
CN110909373A (en) * 2018-09-18 2020-03-24 阿里巴巴集团控股有限公司 Access control method, device, system and storage medium

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
AJIAN005: "Access control security mechanisms and related models (including mandatory access control and discretionary access control)", https://blog.csdn.net/ajian005/article/details/8490082 *
Yuan Cheng et al.: "Relationship-Based Access Control for Online Social Networks: Beyond User-to-User Relationships", 2012 International Conference on Privacy, Security, Risk and Trust and 2012 International Conference on Social Computing *
刘嘉俊: "Research on context-information-based user preference extraction in the mobile Internet", China Master's Theses Full-text Database *
张梦娇 et al.: "Research on tag-based access control in online social networks", Computing Technology and Automation *
陈天柱 et al.: "Research progress on access control models and policies for social networks", Chinese Journal of Network and Information Security *

Also Published As

Publication number Publication date
CN111475841B (en) 2023-04-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant