CN112187772A - Authority control method, system and medium based on intelligent contract design - Google Patents
- Publication number
- CN112187772A (application CN202011011379.8A)
- Authority
- CN
- China
- Prior art keywords
- authority
- contract
- user
- component
- request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/50—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
Abstract
The invention provides an authority control method, system and medium based on intelligent contract design, which make a user's access control to the chain more refined. The method comprises the following steps: the authority control contract initializes and manages user authority, so that a user's access authority to the chain is controlled and detailed down to the functional-method level of each module in a node, and the user's access authority can be adjusted intelligently. Aiming at the problems in the background art, the method refines the access authority of chain users, can control authority over any function of any node of the block chain, places user authority control directly on the chain, does not need to rely on external services, and is very lightweight and highly reliable.
Description
Technical Field
The invention relates to the technical field of financial technology and block chain application, in particular to an authority control method, system and medium based on intelligent contract design, and more particularly to block chain and intelligent contract related technology modules.
Background
Block chain user authority management is core content of block chain technology in practical industry fields. Traditional authority management technology can be divided into authority control at a certain node and authority control by a plug-in authority system (fig. 1 is a schematic view of the access flow of a traditional chain). Traditional authority management technology can solve industry application problems well, but it also has some defects: in the prior art, authority control cannot be refined to the function level of each module in a node; the authority control granularity of prior-art schemes is at the node level or depends on an external authority system; all function modules of a certain node are opened to a user, so the authority control granularity is, relatively speaking, too coarse or too heavy; and whether the external authority system depended upon is credible cannot be ensured. If it is necessary to control that some functions in a chain node can be accessed and/or some functions cannot be accessed, there is no solution in the current art.
Patent document CN201911085168.6 discloses a private data query method and device based on off-chain authorization, applied to block chain nodes, which invokes a white list maintained in an authority control contract to implement authority control. That patent only mentions white list control for query type operations, and it currently has three problems: first, white list maintenance is too tedious, since the white list must be updated whenever people are added or deleted; second, the patent only relates to authority control of query type operations and not to authority control of transaction type or account type operations; third, its authority control is at the node level, so if some function authorities of a node need to be controlled such that some functions can be accessed and some cannot, that patent cannot implement it. The present method applies to all functions and methods of all nodes of a block chain, the control granularity is finer, authority control is achieved based on authority identification in an authority control contract, query type and transaction type operations are not distinguished, authority control can be performed for any operation and action, random combination is possible, and authority control is more flexible.
Patent document CN201911424785.4 discloses a method for using a block chain permission mechanism, in which identity information, permission request information and a block chain consensus policy are used to reach consensus and thereby implement permission control. That method further needs a user module, a block chain management module, a processing module and an information feedback module to cooperatively complete permission check and management of users. The consensus policy in that patent is fuzzy, the number of processing modules depended upon is large and too heavy, the policy it uses for permission control has too coarse a granularity, and for new users permission needs to be maintained again while the user's permission range must be maintained through permission update requests, so the maintenance cost is too high. By contrast, the function level that can be controlled by our method is more refined, the permission control contract we use performs the permission control by itself, no other modules are needed, and the weight is lighter.
Patent document CN201710556783.5 discloses a method and an apparatus for controlling user authority, in which any node device in a decentralized system based on a block chain receives an execution result submitted with the private key held by a user when the user executes a preset authority operation, reads the identity of the user bound to the public key corresponding to that private key, queries the user authority associated with that identity, and performs authority control on the user based on the queried user authority. This has the following problems: the patent performs authority control at any node of the decentralized system, so the control granularity is at the node level and is not fine enough; and the patent needs to query the user's authority information in a decentralized module based on the obtained identity, which is inefficient and complicated in flow. Aiming at these two problems, the control granularity of the present method is at the function level and is more refined, and its authority processing is completed entirely in the authority control contract without interaction with other modules, so the flow is simple, the weight is lighter, and the efficiency is higher.
Disclosure of Invention
Aiming at the defects in the prior art, the invention aims to provide a permission control method, a permission control system and a permission control medium based on intelligent contract design.
According to the authority control method based on the intelligent contract design, the intelligent contract is divided into a first contract and a second contract, the first contract comprises an authority control component, the second contract comprises an authority checking component, a function distribution component and a specific function module, the second contract can only be accessed through the first contract, and the first contract is open to the outside.
Preferably, the method comprises the following steps:
step S1: the first contract receives an access request of a user, and the authority control component first distinguishes whether the user is a super user or a common user; a super user can maintain the authority mapping hash table, and a common user can only carry out conventional transaction and query operations;
step S2: the authority control component of the first contract quickly acquires the authority identification of the user through the authority mapping hash table, and then forwards the request to the authority verification component of the second contract;
step S3: the authority verification component of the second contract judges whether the request was forwarded through the first contract and, if not, returns directly; it then verifies the authority identification of the user and judges whether that authority identification may access the target function, returning directly if the user has no right to access it;
step S4: after the authority verification component in the second contract passes the check, the request is forwarded to the function distribution component for function distribution;
step S5: the function distribution component of the second contract distributes the request to a specific function; the second contract then carries out the related operation of the chain, feeds the data back to the first contract step by step according to the stack-popping principle, and the first contract feeds the data back to the external user.
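The gateway/internal split of steps S1 to S5, including the pass check of step S3, the default-rule assignment for new users and the super-user upgrade path, modelled as an added Python example; this is not the patent's code (the patent names no platform), and the addresses, function numbers, reserved upgrade function number and default rule are constructed values.

```python
"""Model of the patent's two-contract permission flow (added illustration, not the
patent's code): a public FirstContract holding the permission mapping hash table and
an internal SecondContract whose entry only passes requests forwarded by the gateway.
Addresses, function numbers and rule contents are constructed sample values."""
from dataclasses import dataclass

GATEWAY_ADDR = "0xGATEWAY"        # constructed: on-chain address of the first contract
UPGRADE_FN = 0                    # constructed: function number reserved for permission upgrades
DEFAULT_RULE = frozenset({10})    # constructed: new users may only call function 10


@dataclass(frozen=True)
class Request:
    user: str            # user's public key / address (constructed value)
    target: int          # target function number
    sender: str          # address the second contract sees as its caller
    args: tuple = ()


class SecondContract:
    """Permission-check entry plus function dispatch; it has no external entry."""

    def __init__(self, gateway_addr, functions):
        self._gateway = gateway_addr
        # function number -> callable; a dict stands in for the patent's indexed method table
        self._index = dict(functions)

    def handle(self, req, permission):
        # pass design (step S3.1): only requests whose sender is the first contract get in
        if req.sender != self._gateway:
            return {"ok": False, "reason": "not forwarded by first contract"}
        # permission identification check (step S3.2) against the target function
        if req.target not in permission:
            return {"ok": False, "reason": f"no permission for function {req.target}"}
        fn = self._index.get(req.target)
        if fn is None:
            return {"ok": False, "reason": f"unknown function {req.target}"}
        # dispatch (steps S4/S5); the result pops back along the same call path
        return {"ok": True, "data": fn(*req.args)}


class FirstContract:
    """Public gateway holding the permission mapping hash table (user -> allowed functions)."""

    def __init__(self, addr, super_users, second, default_rule=DEFAULT_RULE):
        self.addr = addr
        self._super = frozenset(super_users)
        self._table = {}
        self._second = second
        self._default = default_rule

    def permission_of(self, user):
        # new user: assign the super-user-preset default rule on first sight (step S1)
        if user not in self._table:
            self._table[user] = self._default
        return self._table[user]

    def upgrade(self, super_user, target_user, new_rule):
        # only super users maintain the table; the change takes effect immediately
        if super_user not in self._super:
            return {"ok": False, "reason": "only super users may maintain permissions"}
        self._table[target_user] = frozenset(new_rule)
        return {"ok": True, "data": sorted(self._table[target_user])}

    def access(self, user, target, *args):
        if target == UPGRADE_FN:
            # maintenance requests are resolved inside the first contract, never forwarded
            return self.upgrade(user, *args)
        perm = self.permission_of(user)
        req = Request(user=user, target=target, sender=self.addr, args=args)
        return self._second.handle(req, perm)


def build_demo():
    """Constructed deployment: a query function, a transaction function, one super user."""
    functions = {
        10: lambda key: f"value-of-{key}",
        20: lambda frm, to, amt: f"transfer {amt} {frm}->{to}",
    }
    second = SecondContract(GATEWAY_ADDR, functions)
    first = FirstContract(GATEWAY_ADDR, super_users={"0xADMIN"}, second=second)
    return first, second


def run_scenario():
    """Walks the flow: default rule, denial, upgrade, retry, and a bypass attempt."""
    first, second = build_demo()
    out = {}
    out["query_ok"] = first.access("0xALICE", 10, "balance")
    out["transfer_denied"] = first.access("0xALICE", 20, "0xALICE", "0xBOB", 5)
    out["upgrade"] = first.access("0xADMIN", UPGRADE_FN, "0xALICE", {10, 20})
    out["transfer_ok"] = first.access("0xALICE", 20, "0xALICE", "0xBOB", 5)
    out["upgrade_by_user"] = first.access("0xALICE", UPGRADE_FN, "0xALICE", {10, 20})
    # calling the second contract directly is refused at the entry even with full rights
    direct = Request("0xALICE", 20, sender="0xALICE", args=("0xALICE", "0xBOB", 5))
    out["bypass"] = second.handle(direct, frozenset({20}))
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```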
Preferably, the step S1:
the authority mapping table is preset with a plurality of super users who carry out related maintenance of the authority mapping table, and only super users can maintain the authority rules of the authority mapping table;
the authority rules of the authority mapping hash table utilize the linear principle of the hash table and/or the Cartesian set algorithm principle;
the authority rules are divided into two categories: the first is role-class authority identification, which divides the rules into a plurality of roles, each role comprising zero or more identification codes of specific functions that may be accessed; the second is function-code identification, which consists of zero or more identification codes of specific functions that may be accessed;
based on these two authority rules, the two rules can be freely combined, and the combination algorithm is freely set by a super user and comprises: taking multiple result sets of the two rules based on the Cartesian set algorithm, taking intersections and unions based on the linear algorithm of the hash table, and realizing the operation through a simple covering process; simple covering is implemented as one rule covering the other, in either direction;
the super user presets a default authority rule for the authority control component in the first contract, and when a new user comes in, the corresponding authority rule is assigned by default.
Preferably, the step S2:
the authority control component mainly comprises an authority mapping hash table; the preset authority rules, common authority rules and authority identifications of users are stored through a hash algorithm, and the authority identification of a user is efficiently obtained through the linear algorithm of the authority mapping hash table.
Preferably, the step S3 includes:
step S3.1: the entry of the second contract authority checking component only provides an interface accessed by the first contract authority control component, through a pass design, and provides no interface accessed from outside, so that an external user cannot directly access any component of the second contract;
step S3.2: only after the entry of the second contract authority checking component passes the pass check is the authority identification of the user checked, judging whether the authority identification of the user may access the target function; if it may not, the request is returned directly;
step S3.3: if the user cannot normally carry out the service because of no right to access the interface, the user can inform the super user of the function needing an upgrade by initiating an authority upgrade application, and the administrator can upgrade the authority of the user online in real time through an online interface, with the upgrade taking effect in real time.
Preferably, said step S3.1:
the entry of the second contract authority checking component is designed as a pass, that is, the entry of the authority checking component stores the address of the first contract; when a request comes in, it checks whether the address from which the request was received is that of the first contract; if so, the entry passes the request, and if not, the entry returns directly.
Preferably, the step S4:
the distribution component in the second contract receives a function distribution request from the authority verification component; the function distribution component designs the function method entries as a B-tree index channel based on a hash table data structure, quickly finds the method entry of the target function through the B-tree algorithm index, and then calls the corresponding specific function of the chain.
Preferably, the step S5:
after the specific function of the chain in the second contract is called, according to the method stack principle the data of the specific function is returned step by step following the stack-popping principle, that is, in the reverse of the calling order.
According to the authority control system designed based on the intelligent contract, the intelligent contract is divided into a first contract and a second contract, the first contract comprises an authority control component, the second contract comprises an authority checking component, a function distribution component and a specific function module, the second contract can only be accessed through the first contract, and the first contract is open to the outside;
the system comprises the following modules:
module S1: the first contract receives an access request of a user, and the authority control component first distinguishes whether the user is a super user or a common user; a super user can maintain the authority mapping hash table, and a common user can only carry out conventional transaction and query operations;
module S2: the authority control component of the first contract quickly acquires the authority identification of the user through the authority mapping hash table, and then forwards the request to the authority verification component of the second contract;
module S3: the authority verification component of the second contract judges whether the request was forwarded through the first contract and, if not, returns directly; it then verifies the authority identification of the user and judges whether that authority identification may access the target function, returning directly if the user has no right to access it;
module S4: after the authority verification component in the second contract passes the check, the request is forwarded to the function distribution component for function distribution;
module S5: the function distribution component of the second contract distributes the request to a specific function; the second contract then carries out the related operation of the chain, feeds the data back to the first contract step by step according to the stack-popping principle, and the first contract feeds the data back to the external user.
According to the invention, a computer readable storage medium storing a computer program is provided, wherein the computer program, when executed by a processor, implements the steps of any one of the above authority control methods based on intelligent contract design.
Compared with the prior art, the invention has the following beneficial effects:
aiming at the problems in the background art, the method refines the access authority of chain users, authority can be controlled over any function of any node of the block chain, user authority control is placed directly on the chain, no dependence on external services is needed, the weight is very light, and the reliability is high;
the invention provides two rules for managing user authority based on the intelligent contract: the first classifies by specific role, where the n functions preset in each role can be accessed; the second classifies by function against the corresponding user authority, where the function numbers a user can access can be intelligently updated. The two methods are compatible with each other, and user authority can be updated, increased, cancelled and so on by combining the two or by one covering the other.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments with reference to the following drawings:
fig. 1 is a schematic view illustrating an access flow of a conventional chain.
Fig. 2 is a schematic diagram of a method flow in the technical scheme of the invention.
Detailed Description
The present invention will be described in detail with reference to specific examples. The following examples will assist those skilled in the art in further understanding the invention, but are not intended to limit the invention in any way. It should be noted that various changes and modifications obvious to those skilled in the art can be made without departing from the spirit of the invention; all of these fall within the scope of the present invention.
The present invention will be described more specifically with reference to examples.
Example 1:
the invention discloses an authority control method based on intelligent contract design, which divides an intelligent contract into a first contract and a second contract, wherein the first contract comprises an authority control component, the second contract comprises an authority checking component, a function distribution component and a specific function module, the second contract can only be accessed through the first contract, and the first contract is open to the outside. As shown in fig. 2, the specific method comprises the following steps:
step 1: the first contract receives an access request of a user, and the authority control component first distinguishes whether the user has authority to maintain the authority mapping hash table (whether the user is a super user); a super user can maintain the authority mapping table, and common users can only carry out conventional transaction and query operations;
step 2: the authority control component of the first contract accesses the record through the authority mapping hash table (a hash table is a data structure accessed directly according to a key value), quickly acquires the authority identification of the user, and forwards the request to the authority verification component of the second contract;
step 3: the authority verification component of the second contract judges whether the request was forwarded through the first contract and, if not, returns directly; it then verifies the authority identification of the user and judges whether that authority identification may access the target function, returning directly if it may not;
step 4: after the authority verification component in the second contract passes the check, the request is forwarded to the function distribution component for function distribution;
step 5: the function distribution component of the second contract distributes the request to a specific function, the related operation of the chain is carried out, then the second contract feeds the data back to the first contract step by step according to the stack-popping principle, and the first contract feeds the data back to the external user;
the step 1 comprises the following steps:
step 1.1: the authority mapping table is preset with a plurality of super users who carry out related maintenance of the authority mapping table, and only super users can maintain the authority rules of the authority mapping table;
step 1.2: the authority rules of the authority mapping hash table also utilize the linear principle of the hash table (according to the key-uniqueness principle of the hash table, the intersection and union of two rules can be taken out quickly by a key-counting method; the computation of this algorithm is small and its performance is high, so the intersection and union of two authority rules can be obtained and the authority rules can be controlled more flexibly) and/or the principle of the Cartesian set algorithm (in mathematics the Cartesian product of two sets X and Y, also called the direct product and denoted X × Y, is the set of all possible ordered pairs whose first object is a member of X and whose second object is a member of Y; assuming set A is {a, b} and set B is {0, 1, 2}, the Cartesian product of the two sets is {[a,0], [a,1], [a,2], [b,0], [b,1], [b,2]}; this makes the distribution of the authority rules relatively uniform and reduces the number of times the authority rules must be maintained);
the rules are divided into two categories: the first is role-class authority identification, which divides the rules into a plurality of roles, each role comprising zero or more function codes (identification codes of specific functions) that may be accessed; the other is function-code identification, which consists of zero or more function codes that may be accessed;
Step 1.3: based on the two authority rules described in the step 1.2, the two rules can be freely combined, multiple result sets of the two rules can be obtained based on a Cartesian set algorithm, intersection sets and union sets can also be obtained based on a linear algorithm of a hash table, and the two rules can be freely set by a super user through a simple covering process;
wherein the content of the first and second substances,
1. a plurality of result sets which are indicated by two rules based on a Cartesian product algorithm are indicated as follows: the two rules described in 1.2 are uniformly combined by cartesian product algorithm, assuming that rule a is { a, B }, and rule B is {0,1,2}, then the cartesian products of the two sets are { [ a,0], [ a,1], [ a,2], [ B,0], [ B,1], [ B,2] }, which will generate multiple result sets;
2. taking the intersection and union of two rules by a linear algorithm based on a hash table means that: by hash key we can split into two hash tables with the two rules described in two 1.2, for example: hash table A { key1: val1, key2: val2 };
and a hash table B: { key1: val1, key2: val2, key 3: val3, if the keys in the hash table A and the hash table B are the same by comparison, the intersection of the two rules is taken, and the union of the two rules is taken after all data of the hash table A and the hash table B are subjected to de-duplication;
3. simple covering means: 1.2, either rule 1 or rule 2 is pre-set, for example: if the rule 1 is taken as the standard, when processing the authority rule, we find that the rule 1 and the rule 2 exist at the same time, and directly take the data of the rule 1 to perform authority control, if the rule 2 is taken as the standard, the same is true;
step 1.4: based on three algorithms in 1.3 (namely 1: Cartesian product algorithm 2: hash table algorithm 3: simple covering), a super user needs to preset a default authority rule for an authority control component in a first contract, and corresponding authority rules can be allocated by default when a new user comes in (namely, whether the authority of the user can maintain an authority mapping table is judged, whether the user is a logic of the super user is judged, and the default allocation of the corresponding authority rules means that when the new user comes in, the authority control component allocates corresponding authority identification to the new user by default through the preset authority rules);
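The three combination algorithms of steps 1.2 to 1.4 (and the rule-combination paragraph of the Disclosure), worked through as an added Python example that is not the patent's code; the rule contents are the page's own toy values, and reading the hash-table keys as function codes is an assumption made here.

```python
"""The three ways the patent describes for combining a role-class rule with a
function-code rule (added illustration, not the patent's code).  Rule contents
are the page's own toy values; reading hash-table keys as function codes is an
assumption made here."""
from collections import Counter
from itertools import product

# Hash-table form of a rule: key (function code) -> value.  The page's sample tables.
TABLE_A = {"key1": "val1", "key2": "val2"}
TABLE_B = {"key1": "val1", "key2": "val2", "key3": "val3"}


def cartesian_result_sets(rule_a, rule_b):
    """Cartesian product of two rules: every element of rule_a is paired with every
    element of rule_b, yielding one result set per element of rule_a.  With
    rule_a = {a, b} and rule_b = {0, 1, 2} this is the page's six ordered pairs."""
    pairs = [[x, y] for x, y in product(rule_a, rule_b)]
    result_sets = {}
    for x, y in pairs:
        result_sets.setdefault(x, []).append(y)
    return pairs, result_sets


def key_count_intersection_union(table_a, table_b):
    """Linear hash-table algorithm: count each key across both tables.  A key counted
    twice belongs to the intersection; every key counted at least once belongs to the
    de-duplicated union.  Values from table_a win on shared keys (assumption)."""
    counts = Counter(table_a.keys()) + Counter(table_b.keys())
    intersection = {k: table_a[k] for k, n in counts.items() if n == 2}
    union = {k: table_a.get(k, table_b.get(k)) for k in counts}
    return intersection, union


def simple_cover(table_a, table_b, standard="A"):
    """Simple covering: when both rules exist, the preset standard rule is taken outright."""
    if standard not in ("A", "B"):
        raise ValueError("standard must be 'A' or 'B'")
    return dict(table_a if standard == "A" else table_b)


def allowed_function_codes(role_rule, function_rule, mode, standard="A"):
    """Resolve the function codes a user may call from the functions granted to the
    user's role (role_rule) and the function-code rule (function_rule)."""
    if mode == "intersection":
        return frozenset(key_count_intersection_union(role_rule, function_rule)[0])
    if mode == "union":
        return frozenset(key_count_intersection_union(role_rule, function_rule)[1])
    if mode == "cover":
        return frozenset(simple_cover(role_rule, function_rule, standard))
    raise ValueError(f"unknown combination mode: {mode}")


def may_access(role_rule, function_rule, mode, target_code, standard="A"):
    """The question the second contract's check asks, under a chosen combination mode."""
    return target_code in allowed_function_codes(role_rule, function_rule, mode, standard)


if __name__ == "__main__":
    print(cartesian_result_sets(["a", "b"], [0, 1, 2]))
    print(key_count_intersection_union(TABLE_A, TABLE_B))
    print(may_access(TABLE_A, TABLE_B, "union", "key3"),
          may_access(TABLE_A, TABLE_B, "cover", "key3"))
```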
the step 2 comprises the following steps:
step 2.1: the authority control component mainly comprises an authority mapping hash table; the preset authority rules, common authority rules and authority identifiers of users are stored through a hash algorithm, and the authority identifier of a user can be efficiently obtained through the linear algorithm of the authority mapping hash table;
the step 3 comprises the following steps:
step 3.1: the entry of the second contract authority checking component only provides an interface accessed by the first contract authority control component, through a pass design, and provides no interface accessed from outside, so that an external user cannot directly access any component of the second contract;
step 3.2: only after the entry of the second contract authority checking component passes the pass check is the authority identification of the user checked, judging whether the authority identification of the user may access the target function; if it may not, the request is returned directly;
step 3.3: if the user cannot normally perform the service because of no right to access the interface, the user can inform the super user (administrator) of the function requiring an upgrade by initiating an authority upgrade application, and the administrator can upgrade the authority of the user online in real time through an online interface, with the upgrade taking effect in real time;
the step 4 comprises the following steps:
step 4.1: the distribution component in the second contract receives a function distribution request from the authority verification component; the function distribution component designs the function method entries as a B-tree index channel based on a hash table data structure and indexes them with the B-tree algorithm
(the search for a given keyword in a B-tree first fetches the root node and searches its keywords $K_1, \ldots, K_n$ by sequential or binary search; if a keyword equal to the given value is found, the search succeeds, otherwise the sought keyword must lie between $K_i$ and $K_{i+1}$, and the search continues in the node addressed by the pointer $P_i$ to the root of the corresponding subtree, until the keyword is found or the pointer $P_i$ is empty, in which case the search fails. For example, a B-tree of order $m$ containing $N$ keywords has $N + 1$ leaf nodes, all on the same level $L$. The root has at least two children, so there are at least 2 nodes on the second level; apart from the root and the leaves, every node has at least $\lceil m/2 \rceil$ children ($m/2$ rounded up, i.e. the smallest integer not less than $m/2$), so there are at least $2\lceil m/2 \rceil$ nodes on the third level, at least $2\lceil m/2 \rceil^{2}$ on the fourth level, and at least $2\lceil m/2 \rceil^{L-2}$ on level $L$. Therefore:
$$N + 1 \ge 2\lceil m/2 \rceil^{L-2}$$
Taking the number of nodes on level $L$ as $N + 1$, $2\lceil m/2 \rceil^{L-2} \le N + 1$, i.e. the minimum node count of level $L$ is exactly $N + 1$. That is:
$$L \le \log_{\lceil m/2 \rceil}\frac{N+1}{2} + 2$$
Therefore, when the B-tree contains $N$ keywords, its maximum height is $L - 1$ (the leaf level is not counted when calculating the height of a B-tree), that is:
$$L - 1 \le \log_{\lceil m/2 \rceil}\frac{N+1}{2} + 1$$
This bound ensures that the search efficiency of the B-tree is quite high, which greatly helps locate the method entry of the corresponding function.)
The index can quickly find the method entry of the target function, after which the specific function call of the chain is carried out;
The step 5 comprises the following steps:
step 5.1: after the specific function of the chain in the second contract is called, according to the method stack principle the data of the specific function is returned step by step following the stack-popping principle (returned in the reverse of the calling order);
The step 1.1 comprises the following steps:
1.1.1 implementation of simple covering: this method is simple and convenient to implement and has high performance, but it reduces the flexibility of the authority rules; a super user can choose among the three algorithms when designing authority.
In the step 3.1:
3.1.1: the entry of the second contract authority checking component is designed as a pass, that is, the entry of the authority checking component stores the address of the first contract; when a request comes in, it checks whether the address from which the request was received is that of the first contract; if so, the entry counts the request as passed, and if not, the entry returns directly.
example 2:
1.1: When a user accesses the chain, the permission control component of the first contract first judges whether the accessing user is a super user; if so, it decides from the user's target function number whether a permission upgrade is being performed. Otherwise it judges whether the user is a new user (a quick lookup of the user's public key in the permission hash mapping table); if so, it assigns the user a default permission identifier according to the permission rule preset by the super user, and if not, it fetches the user's permission identifier directly from the user permission hash table. It then forwards the request to the permission verification component of the second contract.
1.2: The permission verification component of the second contract receives the request forwarded by the first contract. Its entry gate first verifies whether the request comes from the first contract; if it does, the user's permission identifier in the request is verified. The component matches the permission identifier against the target function; because this matching is also based on the key-value structure of a hash table, whether the user may access the target function is decided quickly. If the identifier does not grant access, the request is returned directly; if it does, the request is forwarded to the function distribution component.
1.3: The function distribution component of the second contract receives the request, locates the specific function method directly from the target function number via the B-tree index, and then makes the on-chain function call.
1.4: After the function call completes, the returned data passes back in method-stack pop order through function method -> function distribution component -> permission check component (second contract) -> permission control component (first contract) -> external user.
1.5: If the request was returned for insufficient permission and the user therefore cannot carry out the service normally, the user may submit a permission upgrade application to the super user.
1.6: The super user receives the upgrade application and calls the first contract through its interface to upgrade the user's permission online; the upgrade takes effect as soon as it completes.
1.7: After the user's permission has been upgraded, step 1.1 is repeated to call the chain function.
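The complete flow of example 2 (first-contract lookup, entry gate, permission match, dispatch, stack-order return, and super-user upgrade) is modelled below as an added example; it is not the patent's or any project's code and also covers the steps of claims 2 to 8. Contract addresses, user keys, the three sample functions and the default rule are constructed; `msg_sender` stands in for the caller address a chain supplies to the callee, and a plain dict stands in for the B-tree index, both assumptions.

```python
"""End-to-end flow of the two-contract permission design.

Added example, not the patent's own code. Addresses, keys, function
numbers and the default permission rule are constructed values.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

FIRST_CONTRACT_ADDR = "0xFIRST"     # constructed address
OUTSIDE_ADDR = "0xEXTERNAL_USER"    # constructed address of an external caller


@dataclass
class Request:
    user_pubkey: str
    target_fn: int
    perm: FrozenSet[int] = frozenset()   # filled in by the first contract
    args: Tuple = ()


@dataclass
class Response:
    ok: bool
    reason: str
    data: object = None
    trace: List[str] = field(default_factory=list)   # stack unwinding order


class SecondContract:
    """Entry gate, permission check and function dispatch; reachable only
    through the first contract."""

    def __init__(self, first_contract_addr: str):
        self._first = first_contract_addr
        # Function table keyed by function number. Assumption: a dict stands
        # in for the patent's B-tree index; the dispatch logic is the same.
        self._functions: Dict[int, Callable[..., object]] = {
            1: lambda amount: f"transferred {amount}",
            2: lambda: "balance=100",
            3: lambda: "history=[...]",
        }

    def entry(self, msg_sender: str, req: Request) -> Response:
        # Step 3.1: entry gate, only the first contract's address passes.
        if msg_sender != self._first:
            return Response(False, "entry gate: caller is not the first contract")
        # Step 3.2: match the permission identifier against the target function.
        if req.target_fn not in req.perm:
            return Response(False, f"no permission for function {req.target_fn}")
        return self._dispatch(req)

    def _dispatch(self, req: Request) -> Response:
        # Step 4: function distribution by function number.
        fn = self._functions.get(req.target_fn)
        if fn is None:
            return Response(False, f"unknown function {req.target_fn}")
        # Step 5: call, then unwind; each layer appends itself on the way back.
        data = fn(*req.args)
        return Response(True, "ok", data, trace=["function", "dispatch", "check"])


class FirstContract:
    """Externally visible contract holding the permission control component."""

    def __init__(self, super_users: Set[str], default_perm: FrozenSet[int]):
        self.address = FIRST_CONTRACT_ADDR
        self._super_users = super_users
        self._default_perm = default_perm
        self._perm_table: Dict[str, FrozenSet[int]] = {}   # permission mapping hash table
        self.second = SecondContract(self.address)

    def upgrade(self, caller: str, user: str, perm: FrozenSet[int]) -> bool:
        """Step 1.6: only a super user may change a user's permission identifier."""
        if caller not in self._super_users:
            return False
        self._perm_table[user] = perm
        return True

    def access(self, req: Request) -> Response:
        # Step 1.1: a new user gets the default rule; a known user is looked up.
        if req.user_pubkey not in self._perm_table:
            self._perm_table[req.user_pubkey] = self._default_perm
        req.perm = self._perm_table[req.user_pubkey]
        # Step 1.2: forward to the second contract with our own address as sender.
        resp = self.second.entry(self.address, req)
        resp.trace.append("first_contract")
        return resp


def call_second_directly(first: FirstContract, sender: str, req: Request) -> Response:
    """Models a caller that skips the first contract; the gate must reject it."""
    return first.second.entry(sender, req)
```

The gate is only as strong as the authenticity of `msg_sender`: on a real chain it must be the address the platform attaches to the call, never a field the request body carries, because the second contract trusts the permission identifier the first contract attached.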
In the description of the present application, it is to be understood that the terms "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like indicate orientations or positional relationships based on those shown in the drawings, and are only for convenience in describing the present application and simplifying the description, but do not indicate or imply that the referred device or element must have a specific orientation, be constructed in a specific orientation, and be operated, and thus, should not be construed as limiting the present application.
Those skilled in the art will appreciate that, in addition to implementing the systems, apparatus, and various modules thereof provided by the present invention in purely computer readable program code, the same procedures can be implemented entirely by logically programming method steps such that the systems, apparatus, and various modules thereof are provided in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Therefore, the system, the device and the modules thereof provided by the present invention can be considered as a hardware component, and the modules included in the system, the device and the modules thereof for implementing various programs can also be considered as structures in the hardware component; modules for performing various functions may also be considered to be both software programs for performing the methods and structures within hardware components.
The foregoing description of specific embodiments of the present invention has been presented. It is to be understood that the present invention is not limited to the specific embodiments described above, and that various changes or modifications may be made by one skilled in the art within the scope of the appended claims without departing from the spirit of the invention. The embodiments and features of the embodiments of the present application may be combined with each other arbitrarily without conflict.
Claims (10)
1. An authority control method based on intelligent contract design is characterized in that an intelligent contract is divided into a first contract and a second contract, the first contract comprises an authority control component, the second contract comprises an authority checking component, a function distribution component and a specific function module, the second contract can only be accessed through the first contract, and the first contract is open to the outside.
2. The method for controlling authority designed based on the intelligent contract according to claim 1, comprising:
step S1: the first contract receives an access request of a user, the user is firstly distinguished to be a super user or a common user through an authority control component, the super user can maintain an authority mapping hash table, and the common user can only carry out conventional transaction and query operation;
step S2: the authority control component of the first contract acquires the authority identification of the user through an authority mapping hash table, and forwards the request to the authority verification component of the second contract;
step S3: the permission verification component of the second contract judges whether the request was forwarded through the first contract; if not, the request is directly returned. It then verifies the user's permission identifier and judges whether that identifier may access the target function; if it may not, the request is directly returned;
step S4: after the request passes the permission verification component of the second contract, it is forwarded to the function distribution component for function distribution;
step S5: the function distribution component of the second contract distributes the request to a specific function; the second contract carries out the related on-chain operation and then feeds the data back to the first contract level by level according to the stack (pop) principle, and the first contract feeds the data back to the external user.
3. The method for controlling authority designed based on intelligent contracts according to claim 1, wherein the step S1:
a plurality of super users are preset for maintaining the permission mapping table, and only super users can maintain the permission rules of the permission mapping table;
the permission rules of the permission mapping hash table use the linear principle of the hash table and/or the Cartesian set algorithm principle;
the permission rules fall into two categories: the first is role-class permission identification, which divides the rules into a plurality of roles, each role comprising the identification codes of zero or more specific functions it is allowed to access; the second is function code identification, which consists of the identification codes of zero or more specific functions allowed to be accessed;
the two rules can be freely combined, with the combination algorithm freely set by a super user, including: taking multiple result sets of the two rules by a Cartesian set algorithm, taking their intersection or union by the linear algorithm of the hash table, or applying simple override; simple override means that one rule covers the other, in either direction;
the super user presets a default permission rule for the permission control component in the first contract, and when a new user arrives the corresponding permission rule is assigned by default.
4. The method for controlling authority designed based on intelligent contracts according to claim 1, wherein the step S2:
the authority control component mainly comprises an authority mapping hash table, preset authority rules, common authority rules and authority identifications of users are stored through a hash algorithm, and the authority identifications of the users are efficiently obtained through a linear algorithm of the authority mapping hash table.
5. The method for controlling authority designed based on intelligent contracts according to claim 1, wherein the step S3 comprises:
step S3.1: the entry of the second contract's permission checking component uses a gate design and only provides an interface for access by the permission control component of the first contract, not an externally accessible interface, so an external user cannot directly access any component of the second contract;
step S3.2: only after the entry of the second contract's permission checking component passes the gate check is the user's permission identifier checked and a judgment made as to whether it may access the target function; if it may not, the request is directly returned;
step S3.3: if the user cannot carry out the service normally because they have no right to access the interface, they can initiate a permission upgrade application informing the super user which functions need upgrading, and the administrator can upgrade the user's permission online through an online interface, with the change taking effect in real time.
6. An authority control method based on intelligent contract design according to claim 1, wherein the step S3.1:
the entry of the second contract's permission checking component uses a gate design, that is, the entry stores the address of the first contract; when a request arrives, it checks whether the request's sender address is the first contract; if so, the entry is passed, and if not, the request is directly returned.
7. The method for controlling authority designed based on intelligent contracts according to claim 1, wherein the step S4:
the function distribution component in the second contract receives the function distribution request from the permission verification component; the function distribution component arranges the function method entries as a B-tree index on top of a hash table data structure, quickly finds the method entry of the target function by B-tree index lookup, and then calls the specific on-chain function.
8. The method for controlling authority designed based on intelligent contracts according to claim 1, wherein the step S5:
after the specific on-chain function in the second contract has been called, the function data is returned level by level according to the method-stack pop principle, that is, in the reverse of the calling order.
9. An authority control system designed based on an intelligent contract is characterized in that the intelligent contract is divided into a first contract and a second contract, the first contract comprises an authority control component, the second contract comprises an authority checking component, a function distribution component and a specific function module, the second contract can only be accessed through the first contract, and the first contract is open to the outside;
the method comprises the following steps:
module S1: the first contract receives an access request of a user, the user is firstly distinguished to be a super user or a common user through an authority control component, the super user can maintain an authority mapping hash table, and the common user can only carry out conventional transaction and query operation;
module S2: the permission control component of the first contract quickly acquires the user's permission identifier through the permission mapping hash table and then forwards the request to the permission verification component of the second contract;
module S3: the permission verification component of the second contract judges whether the request was forwarded through the first contract; if not, the request is directly returned. It then verifies the user's permission identifier and judges whether that identifier may access the target function; if it may not, the request is directly returned;
module S4: after the request passes the permission verification component of the second contract, it is forwarded to the function distribution component for function distribution;
module S5: the function distribution component of the second contract distributes the request to a specific function; the second contract carries out the related on-chain operation and then feeds the data back to the first contract level by level according to the stack (pop) principle, and the first contract feeds the data back to the external user.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the steps of the smart contract design-based entitlement control method of any one of claims 1 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011011379.8A CN112187772B (en) | 2020-09-23 | 2020-09-23 | Authority control method, system and medium based on intelligent contract design |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112187772A true CN112187772A (en) | 2021-01-05 |
CN112187772B CN112187772B (en) | 2021-09-21 |
Family
ID=73956847
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011011379.8A Active CN112187772B (en) | 2020-09-23 | 2020-09-23 | Authority control method, system and medium based on intelligent contract design |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112187772B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107332847A (en) * | 2017-07-05 | 2017-11-07 | 武汉凤链科技有限公司 | A kind of access control method and system based on block chain |
CN110297689A (en) * | 2019-05-06 | 2019-10-01 | 百度在线网络技术(北京)有限公司 | Intelligent contract executes method, apparatus, equipment and medium |
CN110580413A (en) * | 2019-11-08 | 2019-12-17 | 支付宝(杭州)信息技术有限公司 | Private data query method and device based on down-link authorization |
CN110941679A (en) * | 2019-12-05 | 2020-03-31 | 腾讯科技(深圳)有限公司 | Contract data processing method, related equipment and medium |
CN111010372A (en) * | 2019-11-20 | 2020-04-14 | 国家信息中心 | Block chain network identity authentication system, data processing method and gateway equipment |
CN111310233A (en) * | 2020-03-24 | 2020-06-19 | 腾讯科技(深圳)有限公司 | Application interface display method, device, equipment and storage medium |
US20200279224A1 (en) * | 2019-04-16 | 2020-09-03 | Alibaba Group Holding Limited | Blockchain-based program review system, method, computing device and storage medium |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113572825A (en) * | 2021-07-09 | 2021-10-29 | 中国科学院计算技术研究所 | Access control and resource access control method and system for relay chain cross-link architecture |
CN115001718A (en) * | 2022-08-04 | 2022-09-02 | 树根格致科技(湖南)有限公司 | Data processing method and device, computer equipment and readable storage medium |
CN116915520A (en) * | 2023-09-14 | 2023-10-20 | 南京龟兔赛跑软件研究院有限公司 | Agricultural product informatization data security optimization method based on distributed computing |
CN116915520B (en) * | 2023-09-14 | 2023-12-19 | 南京龟兔赛跑软件研究院有限公司 | Agricultural product informatization data security optimization method based on distributed computing |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||