CN111814171B - Cloud resource access control method based on attributes and graphs - Google Patents


Info

Publication number: CN111814171B
Authority: CN (China)
Prior art keywords: cloud, access control, data, resource, user
Prior art date:
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202010714694.0A
Other languages: Chinese (zh)
Other versions: CN111814171A (en)
Inventor: 莫毓昌
Current Assignee: Huaqiao University; Linewell Software Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Huaqiao University; Linewell Software Co Ltd
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date:
Publication date:

Application filed by Huaqiao University, Linewell Software Co Ltd
Priority to CN202010714694.0A
Publication of CN111814171A
Application granted
Publication of CN111814171B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules > G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE > Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The invention discloses a cloud resource access control method based on attributes and graphs, in the technical field of computers. The method comprises the following steps: S1, creating user attributes: the administrator adds a new user attribute record to the user's attribute configuration table. In this method the rights of user requests, computing resources and data resources are described as combinations of attributes, which greatly improves the flexibility and extensibility of access control; rights verification is performed by graph traversal instead of by evaluating logic gates, which reduces the amount of computation; and because a control graph is generated and combined only once, repeated requests for the same cloud application reuse it, which greatly reduces repeated computation. The method can therefore meet the access control requirements of massive numbers of users and resources in a cloud computing environment, and the security of the system is improved.

Description

Cloud resource access control method based on attributes and graphs
Technical Field
The invention relates to the technical field of computers, in particular to a cloud resource access control method based on attributes and graphs.
Background
Cloud computing is a new service model that provides on-demand network access to a shared pool of configurable computing resources. A cloud resource provider virtualises the software and hardware resources it owns into a resource cloud and deploys cloud-based services on it, offering cloud resource requesters a flexible, scalable, pay-per-use service model.
The security of cloud environments has been called into question by a large number of incidents. A comprehensive analysis of, and solutions for, the security problems faced by cloud computing environments have therefore become a precondition for the large-scale adoption of cloud computing. Ensuring the confidentiality, integrity and availability of user data is the core cloud security problem, and access control to data resources is therefore central to cloud security.
Access control grants appropriate rights to appropriate principals so that principals can access resources legitimately. Most cloud platform providers currently use role-based access control (RBAC) to control access to resources in the cloud. RBAC provides basic access control over data, but roles are static: once a user has been given a role, the user holds the corresponding operation rights on the resource, which is hard to adapt to the dynamic nature of a cloud computing environment. Attribute-based access control (ABAC) is more dynamic, but because its rights verification is based on matching searches over control trees, and many control trees must be processed, it suffers from a large amount of computation, repeated computation and low access control efficiency, and does not meet the security control requirements of massive numbers of users and resources in a cloud computing environment.
Disclosure of Invention
(I) Technical problems solved
In view of the shortcomings of the prior art, the invention provides a cloud resource access control method based on attributes and graphs. It solves the problem that role-based access control, which provides only basic access control over data, is hard to adapt to the dynamic nature of a cloud computing environment because roles are static, and the problems of large and repeated computation and low access control efficiency of rights verification based on matching searches over control trees.
(II) technical scheme
In order to achieve the above purpose, the invention is realised by the following technical scheme. A cloud resource access control method based on attributes and graphs, characterised in that the method comprises the following steps:
S1, creating user attributes: the administrator adds a new user attribute record to the user's attribute configuration table.
S2, creating a cloud resource access control tree: for each kind of cloud resource, including cloud services and data resources, the administrator combines attributes with AND and OR gates according to requirements and creates the corresponding cloud resource access control tree.
S3, generating a cloud resource access control graph from the cloud resource access control tree; generating a cloud application access control graph from the running resource configuration file of the cloud application; and managing the generated control graphs.
S31, constructing a cloud resource access control graph from a cloud resource access control tree, specifically:
First, the attributes in the cloud resource access control tree are ordered by their numbers, for example A0 < A1 < A2 < A3 < ...; by convention an attribute with a smaller number is placed above an attribute with a larger number in the control graph, so attribute A0 is the root node of the control graph.
Then, the cloud resource access control graph is constructed bottom-up from the cloud resource access control tree.
S32, generating a cloud application access control graph from the running resource configuration file of the cloud application, specifically:
First, the running resource configuration file of the cloud application is parsed to obtain a cloud service list and a data resource list. The cloud service list is the one or more cloud services that the cloud platform must call, in a given order, to complete a cloud application request; the data resource list is the data resources that the cloud platform must access to complete the request.
Then, to verify the authority of the user's cloud application request, the user must be confirmed to have access rights to all of these cloud services and data resources; the control graphs corresponding to each cloud service and data resource are therefore AND-combined, so that a single graph verifies that the user has authority over every cloud service and data resource required to run the cloud application.
S33, managing the generated control graphs, specifically:
The generated control graphs are stored, so that they do not have to be regenerated when access control is performed on the same cloud resource again. Since a control graph is graph data, a graph database management system such as the Neo4j graph database is used to store it.
Each time a user makes a cloud application request, the authority of the request must be verified. At that point the control graphs are not generated and AND-combined directly; the graph database is queried first. If the control graphs corresponding to the cloud services and data resources involved in the request have already been generated, they are fetched directly; generation and AND-combination are performed only for control graphs that are not found.
S4, performing access control based on the access control graph: cloud resource information and attribute information are extracted from the cloud application request submitted by the user, and authority is verified by traversing the cloud application access control graph.
Preferably, in step S2, a cloud service is a computing unit that makes up a cloud application, that is, completes a cloud application request; the cloud platform executes one or more cloud services in a given order according to the cloud application. The data resources are the data resources that a cloud service can access during its execution, organised as follows:
Data warehouse: stores all data resources of the cloud computing platform; typically a data warehouse contains several databases.
Database: a database stores all data of one cloud application; typically a database contains several data tables.
Data table: a data table stores all attribute data of one entity in a cloud application; typically a data table contains several data fields.
Data field: each data field stores one attribute of one entity.
Preferably, when creating the cloud resource access control trees in step S2, the administrator combines attributes with AND and OR gates according to requirements and creates a corresponding cloud resource access control tree for each cloud service, data warehouse, database, data table and data field.
(III) beneficial effects
The invention provides a cloud resource access control method based on attributes and graphs, with the following beneficial effects. The rights of user requests, computing resources and data resources are described as combinations of attributes, which greatly improves the flexibility and extensibility of access control, and control graphs are used to make rights verification more efficient. In the traditional method, access control trees are used directly for authority verification: because the trees contain AND and OR logic gates, each verification requires logic evaluation, and the verification of each tree is independent, so the amount of computation is large. In the present method the control graphs are generated and AND-combined and stored as graphs, so nodes are shared between graphs, which reduces the amount of computation; authority verification is performed by graph traversal, avoiding logic evaluation, which reduces it further; and because a control graph is generated once and reused, when the same cloud application request is made many times, graph generation and combination are actually performed only once, greatly reducing repeated computation. The method can therefore meet the access control requirements of massive numbers of users and resources in a cloud computing environment, and the security of the system is improved.
Drawings
FIG. 1 is a schematic diagram of an example access control tree according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an example control graph according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the lowest layer of the control tree of FIG. 1 according to the present invention;
FIG. 4 is a schematic diagram of the control graph generated from the control tree of FIG. 3 according to the present invention;
FIG. 5 is a schematic diagram of the control tree one layer above the control tree of FIG. 3 according to the present invention;
FIG. 6 is a schematic diagram of the control graph generated from the control tree of FIG. 5 according to the present invention;
FIG. 7 is a schematic diagram of the control graph generated from the control tree of FIG. 1 according to the present invention;
FIG. 8 is a schematic diagram illustrating the AND-combination of several control graphs according to the present invention;
FIG. 9 is the control graph obtained by AND-combining the L and R control graphs of FIG. 8.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1-9, the present invention provides a technical solution: a cloud resource access control method based on attributes and graphs comprises the following steps:
S1, creating user attributes: the administrator adds a new user attribute record to the user's attribute configuration table. For example, the attributes that User1 can hold include: job title, years of service, sex, access IP, office location, project group, allowed access time, etc.
S2, creating a cloud resource access control tree: for each kind of cloud resource, including cloud services and data resources, the administrator combines attributes with AND and OR gates according to requirements and creates the corresponding cloud resource access control tree.
Cloud resources comprise computing resources and data resources. The computing resources are the one or more cloud services that the cloud platform calls, in a given order, while processing a user's cloud application request; the data resources are the data resources that a cloud service accesses during its execution, organised as follows:
Data warehouse: stores all data resources of the cloud computing platform; typically a data warehouse contains several databases.
Database: a database stores all data of one cloud application; typically a database contains several data tables.
Data table: a data table stores all attribute data of one entity of one cloud application; typically a data table contains several data fields.
Data field: each data field stores one attribute of one entity.
When creating the cloud resource access control trees, the administrator combines attributes with AND and OR gates according to actual requirements and creates a corresponding cloud resource access control tree for each cloud service, cloud data warehouse, cloud database, cloud data table and cloud data field. In an access control tree, leaf nodes represent attributes and non-leaf nodes represent logic gates, AND or OR. An AND gate means that all of the attributes under it must be held at the same time; an OR gate means that holding any one of the attributes under it is sufficient.
For example, an access control tree for a cloud resource is shown in FIG. 1. FIG. 1 shows that a user can access the cloud resource only if attributes A0 and A1 are satisfied, or attributes A0, A2 and A3 are satisfied.
Since an access control tree is graph data, a graph database management system such as the Neo4j graph database is used to store it.
S3, generating a cloud resource access control graph from the cloud resource access control tree; generating a cloud application access control graph from the running resource configuration file of the cloud application; and managing the generated control graphs.
A control graph in this step has two types of nodes, attribute nodes and decision nodes; take the control graph shown in FIG. 2 as an example. Attribute nodes, such as A0, A1, A2 and A3, each have two branches: the Y branch is taken when the attribute is satisfied and the N branch when it is not. The decision nodes are N and Y: decision node N means the authority is insufficient and the cloud resource cannot be accessed; decision node Y means the authority is satisfied and the cloud resource can be accessed.
Each path from the top node of the control graph to decision node Y is a combination of attributes that can access the cloud resource. For example, in FIG. 2 the rightmost path from the top node to decision node Y consists of the Y branch of A0 and the Y branch of A1, meaning that a user who satisfies attributes A0 and A1 can access the cloud resource.
Each path from the top node of the control graph to decision node N is a combination of attributes that is insufficient to access the cloud resource. For example, in FIG. 2 the leftmost path from the top node to decision node N consists of the N branch of A0, meaning that a user who does not satisfy attribute A0 cannot access the cloud resource; such an access is illegal.
S31, constructing a cloud resource access control diagram according to a cloud resource access control tree, wherein the specific operation is as follows:
First, the attributes in the cloud resource access control tree are ordered by their numbers, for example A0 < A1 < A2 < A3 < ...; by convention an attribute with a smaller number is placed above an attribute with a larger number in the control graph, so attribute A0 is the root node of the control graph.
Then, the cloud resource access control graph is constructed bottom-up from the cloud resource access control tree.
If the lowest layer of the cloud resource access control tree is an AND gate, the attributes under the gate are chained in numeric order along their Y branches, the last Y branch leading to decision node Y, and the N branch of every attribute leads directly to decision node N.
If the lowest layer of the cloud resource access control tree is an OR gate, the attributes under the gate are chained in numeric order along their N branches, the last N branch leading to decision node N, and the Y branch of every attribute leads directly to decision node Y.
For example, for the control tree shown in FIG. 1, whose lowest-level AND gate sub-tree is shown in FIG. 3, the control graph generated from FIG. 3 is shown in FIG. 4.
The cloud resource access control tree is then processed layer by layer upwards, extending the control graph.
Taking the cloud resource access control tree shown in FIG. 1 as an example, going from the bottom layer to the top layer, the next sub-tree to be processed is the OR gate sub-tree shown in FIG. 5, which yields the control graph shown in FIG. 6. The generation process is as follows: the attribute node A1 is constructed; because the gate is an OR gate, the Y branch of A1 is connected directly to decision node Y, and the N branch of A1 is connected to the control graph built in the previous step for the AND gate sub-tree.
After the OR gate sub-tree of FIG. 5, the top-level AND gate of FIG. 1 is reached, and the resulting control graph is shown in FIG. 7. The generation process is as follows: the attribute node A0 is constructed; because the gate is an AND gate, the N branch of A0 is connected directly to decision node N, and the Y branch of A0 is connected to the control graph built in the previous step for the OR gate sub-tree.
S32, generating a cloud application access control diagram according to an operation resource configuration file of the cloud application, wherein the specific operation is as follows:
First, the running resource configuration file of the cloud application is parsed to obtain a cloud service list and a data resource list. The cloud service list is the one or more cloud services that the cloud platform must call, in a given order, to complete a cloud application request; the data resource list is the data resources that the cloud platform must access to complete the request.
While processing a user's cloud application request, the cloud platform calls one or more cloud services from the cloud service list, in a given order. Each cloud service has an access control tree, and each access control tree generates a control graph, so a user's cloud application request corresponds to several cloud service control graphs. Likewise, to fulfil one user cloud application request, the different cloud services need to access different data resources, and each data resource generates a control graph, so the request also corresponds to the control graphs of several data resources.
To verify the authority of the user's cloud application request, the user must be confirmed to have access rights to all of these cloud services and data resources; the control graphs corresponding to each cloud service and data resource are therefore AND-combined, so that a single graph verifies that the user has authority over every cloud service and data resource required to run the cloud application.
As shown in FIG. 8, the AND-combination of control graphs proceeds as follows:
On the left of the figure are the two control graphs to be AND-combined, the left one called L and the right one called R; the combined control graph is called C1.
AND-combination is a top-down process:
Comparing the numbers of the root nodes of the two control graphs, A1 is clearly smaller, so A1 becomes the root node of the combined control graph C1.
The Y branch of the root node A1 of C1 is the AND-combination of the Y branch of A1 in L with R.
The N branch of the root node A1 of C1 is the AND-combination of the N branch of A1 in L with R.
Since the N branch of A1 in L is decision node N, that is, the authority is not satisfied, the AND-combination of decision node N with R is also decision node N: the authority is not satisfied.
The Y branch of A1 in L and the root of R are both A2, so A2 becomes the root node of the combined sub-graph C2.
The Y branch of the root node A2 of C2 is the AND-combination of the Y branch of A2 in L with the Y branch of A2 in R.
The N branch of the root node A2 of C2 is the AND-combination of the N branch of A2 in L with the N branch of A2 in R.
Since the Y branch of A2 in L is decision node Y, that is, the authority is satisfied, the AND-combination of decision node Y with the Y branch of A2 in R is simply the Y branch of A2 in R.
For the N branch of A2 in L and the N branch of A2 in R, the numbers of their root nodes are compared again; A3 is clearly smaller, so A3 becomes the root node of the combined sub-graph C3.
The Y branch of the root node A3 of C3 is the AND-combination of the Y branch of A3 in L with the N branch of A2 in R.
The N branch of the root node A3 of C3 is the AND-combination of the N branch of A3 in L with the N branch of A2 in R.
Since the Y branch of A3 in L is decision node Y, that is, the authority is satisfied, the AND-combination of decision node Y with the N branch of A2 in R is simply the N branch of A2 in R.
Since the N branch of A3 in L is decision node N, that is, the authority is not satisfied, the AND-combination of the N branch of A2 in R with decision node N is also decision node N: the authority is not satisfied.
The final result is shown in FIG. 9.
S33, managing the generated various control charts, wherein the specific operation is as follows:
The generated control graphs are stored, so that they do not have to be regenerated when access control is performed on the same cloud resource again. Since a control graph is graph data, a graph database management system such as the Neo4j graph database is used to store it.
When a user makes a cloud application request, the authority of the request is verified. At that point the control graphs are not generated and AND-combined directly; the graph database is queried first. If the control graphs corresponding to the cloud services and data resources involved in the request have already been generated, they are fetched directly; generation and AND-combination are performed only for control graphs that are not found.
s4, performing access control based on the access control diagram: and extracting cloud resource information and attribute information from a cloud application request submitted by a user, and performing authority verification by traversing a cloud application access control diagram method.
The cloud application request submitted by the user is processed as follows:
and the user submits a certain cloud application request to the cloud platform.
The cloud platform receives the cloud application request, analyzes the cloud application request, and extracts attribute information including a user name, a cloud application name, a request initiation time and a request initiation address.
The cloud platform queries a user-attribute configuration table by using the user name to obtain user attributes; such as job position, job age, sex, access IP, office location, belonging project group, allowed access time, etc.
And the cloud platform finds out an operation resource configuration file corresponding to the cloud application in a configuration file library by using the cloud application name, and obtains a cloud service list and a data resource list according to the file.
According to step S33, the cloud platform queries the graph database to determine whether the cloud application access control graph has been generated and stored in the graph database.
If already present, the acquisition is direct.
If the cloud application access control graph does not exist, confirming whether the cloud service related to the cloud application and the control graph corresponding to the data resource are generated or not by querying a graph database.
If already present, direct acquisition; AND according to the step S32, performing AND combination on the control graphs corresponding to all relevant cloud services AND data resources to generate a cloud application access control graph, AND storing the generated cloud application access control graph in a graph database.
If the control graphs corresponding to the cloud services AND the data resources which are partially related do not exist, access control trees corresponding to the cloud services AND the data resources are obtained by querying a graph database, the access control trees are converted into access control graphs according to the step S31, AND then the control graphs corresponding to all the cloud services AND the data resources which are related are subjected to AND combination according to the step S32, so that cloud application access control graphs are generated, AND the generated cloud application access control graphs are stored in the graph database.
Finally, the cloud platform forms an attribute set from the obtained user attributes, the request initiation time and the request initiation address, and performs authority verification by traversing the cloud application access control graph.
If the traversal reaches decision node Y, authority verification succeeds and the cloud platform calls the corresponding cloud resources to complete the cloud application request.
If the traversal reaches decision node N, the cloud platform feeds back that the user's access is illegal.
If neither decision node N nor decision node Y can be reached, the cloud platform feeds back that the user's authority is insufficient.
For example, for a certain cloud application request the corresponding access control graph is shown in fig. 9:
if the attribute information extracted from the cloud application request submitted by the user is {A1, A3}, traversing the access control graph shows that decision node Y cannot be reached by relying only on the Y branch of A1 and the Y branch of A3, so insufficient authority is fed back to the user;
if the attribute information extracted from the request is {not A1}, for example because A1 denotes the access time period [8:00-15:00] and the user makes the cloud application request at 7:00, so that the attribute information is not A1, then traversing the access control graph along the N branch of A1 reaches decision node N, so illegal access is fed back to the user;
if the attribute information extracted from the request is {A1, not A2, A3, A4}, traversing the access control graph along the Y branch of A1, the N branch of A2, the Y branch of A3 and the Y branch of A4 reaches decision node Y, so authority verification succeeds and the cloud platform calls the corresponding cloud resources to complete the cloud application request.
In summary, in the cloud resource access control method based on attributes and graphs, the authority of user requests, computing resources and data resources is described as combinations of attributes, which greatly improves the flexibility and extensibility of access control, while the control graphs improve the efficiency of authority verification. The traditional method verifies authority directly on access control trees; because the trees contain AND and OR operations, logical computation is needed during verification, the verification of each access control tree is independent, and the amount of computation is large. In the present method the control graphs are generated, combined and stored as graphs, so that nodes in the graphs are shared and the amount of computation is reduced; authority verification by graph traversal avoids the logical computation and reduces it further; and since a control graph is generated once and reused, repeated requests for the same cloud application generate and combine control graphs only once in practice, which greatly reduces repeated computation. The method can therefore meet the access control needs of massive numbers of users and resources in a cloud computing environment, improving the security of the system.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (3)

1. A cloud resource access control method based on attributes and graphs is characterized in that: the method comprises the following steps:
s1, creating user attributes: the administrator adds a new user attribute record to the attribute configuration table of the user;
s2, creating a cloud resource access control tree: an administrator establishes a corresponding cloud resource access control tree for each kind of cloud resource, including cloud services and data resources, by combining the attributes with AND and OR as required;
s3, generating a cloud resource access control graph from the cloud resource access control tree; generating a cloud application access control graph from the running resource configuration file of the cloud application; and managing the various generated control graphs, wherein:
s31, constructing the cloud resource access control graph from the cloud resource access control tree, specifically:
first, the attributes in the cloud resource access control tree are sorted by number, and it is agreed that an attribute with a smaller number is positioned above an attribute with a larger number in the control graph, so that attribute A0 is the root node of the control graph;
then, the cloud resource access control graph is constructed from the bottom up according to the cloud resource access control tree;
s32, generating the cloud application access control graph from the running resource configuration file of the cloud application, specifically:
first, the running resource configuration file of the cloud application is parsed to obtain the cloud service list and the data resource list, where the cloud service list is the one or more cloud services that the cloud platform needs to call in a certain order to complete a cloud application request, and the data resource list is the data resources that the cloud platform needs to access to complete the cloud application request;
then, since verifying the authority of a user's cloud application request requires confirming that the user has access authority to all of these cloud services and data resources, the control graphs corresponding to each cloud service and data resource are AND-combined, so that a single verification establishes that the user has authority over all cloud services and data resources required to run the cloud application;
s33, managing the various generated control graphs, specifically:
1. the generated control graphs are stored, so that they need not be regenerated when access control is performed for the same cloud resource; because control graphs are graph data, they are stored in a graph database management system;
2. when a user makes a cloud application request and its authority is verified, the control graphs are not generated and AND-combined directly; the graph database is queried first, the control graphs of cloud services and data resources related to the request that have already been generated are acquired directly, and generation and AND combination are performed only for control graphs that are not found;
s4, performing access control based on the access control graph: cloud resource information and attribute information are extracted from the cloud application request submitted by the user, and authority verification is performed by traversing the cloud application access control graph.
2. The cloud resource access control method based on attributes and graphs according to claim 1, wherein in step S2 the cloud service is a computing unit constituting a cloud application, that is, to complete a cloud application request the cloud platform executes one or more cloud services in a certain order according to the cloud application; the data resources are the data resources that a cloud service can access during execution, and the data resources are organized as follows:
data warehouse: storing all data resources of the cloud computing platform; the data warehouse comprises a plurality of databases;
database: a database stores all data of a certain cloud application; the database comprises a plurality of data tables;
data table: a data table stores all attribute data of an entity in a cloud application; the data table comprises a plurality of data fields;
data field: each data field stores certain attribute data of a certain entity.
3. The cloud resource access control method based on attributes and graphs according to claim 1, wherein in step S2, when creating the cloud resource access control tree, the administrator combines the attributes with AND and OR as required and creates a corresponding cloud resource access control tree for each cloud service, data warehouse, database, data table and data field.
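The graph construction of step S31, the AND combination and reuse of stored graphs of steps S32 and S33, and the traversal-based verification of step S4 (described above for the fig. 9 example and restated in claim 1) can be demonstrated with a small Python model. This is an added example, not code from the patent or its applicants: the control graph is modelled as an ordered, reduced binary decision diagram with shared nodes, attributes are named `A<k>` and ordered by number, an in-memory dict stands in for the graph database, and the policy trees, resource names and attribute sets are constructed for illustration (A1 plays the role of the [8:00-15:00] access window from the text). Treating an attribute that is absent from the request's attribute set as unknown, so that the traversal stops without reaching Y or N, is this model's reading of the "insufficient authority" outcome.

```python
# Added example (not the patent's code): control graphs as ordered, reduced
# binary decision diagrams with shared nodes; a dict stands in for the graph DB.
Y, N = "Y", "N"  # decision (terminal) nodes of every control graph


class ControlGraph:
    """Node store shared by all graphs: id -> (attribute number, N branch, Y branch)."""

    def __init__(self):
        self.nodes, self.unique, self.memo = {}, {}, {}

    def mk(self, var, low, high):
        """Return the node (var, low, high), sharing it if it already exists."""
        if low == high:                     # attribute is irrelevant at this point
            return low
        key = (var, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes[self.unique[key]] = key
        return self.unique[key]

    def var(self, u):
        """Attribute number of node u; terminals rank below every attribute."""
        return float("inf") if u in (Y, N) else self.nodes[u][0]

    def apply(self, op, u, v):
        """Combine two graphs with 'AND' or 'OR' while keeping the attribute order."""
        if u in (Y, N) and v in (Y, N):
            hit = (u == Y and v == Y) if op == "AND" else (u == Y or v == Y)
            return Y if hit else N
        if (op, u, v) not in self.memo:     # each pair of subgraphs is combined once
            top = min(self.var(u), self.var(v))
            ul, uh = self.nodes[u][1:] if self.var(u) == top else (u, u)
            vl, vh = self.nodes[v][1:] if self.var(v) == top else (v, v)
            self.memo[op, u, v] = self.mk(top, self.apply(op, ul, vl), self.apply(op, uh, vh))
        return self.memo[op, u, v]

    def from_tree(self, tree):
        """S31: graph of an access control tree such as ('AND', 'A1', ('OR', 'A2', 'A3'))."""
        if isinstance(tree, str):           # leaf attribute 'A<k>'; the smallest number ends up on top
            return self.mk(int(tree[1:]), N, Y)
        op, first, *rest = tree
        root = self.from_tree(first)
        for sub in rest:
            root = self.apply(op, root, self.from_tree(sub))
        return root

    def verify(self, root, attrs):
        """S4: follow the Y/N branch of each attribute; attrs maps 'Ak' -> True/False.
        An attribute missing from attrs is unknown (model assumption), so neither
        decision node is reached and insufficient authority is reported."""
        node = root
        while node not in (Y, N):
            var, low, high = self.nodes[node]
            if f"A{var}" not in attrs:
                return "INSUFFICIENT"
            node = high if attrs[f"A{var}"] else low
        return node


class CloudPlatform:
    """Administrator's trees (S2) plus the stored graphs (S33)."""

    def __init__(self, trees):
        self.graph, self.trees, self.store, self.builds = ControlGraph(), trees, {}, 0

    def application_graph(self, app, resources):
        """S32/S33: resource graphs are fetched from the store and built from their
        tree only when missing; the AND combination is done once per application."""
        if ("app", app) not in self.store:
            root = Y
            for res in resources:
                if res not in self.store:
                    self.store[res] = self.graph.from_tree(self.trees[res])
                    self.builds += 1
                root = self.graph.apply("AND", root, self.store[res])
            self.store["app", app] = root
        return self.store["app", app]

    def handle_request(self, app, resources, attrs):
        """Returns 'Y' (call the resources), 'N' (illegal access) or 'INSUFFICIENT'."""
        return self.graph.verify(self.application_graph(app, resources), attrs)


def demo():
    """Replays the three cases of the fig. 9 example on a constructed policy.
    A1 stands for the access window [8:00-15:00], so a 7:00 request yields A1=False."""
    platform = CloudPlatform({
        "svc_report": ("AND", "A1", ("OR", "A2", ("AND", "A3", "A4"))),  # constructed
        "db_sales": ("AND", "A1", "A3"),                                  # constructed
    })
    need = ["svc_report", "db_sales"]
    cases = [{"A1": True, "A3": True},                                    # {A1, A3}
             {"A1": False},                                               # {not A1}
             {"A1": True, "A2": False, "A3": True, "A4": True}]           # {A1, not A2, A3, A4}
    results = [platform.handle_request("report", need, attrs) for attrs in cases]
    return results, platform.builds        # (['INSUFFICIENT', 'N', 'Y'], 2)
```

The three requests reproduce the three outcomes of the example: the first stops at the node for A2 because the request carries no value for it, the second follows the N branch of A1 straight to N, and the third walks Y, N, Y, Y to decision node Y. `builds` stays at 2 across the three requests, which is the reuse of step S33: each resource tree is converted once, and the AND-combined application graph is stored after the first request and only traversed thereafter.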
CN202010714694.0A 2020-07-23 2020-07-23 Cloud resource access control method based on attributes and graphs Active CN111814171B (en)

Publications (2)

Publication Number Publication Date
CN111814171A (en) 2020-10-23
CN111814171B (en) 2024-01-09

Family

ID=72862273




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20231203

Address after: 362000 Fengze District, Quanzhou City, Fujian Province

Applicant after: HUAQIAO University

Applicant after: LINEWELL SOFTWARE Co.,Ltd.

Address before: 321000 Room 202, unit 1, building 52, 786 Yuquan West Road, Wucheng District, Jinhua City, Zhejiang Province

Applicant before: Mo Yuchang

GR01 Patent grant