CN114205098A - Method, device and equipment for inquiring operation authority and computer readable storage medium - Google Patents


Info

Publication number: CN114205098A
Authority: CN (China)
Prior art keywords: network device; value; resource; operation authority; identifier
Legal status: Granted
Application number: CN202010895643.2A
Other languages: Chinese (zh)
Other versions: CN114205098B (en)
Inventor: 王路
Current Assignee: Beijing Huawei Digital Technologies Co Ltd
Original Assignee: Beijing Huawei Digital Technologies Co Ltd
Application filed by Beijing Huawei Digital Technologies Co Ltd
Priority to CN202010895643.2A
Publication of CN114205098A
Application granted
Publication of CN114205098B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a method, an apparatus, a device and a computer-readable storage medium for querying operation permissions, and belongs to the technical field of communications. Taking the second network device as the executor of the method: first, the second network device receives a first RPC instruction sent by the first network device, which indicates a query of the operation permission for a first resource and carries a first identifier of that resource. After parsing the first RPC instruction to obtain the first identifier, the second network device obtains, according to the first identifier, a value of a first operation permission; this value indicates whether the first network device has the first operation permission for the first resource. Then, according to the value of the first operation permission, it encapsulates the operation-permission query result of the first resource into a first response message and sends that message to the first network device. The first network device thus obtains the operation-permission query result of the first resource directly, which gives a more intuitive way of querying operation permissions and improves query efficiency.

Description

Method, device and equipment for inquiring operation authority and computer readable storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method, an apparatus, a device, and a computer-readable storage medium for querying an operation permission.
Background
With the development of communication technology, more and more communication protocols are applied to the communication between a first network device (client) and a second network device (server); the Network Configuration Protocol (NETCONF), which communicates through a Remote Procedure Call (RPC) mechanism, is one of them. The RPC mechanism works as follows: the first network device sends an RPC instruction to the second network device, and the second network device returns a response message (rpc-reply) to the first network device according to that instruction. In practice the second network device often stores a plurality of resources, and the first network device may hold different operation permissions for different resources. It is therefore desirable to provide a method, based on the RPC mechanism, for querying the operation permission of the first network device for each resource.
In the related art, the first network device sends the second network device an RPC instruction to perform a target operation on a target resource, and whether the first network device has the target operation permission for the target resource is determined indirectly from the response message that the second network device returns for that RPC instruction. For example, the first network device sends the second network device an RPC instruction to read a target resource. If the response message returned by the second network device is an error message (reply-error) indicating that the read cannot be performed, it can be determined that the first network device does not have read permission for the target resource; correspondingly, if the response message returned by the second network device contains the target resource, it can be determined that the first network device has read permission for the target resource.
However, the related-art method can only determine the operation permission of the first network device for each resource indirectly, from the response message returned by the second network device; it is therefore neither direct enough nor efficient in querying.
Disclosure of Invention
Embodiments of the application provide a method, an apparatus, a device and a computer-readable storage medium for querying operation permissions, which solve the problems of the related art described above. The technical solution is as follows:
In a first aspect, a method for querying operation permissions is provided. Taking the second network device as the executor: the second network device receives a first RPC instruction sent by a first network device, where the first RPC instruction includes a first identifier of a first resource and indicates a query of the operation permission for the first resource. The second network device then parses the first RPC instruction to obtain the first identifier and obtains, according to the first identifier, a value of a first operation permission, which indicates whether the first network device has the first operation permission for the first resource. The second network device then encapsulates, according to the value of the first operation permission, the operation-permission query result of the first resource to obtain a first response message, and sends the first response message to the first network device.
By defining an RPC instruction for querying operation permissions, the second network device can obtain the value of the first operation permission according to the first identifier of the first resource carried in the RPC instruction; since that value indicates whether the first network device has the first operation permission for the first resource, the second network device can feed back to the first network device a first response message in which the operation-permission query result of the first resource is encapsulated according to that value. The first network device thus obtains the operation-permission query result of the first resource directly, which gives a more intuitive way of querying operation permissions and improves query efficiency.
In a possible implementation, the first RPC instruction further includes a second identifier, which indicates whether the value of the first operation permission is to be encapsulated when the first network device does not have the first operation permission. In this case, encapsulating, by the second network device and according to the value of the first operation permission, the operation-permission query result of the first resource to obtain the first response message includes: when the value of the first operation permission is a non-target value, or when the value is the target value and the second identifier indicates that the value is to be encapsulated even without the first operation permission, the second network device encapsulates the operation-permission query result of the first resource according to the second identifier to obtain the first response message, where the query result includes the value of the first operation permission; the target value indicates that the first network device does not have the first operation permission for the first resource, and a non-target value indicates that it does.
That is, the value of the first operation permission is encapsulated even when the first network device does not have the first operation permission for the first resource. The query result in the first response message therefore carries both values indicating that the first operation permission is held and values indicating that it is not, which makes the result more intuitive.
In a possible implementation, the first RPC instruction further includes a second identifier, which indicates whether the value of the first operation permission is to be encapsulated when the first network device does not have the first operation permission. In this case, encapsulating, by the second network device and according to the value of the first operation permission, the operation-permission query result of the first resource to obtain the first response message includes: when the value of the first operation permission is the target value and the second identifier indicates that the value is not to be encapsulated without the first operation permission, the second network device encapsulates the operation-permission query result of the first resource according to the indication of the second identifier to obtain the first response message, where the query result does not include the value of the first operation permission.
That is, when the first network device does not have the first operation permission for the first resource, the value of the first operation permission is not encapsulated. The query result in the first response message then carries only values indicating that the first operation permission is held, which avoids wasting transmission resources.
In a possible implementation, after sending the first response message to the first network device, the method further includes: the second network device receives a second RPC instruction sent by the first network device, where the second RPC instruction includes a third identifier of a second resource; the second network device parses the second RPC instruction to obtain the third identifier; the second network device determines at least one target network device from among the network devices that have established a session with it; the second network device obtains, according to the third identifier, the value of a second operation permission for each target network device, where the value for any target network device indicates whether that device has the second operation permission for the second resource; upon detecting that the value of the second operation permission for any target network device has been updated, the second network device obtains the updated value; and the second network device encapsulates the updated value into a notification message and sends the notification message to that target network device.
When an update of the value of the second operation permission for a target network device is detected, the target network device is informed of the update in time through the notification message, and system security is ensured.
In a possible implementation, the second RPC instruction further includes a user identifier, and determining, by the second network device, at least one target network device from among the network devices that have established a session with it includes: the second network device takes, from among those first network devices, the network device indicated by the user identifier as the target network device.
In a possible implementation, the first resource is a Yet Another Next Generation (YANG) file and the first identifier is a file name;
obtaining, by the second network device, the value of the first operation permission according to the first identifier includes: the second network device determines, according to the file name, at least one sub-resource included in the YANG file and obtains a value of a third operation permission for each sub-resource, where the value for any sub-resource indicates the operation permission of the first network device for that sub-resource, each sub-resource has a corresponding sub-identifier, and the at least one sub-resource includes at least one of a data node, a protocol operation and a notification;
encapsulating, by the second network device and according to the value of the first operation permission, the operation-permission query result of the first resource to obtain a first response message includes: the second network device encapsulates the operation-permission query result of the YANG file to obtain the first response message, where the query result of the YANG file includes the value of the third operation permission and the sub-identifier of each sub-resource, the sub-identifiers corresponding one-to-one to the values of the third operation permissions of the sub-resources.
In a possible implementation, the first resource is a data node and the first identifier is a node path;
obtaining, by the second network device, the value of the first operation permission according to the first identifier includes: the second network device determines, according to the node path, that the data node includes at least one sub-node, and obtains a value of a fourth operation permission and a value of a fifth operation permission for each sub-node, where the value of the fourth operation permission indicates the operation permission of the first network device for the data node, the value of the fifth operation permission for any sub-node indicates the operation permission of the first network device for that sub-node, and each sub-node has a corresponding sub-path;
encapsulating, by the second network device and according to the value of the first operation permission, the operation-permission query result of the first resource to obtain a first response message includes: the second network device encapsulates the operation-permission query result of the data node to obtain the first response message, where the query result of the data node includes the node path, each sub-path, the value of the fourth operation permission and the value of the fifth operation permission for each sub-node; the node path corresponds to the value of the fourth operation permission, and the sub-paths correspond one-to-one to the values of the fifth operation permissions of the sub-nodes.
In a possible implementation, the first resource is a protocol operation and the first identifier is an operation path;
encapsulating, by the second network device and according to the value of the first operation permission, the operation-permission query result of the first resource to obtain a first response message includes: the second network device encapsulates the operation-permission query result of the protocol operation to obtain the first response message, where the query result of the protocol operation includes the value of the first operation permission, which indicates whether the first network device has execution permission for the protocol operation.
In a possible implementation, the first resource is a notification and the first identifier is a notification path;
encapsulating, by the second network device and according to the value of the first operation permission, the operation-permission query result of the first resource to obtain a first response message includes: the second network device encapsulates the operation-permission query result of the notification to obtain the first response message, where the query result of the notification includes the value of the first operation permission, which indicates whether the first network device has read permission for the notification.
In a second aspect, a method for querying operation permissions is provided, including: a first network device obtains a first identifier of a first resource whose operation permission is to be queried, and encapsulates the first identifier to obtain a first Remote Procedure Call (RPC) instruction, which indicates a query of the operation permission for the first resource; the first network device sends the first RPC instruction to a second network device; the first network device receives a first response message sent by the second network device according to the first RPC instruction, where the first response message includes the operation-permission query result of the first resource and is obtained by the second network device by encapsulating that query result according to a value of a first operation permission, the value indicating whether the first network device has the first operation permission for the first resource; and the first network device parses the first response message to obtain the operation-permission query result of the first resource.
In a possible implementation, encapsulating the first identifier of the first resource to obtain the first RPC instruction includes: the first network device obtains a second identifier, which indicates whether the value of the first operation permission is to be encapsulated when the first network device does not have the first operation permission; and the first network device encapsulates the first identifier and the second identifier to obtain the first RPC instruction.
In a possible implementation, parsing, by the first network device, the first response message to obtain the operation-permission query result of the first resource includes: the first network device parses the first response message, and the operation-permission query result of the first resource obtained includes the value of the first operation permission; the first response message is one that the second network device obtained by encapsulating the query result of the first resource according to the second identifier when the value of the first operation permission is a non-target value, or when the value is the target value and the second identifier indicates that the value is to be encapsulated even without the first operation permission; the target value indicates that the first network device does not have the first operation permission for the first resource, and a non-target value indicates that it does.
In a possible implementation, parsing, by the first network device, the first response message to obtain the operation-permission query result of the first resource includes: the first network device parses the first response message, and the operation-permission query result of the first resource obtained does not include the value of the first operation permission; the first response message is one that the second network device obtained by encapsulating the query result of the first resource according to the indication of the second identifier when the value of the first operation permission is the target value and the second identifier indicates that the value is not to be encapsulated without the first operation permission; the target value indicates that the first network device does not have the first operation permission for the first resource.
In a possible implementation, after the first network device parses the first response message to obtain the operation-permission query result of the first resource, the method further includes: the first network device obtains a third identifier of a second resource whose operation-permission updates are to be detected; the third identifier is used by the second network device to obtain the value of a second operation permission for each target network device, where the value for any target network device indicates whether that device has the second operation permission for the second resource, so that upon detecting that the value of the second operation permission for any target network device has been updated, the second network device obtains the updated value, encapsulates it into a notification message and sends the notification message to that target network device; and the first network device encapsulates the third identifier to obtain a second RPC instruction and sends the second RPC instruction to the second network device.
In a possible implementation, encapsulating, by the first network device, the third identifier to obtain the second RPC instruction includes: the first network device obtains a user identifier, which is used by the second network device to take the network device indicated by the user identifier as the target network device; and the first network device encapsulates the third identifier and the user identifier to obtain the second RPC instruction.
In a possible implementation, the first resource is a Yet Another Next Generation (YANG) file, the first identifier is a file name, the file name is used by the second network device to determine at least one sub-resource included in the YANG file, the at least one sub-resource includes at least one of a data node, a protocol operation and a notification, each sub-resource has a corresponding sub-identifier, and parsing, by the first network device, the first response message to obtain the operation-permission query result of the first resource includes: the first network device parses the first response message to obtain the operation-permission query result of the YANG file, where the query result of the YANG file includes the value of a third operation permission and the sub-identifier of each sub-resource, the sub-identifiers corresponding one-to-one to the values of the third operation permissions of the sub-resources.
In a possible implementation, the first resource is a data node, the first identifier is a node path, and parsing, by the first network device, the first response message to obtain the operation-permission query result of the first resource includes: the first network device parses the first response message to obtain the operation-permission query result of the data node, where the query result of the data node includes the node path, each sub-path, the value of a fourth operation permission and the value of a fifth operation permission for each sub-node; the node path corresponds to the value of the fourth operation permission, and the sub-paths correspond one-to-one to the values of the fifth operation permissions of the sub-nodes.
In a possible implementation, the first resource is a protocol operation, the first identifier is an operation path, and parsing, by the first network device, the first response message to obtain the operation-permission query result of the first resource includes: the first network device parses the first response message to obtain the operation-permission query result of the protocol operation, where the query result of the protocol operation includes the value of the first operation permission, which indicates whether the first network device has execution permission for the protocol operation.
In a possible implementation, the first resource is a notification, the first identifier is a notification path, and parsing, by the first network device, the first response message to obtain the operation-permission query result of the first resource includes: the first network device parses the first response message to obtain the operation-permission query result of the notification, where the query result of the notification includes the value of the first operation permission, which indicates whether the first network device has read permission for the notification.
In a third aspect, an apparatus for querying operation authority is provided, the apparatus comprising:
the Remote Procedure Call (RPC) system comprises a receiving module, a first Remote Procedure Call (RPC) module and a second Remote Procedure Call (RPC) module, wherein the second network equipment receives a first RPC instruction sent by first network equipment, the first RPC instruction comprises a first identifier of a first resource, and the first RPC instruction is used for indicating an operation authority for inquiring the first resource;
the analysis module is used for analyzing the first RPC instruction by the second network equipment to obtain a first identifier;
the acquisition module is used for the second network equipment to acquire a value of the first operation authority according to the first identifier, wherein the value of the first operation authority is used for indicating whether the first network equipment has the first operation authority on the first resource;
and the sending module is used for the second network equipment to package the operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message and send the first response message to the first network equipment.
In a possible implementation manner, the first RPC instruction further includes a second identifier, the second identifier is used to indicate whether to encapsulate the value of the first operation right without the first operation right, the sending module is used to determine that the value of the first operation right is a non-target value based on that the value of the first operation right is a non-target value, or the value of the first operation authority is a target value and the second identifier indicates that the value of the first operation authority is packaged under the condition that the second identifier does not have the first operation authority, the second network device obtains a first response message according to the operation authority query result of the first resource packaged by the second identifier, the operation authority query result of the first resource comprises the value of the first operation authority, the value of the first operation right is a target value used for indicating that the first network device does not have the first operation right for the first resource, and the value of the first operation right is a non-target value used for indicating that the first network device has the first operation right for the first resource.
In a possible implementation manner, the first RPC instruction further includes a second identifier, where the second identifier is used to indicate whether to encapsulate a value of the first operation permission without the first operation permission, and the sending module is configured to, based on that the value of the first operation permission is a target value and the second identifier indicates that the value of the first operation permission is not encapsulated without the first operation permission, package, by the second network device, the operation permission query result of the first resource according to the indication of the second identifier to obtain a first response message, and the operation permission query result of the first resource does not include the value of the first operation permission.
In a possible implementation manner, the receiving module is further configured to receive, by the second network device, a second RPC instruction sent by the first network device, where the second RPC instruction includes a third identifier of the second resource; the second network equipment analyzes the second RPC instruction to obtain a third identifier; the second network equipment determines at least one target network equipment based on each network equipment which establishes a session with the second network equipment; the second network equipment acquires the value of the second operation authority corresponding to each target network equipment according to the third identifier, wherein the value of the second operation authority corresponding to any target network equipment is used for indicating whether any target network equipment has the second operation authority on the second resource; the second network equipment acquires the updated value of the second operation authority based on the detection of the update of the second operation authority corresponding to any target network equipment; and the second network equipment encapsulates the updated value of the second operation authority to obtain a notification message and sends the notification message to any target network equipment.
In a possible implementation manner, the second RPC instruction further includes a user identifier, and the receiving module is configured so that the second network device uses, from among the network devices that have established a session with it, the network device indicated by the user identifier as the target network device.
In one possible implementation, the first resource is a YANG (Yet Another Next Generation) file, and the first identifier is a file name;
the acquisition module is used for the second network device to determine, according to the file name, at least one sub-resource included in the YANG file and to acquire a value of a third operation authority corresponding to each sub-resource, where the value of the third operation authority corresponding to any sub-resource is used to indicate the operation authority of the first network device on that sub-resource, each sub-resource has a corresponding sub-identifier, and the at least one sub-resource includes at least one of a data node, a protocol operation and a notification;
and the sending module is used for the second network device to encapsulate the operation authority query result of the YANG file to obtain a first response message, where the operation authority query result of the YANG file comprises the values of the third operation authorities corresponding to the sub-resources and the sub-identifiers, and the sub-identifiers correspond one to one to the values of the third operation authorities corresponding to the sub-resources.
In one possible implementation, the first resource is a data node, and the first identifier is a node path;
the acquisition module is used for the second network device to determine, according to the node path, at least one child node included in the data node, and to acquire a value of a fourth operation authority and a value of a fifth operation authority corresponding to each child node, where the value of the fourth operation authority is used to indicate the operation authority of the first network device on the data node, the value of the fifth operation authority corresponding to any child node is used to indicate the operation authority of the first network device on that child node, and each child node has a corresponding child path;
and the sending module is used for the second network device to encapsulate the operation authority query result of the data node to obtain a first response message, where the operation authority query result of the data node comprises the node path, each child path, the value of the fourth operation authority and the value of the fifth operation authority corresponding to each child node, the node path corresponds to the value of the fourth operation authority, and the child paths correspond one to one to the values of the fifth operation authorities corresponding to the child nodes.
In one possible implementation, the first resource is a protocol operation, and the first identifier is an operation path;
and the sending module is used for the second network device to encapsulate the operation authority query result of the protocol operation to obtain a first response message, where the operation authority query result of the protocol operation comprises the value of the first operation authority, and the value of the first operation authority is used to indicate whether the first network device has execution authority for the protocol operation.
In one possible implementation, the first resource is a notification, and the first identifier is a notification path;
and the sending module is used for the second network device to encapsulate the operation authority query result of the notification to obtain a first response message, where the operation authority query result of the notification comprises the value of the first operation authority, and the value of the first operation authority is used to indicate whether the first network device has read authority for the notification.
In a fourth aspect, there is provided an apparatus for querying operation authority, the apparatus comprising:
an acquisition module, used for a first network device to acquire a first identifier of a first resource whose operation authority is to be queried, and to encapsulate the first identifier to obtain a first Remote Procedure Call (RPC) instruction;
a sending module, used for the first network device to send the first RPC instruction to a second network device;
a receiving module, configured so that the first network device receives a first response message sent by the second network device according to the first RPC instruction, where the first response message includes an operation permission query result of the first resource, the first response message is obtained by the second network device encapsulating the operation permission query result of the first resource according to a value of a first operation permission, and the value of the first operation permission is used to indicate whether the first network device has the first operation permission for the first resource;
and a parsing module, used for the first network device to parse the first response message to obtain the operation authority query result of the first resource.
In a possible implementation manner, the obtaining module is configured so that the first network device obtains a second identifier, where the second identifier is used to indicate whether the value of the first operation permission is to be encapsulated when the first network device does not have the first operation permission; and the first network device encapsulates the first identifier and the second identifier to obtain the first RPC instruction.
In a possible implementation manner, the parsing module is configured so that the first network device parses the first response message, and the obtained operation permission query result of the first resource includes the value of the first operation permission. Here the first response message is obtained by the second network device encapsulating, according to the second identifier, the operation permission query result of the first resource, based on either the value of the first operation permission being a non-target value, or the value of the first operation permission being the target value and the second identifier indicating that the value is encapsulated even when the first network device does not have the first operation permission. The target value indicates that the first network device does not have the first operation permission for the first resource, and a non-target value indicates that the first network device has the first operation permission for the first resource.
In a possible implementation manner, the parsing module is configured so that the first network device parses the first response message, and the obtained operation permission query result of the first resource does not include the value of the first operation permission. Here the first response message is obtained by the second network device encapsulating, according to the indication of the second identifier, the operation permission query result of the first resource, based on the value of the first operation permission being the target value and the second identifier indicating that the value is not encapsulated when the first network device does not have the first operation permission; the target value indicates that the first network device does not have the first operation permission for the first resource.
In a possible implementation manner, the obtaining module is further configured so that the first network device obtains a third identifier of a second resource whose operation permission is to be updated, where the third identifier is used by the second network device to obtain the value of a second operation permission corresponding to each target network device, the value of the second operation permission corresponding to any target network device indicating whether that target network device has the second operation permission for the second resource, to obtain the updated value of the second operation permission based on detecting an update of the value of the second operation permission corresponding to any target network device, to encapsulate the updated value of the second operation permission to obtain a notification message, and to send the notification message to that target network device;
and the sending module is further used for the first network device to encapsulate the third identifier to obtain a second RPC instruction, and to send the second RPC instruction to the second network device.
In a possible implementation manner, the sending module is configured so that the first network device obtains a user identifier, where the user identifier is used by the second network device to use the network device indicated by the user identifier as the target network device; and the first network device encapsulates the third identifier and the user identifier to obtain the second RPC instruction.
In a possible implementation manner, the first resource is a YANG (Yet Another Next Generation) file, the first identifier is a file name, the file name is used by the second network device to determine at least one sub-resource included in the YANG file, the at least one sub-resource includes at least one of a data node, a protocol operation, and a notification, each sub-resource has a corresponding sub-identifier, and the parsing module is used by the first network device to parse the first response message to obtain the operation authority query result of the YANG file, where the operation authority query result of the YANG file includes the value of a third operation authority corresponding to each sub-resource and the sub-identifier, and the sub-identifiers correspond one to one to the values of the third operation authorities corresponding to the sub-resources.
In a possible implementation manner, the first resource is a data node, the first identifier is a node path, the node path is used by the second network device to determine at least one child node included in the data node, any child node has a corresponding child path, and the parsing module is used by the first network device to parse the first response message to obtain an operation permission query result of the data node, the operation permission query result of the data node includes the node path, each child path, a value of the fourth operation permission, and a value of the fifth operation permission corresponding to each child node, the node path corresponds to the value of the fourth operation permission, and the child paths correspond to the values of the fifth operation permission corresponding to the child nodes one to one.
In a possible implementation manner, the first resource is a protocol operation, the first identifier is an operation path, and the parsing module is configured to parse, by the first network device, the first response message to obtain an operation permission query result of the protocol operation, where the operation permission query result of the protocol operation includes a value of the first operation permission, and the value of the first operation permission is used to indicate whether the first network device has an execution permission for the protocol operation.
In a possible implementation manner, the first resource is a notification, the first identifier is a notification path, and the parsing module is configured to parse, by the first network device, the first response message to obtain an operation permission query result of the notification, where the operation permission query result of the notification includes a value of the first operation permission, and the value of the first operation permission is used to indicate whether the first network device has a read permission for the notification.
In a fifth aspect, a device for querying operation authority is provided, the device including a memory and a processor; the memory has stored therein at least one instruction that is loaded and executed by the processor to implement the method of the first aspect or any of its possible embodiments.
In a sixth aspect, an apparatus for querying operation authority is provided, the apparatus including a memory and a processor; the memory has stored therein at least one instruction that is loaded and executed by the processor to implement the method of the second aspect or any of its possible embodiments.
In a seventh aspect, another communication apparatus is provided, the apparatus comprising: a transceiver, a memory, and a processor. The transceiver, the memory and the processor communicate with each other via an internal connection path; the memory is configured to store instructions, and the processor is configured to execute the instructions stored by the memory to control the transceiver to receive signals and to transmit signals, such that when the processor executes the instructions stored by the memory, the processor performs the method of the first aspect or any of the possible embodiments of the first aspect.
In an eighth aspect, there is provided another communication apparatus, including: a transceiver, a memory, and a processor. The transceiver, the memory and the processor communicate with each other via an internal connection path; the memory is configured to store instructions, and the processor is configured to execute the instructions stored by the memory to control the transceiver to receive signals and to transmit signals, such that when the processor executes the instructions stored by the memory, the processor performs the method of the second aspect or any of the possible embodiments of the second aspect.
Optionally, there are one or more processors and one or more memories.
Alternatively, the memory may be integrated with the processor, or provided separately from the processor.
In a specific implementation process, the memory may be a non-transient memory, such as a Read Only Memory (ROM), which may be integrated on the same chip as the processor, or may be separately disposed on different chips.
In a ninth aspect, a system for querying operation authority is provided, the system comprising a first network device and a second network device, where the first network device and the second network device are communicatively connected; the second network device is adapted to perform the method of the first aspect or any of the possible implementations of the first aspect, and the first network device is adapted to perform the method of the second aspect or any of the possible implementations of the second aspect.
In a tenth aspect, there is provided a computer program (product) comprising: computer program code which, when run by a computer, causes the computer to perform the method of the above-mentioned aspects.
In an eleventh aspect, there is provided a readable storage medium storing a program or instructions, the method of the above aspects being performed when the program or instructions are run on a computer.
In a twelfth aspect, a chip is provided, which includes a processor for calling up and executing instructions stored in a memory from the memory, so that a communication device in which the chip is installed executes the method in the above aspects.
In a thirteenth aspect, another chip is provided, including: an input interface, an output interface, a processor and a memory, where the input interface, the output interface, the processor and the memory are connected through an internal connection path, the processor is used to execute code in the memory, and when the code is executed, the processor performs the method in each of the above aspects.
Drawings
Fig. 1 is a schematic diagram of a network architecture according to an embodiment of the present application;
Fig. 2 is a layered structure diagram of the NETCONF protocol provided in an embodiment of the present application;
Fig. 3 is a flowchart of a method for querying operation permissions according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a process for defining protocol operations according to an embodiment of the present application;
Fig. 5 is a schematic flowchart of an authentication process provided in an embodiment of the present application;
Fig. 6 is a diagram illustrating the structure of an RPC instruction according to an embodiment of the present application;
Fig. 7 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 8 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 9 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 10 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 11 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 12 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 13 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 14 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 15 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 16 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 17 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 18 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 19 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 20 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 21 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 22 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 23 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 24 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 25 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 26 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 27 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 28 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 29 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 30 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 31 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 32 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 33 is a schematic diagram of a process provided in an embodiment of the present application;
Fig. 34 is a schematic structural diagram of an apparatus for querying operation permission according to an embodiment of the present application;
Fig. 35 is a schematic structural diagram of an apparatus for querying operation permission according to an embodiment of the present application;
Fig. 36 is a schematic structural diagram of a device for querying operation permissions provided in an embodiment of the present application.
Detailed Description
The terminology used in the description of the embodiments section of the present application is for the purpose of describing particular embodiments of the present application only and is not intended to be limiting of the present application.
The embodiment of the application provides a method for querying operation authority, which is applied to the network architecture shown in fig. 1. Fig. 1 includes a first network device and a second network device, and the first network device and the second network device are communicatively connected. A virtual machine (VM) or a Linux operating system runs on the first network device, and a management system (also called a network manager) deployed in software form on the VM or Linux acts as the client (NETCONF client) of the NETCONF protocol. Illustratively, the management system is an Enterprise Management System (EMS) or a Network Management System (NMS), such as the U2000, M2000, eSight and DT management systems. The second network device is configured to act as the server (NETCONF server) of the NETCONF protocol. Second network devices include, but are not limited to, servers, routers, and switches.
In this embodiment, the first network device is configured to send to the second network device an RPC instruction indicating a query of the operation permission of a resource, where the RPC instruction includes an identifier of the resource, so as to obtain, from the response message returned by the second network device based on the RPC instruction, the operation permission query result of the first network device for the resource. In addition, the first network device is further configured to send to the second network device an RPC instruction instructing it to detect an update of the operation permission of the resource, so that when the operation permission of the first network device for the resource is updated, the first network device receives a notification sent by the second network device and obtains the updated operation permission from that notification.
The second network device includes a network interface, a memory, and a processor. The network interface is used for the communication connection with the first network device, and the memory is used for storing the operation authority of each resource. After receiving, through the network interface, an RPC instruction sent by the first network device that indicates a query of the operation authority of a resource, the processor obtains the value of the operation authority of the first network device on the resource according to the identifier of the resource in the RPC instruction, and returns a response message to the first network device through the network interface, where the response message carries the operation authority query result of the resource. The processor is further configured to, after receiving through the network interface an RPC instruction sent by the first network device that instructs it to detect an update of the operation permission of a resource, obtain the updated operation permission based on detecting an update of the operation permission of the first network device on the resource, and return to the first network device, through the network interface, a notification carrying the updated operation permission.
In addition, for convenience of description of the method provided in the embodiments of the present application, first, the communication terms referred to in the embodiments are described as follows.
NETCONF protocol: a network configuration and management protocol based on Extensible Markup Language (XML), which realizes communication between a first network device and a second network device using an RPC mechanism. During communication, the data and messages exchanged between the first network device and the second network device are in XML format. The data includes configuration data and state data; the messages include hello messages, RPC messages and notification messages, where RPC messages are the RPC instructions and the response messages. Referring to fig. 2, the NETCONF protocol employs a layered structure including a transport protocol layer, an RPC layer, a protocol operations layer, and a content layer. The layers are described as follows:
Transport protocol layer: provides a communication path for communication between the first network device and the second network device. The NETCONF protocol can be carried over any transport layer protocol that meets its basic requirements. Illustratively, the transport layer protocol is the Secure Shell (SSH) protocol.
RPC layer: provides the RPC mechanism described above.
Protocol operations layer: defines the operations used in the RPC mechanism, also referred to as RPC operations. Examples of protocol operations are get-config (obtain configuration) and edit-config (edit configuration).
Content layer: describes the configuration data involved in network management.
YANG (Yet Another Next Generation) model: a data modeling language applied to the protocol operations layer and the content layer of the NETCONF protocol. The YANG model defines a hierarchical structure of data for describing the data and messages exchanged between the first network device and the second network device. Where the first network device or the second network device internally describes data and messages in a format other than XML, the YANG model can convert that format into XML to facilitate the interaction between the first network device and the second network device.
Capabilities: indicate the protocol operations that the first network device and the second network device are able to perform; each capability is identified by a Uniform Resource Identifier (URI). During communication, the first network device and the second network device first establish a session. Then the first network device and the second network device exchange their respectively supported capabilities and NETCONF protocol versions through hello messages. Therefore, an RPC instruction sent by the first network device to the second network device is only used to instruct the second network device to perform a protocol operation that the second network device is able to perform, that is, only a protocol operation indicated by a capability.
The NETCONF protocol defines a base capability, base:1.0, which is the set of capabilities that the first and second network devices must support, and a set of standard capabilities, which the first and second network devices can choose to support. In addition, the first network device and the second network device can define new capabilities themselves, so that new protocol operations are defined based on the new capabilities.
Based on the network architecture shown in fig. 1, an embodiment of the present application provides a method for querying operation permissions, referring to fig. 3, the method includes the following steps 301-308.
301, the first network device obtains a first identifier of a first resource of an operation permission to be queried, and packages the first identifier to obtain a first RPC instruction, where the first RPC instruction is used to indicate the operation permission to query the first resource.
Wherein the first resource is a resource defined according to the YANG model, and the first identifier of the first resource is used for uniquely indicating the first resource. Illustratively, the first resource and the first identifier include, but are not limited to, the following four cases:
Case one: the first resource is a YANG file. The basic unit of the YANG model is a YANG file (module), and in this embodiment the YANG file defined by the YANG model is referred to simply as the YANG file. Accordingly, the first identifier is a file name, i.e., a module-name. Illustratively, the YANG file includes statements such as description and version that describe the YANG file itself, and at least one of a data node, a protocol operation and a notification.
Case two: the first resource is a data node and the first identifier is a data-node-path (data-node-path). Since the NETCONF protocol is an XML-based protocol, the node path of the data node is an XML path language (XPath).
Case three: the first resource is a protocol operation, and the first identifier is an operation path. Wherein the protocol operation has an operation name (rpc-name). Since the protocol operation is located in the YANG file, the operation path of the protocol operation can be obtained based on the operation name of the protocol operation and the file name of the YANG file where the protocol operation is located, and the operation path is XPath.
Case four: the first resource is a notification, and the first identifier is a notification path. Wherein, the notification has a notification name (notification-name), and the notification path is an XPath containing the notification name and the file name of the YANG file where the notification is located.
In this embodiment, a new capability is defined in the second network device. Illustratively, the URI to which the new capability corresponds is represented as follows:
<capability>http://www.huawei.com/netconf/capability/netconf-resource:1.0</capability>
based on the new capability, the present embodiment further defines a new protocol operation according to fig. 4, which is used as the first RPC instruction sent by the first network device. The new protocol operation includes an input parameter and an output parameter. Based on the new protocol operation, the second network device can return output parameters according to the input parameters provided by the first network device. Therefore, the present embodiment uses the first identifier as an input parameter and uses the value of the first operation authority as an output parameter. Wherein the value of the first operation right is used for indicating whether the first network equipment has the first operation right on the first resource.
In fig. 4, the input parameters include a choice node, which is the node type (node-type) shown in fig. 4. As can be seen from fig. 4, the choice node has two options, module-name and node-path. That is, the first network device can query the first operation right by providing either a file name or an XPath. The option module-name corresponds to the file name in case one, and the option node-path corresponds to the node path in case two, the operation path in case three, and the notification path in case four.
The output parameters include three container nodes: data, rpc and notification. The access-operations in each container node are the operation rights. The NETCONF protocol provides an authentication mechanism, namely the NETCONF Access Control Model (NACM). According to the definition of NACM, the values of the first operation right include, but are not limited to: create to indicate creation rights, delete to indicate deletion rights, read to indicate read rights, update to indicate update rights, and exec to indicate execution rights. In addition, none indicates that there is no operation authority. From the container nodes in the output parameters, the operation authority returned by the second network device to the first network device comprises at least one of the operation authority of the first network device on the data node, on the protocol operation, and on the notification.
In addition, as can be seen from fig. 4, the input parameter further includes a second identifier (without-none), which will be described later, and will not be described herein again.
302, a first network device sends a first RPC instruction to a second network device.
After the first network device packages the first RPC instruction, the first RPC instruction can be sent to the second network device through the session between the first network device and the second network device.
303, the second network device receives a first RPC instruction sent by the first network device, where the first RPC instruction includes a first identifier of the first resource, and the first RPC instruction is used to indicate an operation permission to query the first resource.
Since the first network device sends the first RPC instruction through the session, the second network device can receive the first RPC instruction sent by the first network device through the session.
304, the second network device parses the first RPC instruction to obtain the first identifier.
After the second network device parses the first RPC instruction, the first identifier carried in the first RPC instruction is obtained, and the second network device can determine, according to the first identifier, the first resource whose operation authority is to be queried. Based on the new protocol operation defined in 301, the second network device further obtains the value of the first operation right of the first network device on the first resource, so as to encapsulate the operation right query result of the first resource according to the value of the first operation right and return the operation right query result to the first network device, which is described in detail in 305.
305, the second network device obtains a value of the first operation right according to the first identifier, where the value of the first operation right is used to indicate whether the first network device has the first operation right for the first resource.
As can be seen from the description in 301, the values of the first operation right include, but are not limited to, create, delete, read, update, exec, and none. Wherein, based on the value of the first operation right being at least one of create, delete, read, update and exec, the value of the first operation right indicates that the first network device has the first operation right for the first resource. And based on that the value of the first operation authority is none, indicating that the first network device does not have the first operation authority on the first resource. The manner in which the second network device acquires the value of the first operation authority is different when the first resource is different, and four cases will be described below.
The first acquisition mode corresponding to the first case: for the case that the first resource is a YANG file and the first identifier is a file name, the obtaining method comprises the following steps: determining at least one sub-resource included in the YANG file according to the file name, and acquiring a value of a third operation authority corresponding to each sub-resource, wherein the value of the third operation authority corresponding to any sub-resource is used for indicating the operation authority of the first network device on any sub-resource, and at least one sub-resource includes at least one of a data node, a protocol operation and a notification.
That is, in the case where the first resource is a YANG file, what the second network device acquires is not the operation authority of the first network device on the YANG file, but the operation authority of the first network device on each sub-resource included in the YANG file. It can be understood that, in the case that the YANG file includes any one of the sub-resources, the present embodiment does not limit the number of the sub-resources included in the YANG file. For example, where a YANG file includes protocol operations, one or more protocol operations can be included in the YANG file.
Wherein, the value of the third operation right corresponding to any data node comprises one or more of create, read, delete, update and exec. For example, the operation authority of the first network device on any data node is: and the first network equipment can read and delete the data node, and the values of the third operation authority of any data node are read and delete. Or, in a case that the first network device does not have any operation authority for any data node, the value of the third operation authority of any resource is none. In addition, the value of the third operation right corresponding to any protocol operation is exec or none, that is, the first network device can only have the execution right at most for any protocol operation, and does not have any right in creation, reading, deletion and updating. The value of the third operation right corresponding to any one notification is read or none, that is, the first network device can only have the read right at most for any one notification, and does not have any right in creation, deletion, updating and execution.
It should be noted that, because XML adopts a tree structure, the data nodes included in the YANG file can be divided into multiple layers, and a data node located at an upper layer can include data nodes located at a lower layer. For example, a top-level data node can comprise one or more first-level data nodes, a first-level data node can comprise one or more second-level data nodes, and so on. Therefore, in the case where the YANG file includes multiple layers of data nodes, the second network device acquires the operation authority of the first network device for each data node in a reference number of layers of data nodes. It can be understood that, in this embodiment, the value of the reference number is not limited, and the reference number may be set according to experience or actual needs. Illustratively, the reference number takes the value one, that is, the second network device obtains the operation authority of the first network device on each top-level data node in the YANG file.
In this embodiment, the second network device obtains the operation authority of the first network device for each sub-resource according to the definition in request for comments (RFC) 8341. For any one of the sub-resources, the obtaining steps can be seen in fig. 5. After determining that the first network device is enabled, it is determined whether the session between the first network device and the second network device is a recovery session, and if it is a recovery session, the operation is allowed to be performed. Thereafter, it is determined whether the first network device performs a close-session operation, and if so, the operation is allowed to be performed. In the case where the session is not closed, it is determined whether a user identifier (user-name) identical to the user identifier (user-name) of the first network device is included in any user group, where a user group is a group comprising one or more users. If a user identifier identical to the user identifier of the first network device is included in a user group, the first network device is a user of that user group. Therefore, each rule list is traversed, the rule list matching that user group is determined, and when a matching rule list is found, the corresponding rule is further obtained from the matched rule list, so that the operation authority of the first network device on the resource is obtained. Then, the value of the default rule exec-default is checked: if the value is permit, the operation is allowed to be executed, otherwise the operation is refused.
In addition, as can be seen from fig. 5, for three cases, that the user identifier of the first network device does not exist in the user group, the rule list matching the user identifier does not exist in the user group, and the matched rule does not exist in the rule list, the access control rule needs to be executed. And after the access control rule is executed, the matching mode of the authentication rule is checked, so that whether the operation is allowed to be executed or refused to be executed is determined according to whether the value is permit or not. The access control rules corresponding to different sub-resources are also different, and the second, third, and fourth obtaining manners are described respectively.
The second acquisition mode corresponding to the second case: for the case that the first resource is a data node and the first identifier is a node path, the obtaining method includes: and based on the fact that the data node comprises at least one sub-node according to the node path, obtaining a value of a fourth operation authority and a value of a fifth operation authority corresponding to each sub-node, wherein the value of the fourth operation authority is used for indicating the operation authority of the first network device on the data node, the value of the fifth operation authority corresponding to any sub-node is used for indicating the operation authority of the first network device on any sub-node, and any sub-node has a corresponding sub-path.
As can be seen from the description of the first obtaining method, any data node can include one or more child nodes located at a lower layer of the data node. And respectively acquiring the value of the fourth operation authority and the value of the fifth operation authority corresponding to each child node based on the fact that the data node comprises at least one child node according to the node path. Taking the data node as a first-level data node in the YANG file as an example, the child nodes can be two-level data nodes in the YANG file. Alternatively, the child nodes can also be two-layer data nodes, three-layer data nodes, and more layer data nodes in the YANG file.
It can be understood that, for the case that the data node corresponding to the node path does not include a child node, that is, for the case that the data node corresponding to the node path is the bottom layer data node in the YANG file, the second network device may directly acquire the value of the fourth operation permission.
In addition, in the case where the first resource is a data node, the access control rule includes, but is not limited to, the following four:
1. If the definition of a data node contains a default-deny-all statement, the data node supports neither read nor write operations. A write operation includes create operations and delete operations.
2. If the definition of a data node contains a default-deny-write statement, the data node does not support write operations.
3. If the first network device has the authority to execute the query operation, that is, the value of read-default is permit, the first network device has the read authority; otherwise, the first network device does not have the read authority.
4. If the first network device has the authority to execute the configuration operation, that is, the value of write-default is permit, the first network device has the write authority; otherwise, the first network device does not have the write authority.
The third acquisition mode corresponding to the third case: for the case that the first resource is a protocol operation and the first identifier is an operation path, the obtaining method includes: and determining the value of the first operation authority according to the operation path, wherein the value of the first operation authority is used for indicating whether the first network equipment has the execution authority on the protocol operation.
The first network device can only have an execution right at most for any protocol operation, that is, the value of the first operation right is exec or none. And indicating that the first network equipment has the execution authority for the protocol operation based on the fact that the value of the first operation authority is exec. And indicating that the first network equipment does not have the execution authority for the protocol operation based on the fact that the value of the first operation authority is none.
In the case where the first resource is a protocol operation, the access control rules include, but are not limited to, the following three:
1. If the protocol operation defined in the YANG file contains a default-deny-all statement, execution of the RPC request is refused.
2. If the protocol operation is <kill-session> or <delete-config>, execution of the RPC request is refused.
3. And the first network equipment has the execution authority of the protocol operation based on the first network equipment having the default execution authority of the protocol operation. And the first network equipment does not have the execution authority of the protocol operation based on the fact that the first network equipment does not have the default execution authority of the protocol operation.
Acquisition mode four corresponding to case four: for the situation that the first resource is a notification and the first identifier is a notification path, the obtaining method includes: and determining the value of the first operation authority according to the notification path, wherein the value of the first operation authority is used for indicating whether the first network equipment has the reading authority or not for the notification.
The value of the first operation right is read or none, the read indicates that the first network device has a read right for the notification, and the none indicates that the first network device does not have the read right for the notification. In the case where the first resource is a notification, the access control rules include, but are not limited to, the following two:
1. If the definition of the notification contains a nacm default-deny-all statement, the notification is not allowed to be read.
2. Based on the first network device having the authority to execute the query operation, the first network device has the notified read authority. And based on that the first network equipment does not have the authority of executing the inquiry operation, the first network equipment does not have the informed reading authority.
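The four acquisition modes above all reduce to the same decision procedure: recovery session, close-session, group membership, rule-list and rule matching, then the resource's own access control rules and the default rule. The following Python is an added example of that procedure (not the patent's or any vendor's code); rule matching is simplified to a path-prefix match, and the Rule, RuleList and Nacm structures, together with the sample rules, are constructed for this example.

```python
"""Simplified NACM-style decision procedure for one sub-resource (added example).

Returns the value of the operation authority as a set of permitted operations
(create/read/update/delete/exec) or {"none"}, as the text describes.
"""
from dataclasses import dataclass

READ_OPS = {"read"}
WRITE_OPS = {"create", "update", "delete"}
EXEC_OPS = {"exec"}


@dataclass
class Rule:
    kind: str               # "data", "rpc" or "notification"
    path: str               # resource path prefix the rule covers ("/" = everything)
    access_operations: set  # subset of create/read/update/delete/exec, or {"*"}
    action: str             # "permit" or "deny"


@dataclass
class RuleList:
    groups: set             # group names the list applies to ({"*"} = every group)
    rules: list


@dataclass
class Nacm:
    groups: dict            # group name -> set of user names
    rule_lists: list
    read_default: str = "permit"
    write_default: str = "deny"
    exec_default: str = "permit"


def _candidate_ops(kind):
    # data nodes can carry read and write rights, protocol operations only
    # exec, notifications only read (as stated for the third operation right)
    return {"data": READ_OPS | WRITE_OPS, "rpc": EXEC_OPS,
            "notification": READ_OPS}[kind]


def _default_permits(nacm, op):
    if op == "read":
        return nacm.read_default == "permit"
    if op == "exec":
        return nacm.exec_default == "permit"
    return nacm.write_default == "permit"


def _matching_rule(nacm, user, kind, path, op):
    """First rule of the first matching rule list whose type, path and
    access-operations cover the request, or None (group / rule-list / rule steps)."""
    user_groups = {g for g, members in nacm.groups.items() if user in members}
    if not user_groups:
        return None
    for rl in nacm.rule_lists:
        if "*" not in rl.groups and not (rl.groups & user_groups):
            continue
        for rule in rl.rules:
            if rule.kind != kind or not path.startswith(rule.path):
                continue
            if "*" in rule.access_operations or op in rule.access_operations:
                return rule
    return None


def _op_permitted(nacm, user, kind, path, op, extensions):
    rule = _matching_rule(nacm, user, kind, path, op)
    if rule is not None:
        return rule.action == "permit"
    # no matching rule: apply the resource's access control rules, then the default
    if "default-deny-all" in extensions:
        return False
    if kind == "data" and "default-deny-write" in extensions and op in WRITE_OPS:
        return False
    if kind == "rpc" and path.rsplit(":", 1)[-1] in ("kill-session", "delete-config"):
        return False
    return _default_permits(nacm, op)


def access_operations(nacm, user, kind, path, extensions=(), recovery_session=False):
    """Value of the operation authority of `user` on one sub-resource."""
    ops = _candidate_ops(kind)
    if recovery_session:                      # recovery session: everything allowed
        return set(ops)
    if kind == "rpc" and path.rsplit(":", 1)[-1] == "close-session":
        return {"exec"}                       # close-session is always allowed
    permitted = {op for op in ops
                 if _op_permitted(nacm, user, kind, path, op, extensions)}
    return permitted or {"none"}


def query_module(nacm, user, sub_resources, recovery_session=False):
    """First acquisition mode: sub_resources lists (kind, path, extensions) for
    the top-level sub-resources of one YANG file; returns path -> value."""
    return {path: access_operations(nacm, user, kind, path, ext, recovery_session)
            for kind, path, ext in sub_resources}
```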
And 306, the second network device packages the operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message, and sends the first response message to the first network device.
A first packaging method corresponding to the first case: since the first operation right refers to an operation right of the first network device to each sub-resource in the YANG file when the first resource is the YANG file, the packaging method includes: and packaging the operation authority query result of the YANG file to obtain a first response message, wherein the operation authority query result of the YANG file comprises the values of the third operation authorities corresponding to the sub-resources and the sub-identifiers, and the sub-identifiers correspond to the values of the third operation authorities corresponding to the sub-resources one to one.
Wherein any one of the sub-resources has a corresponding sub-identifier. The sub-identifier corresponding to the data node is a node path, the sub-identifier corresponding to the protocol operation is an operation path, and the sub-identifier corresponding to the notification is a notification path. By making the sub-identifiers and the values of the third operation permissions corresponding to the sub-resources in one-to-one correspondence, it is convenient to indicate that any one of the values of the third operation permissions displayed in the first response message indicates which sub-resource the first network device has the operation permission for, thereby avoiding the mutual confusion of the values of the different third operation permissions.
Illustratively, in the case where the child resource is a protocol operation, in addition to the operation path corresponding to the value of the third operation authority, the operation name of the protocol operation can be also corresponding to the value of the third operation authority. The corresponding manner can also indicate that the value of any third operation right displayed in the first response message indicates the operation right of the first network device to which sub-resource. Accordingly, in the case where the child resource is the notification, in addition to the notification path corresponding to the value of the third operation authority, the notification name of the notification can be also corresponding to the value of the third operation authority.
Example one of the first packaging method: referring to fig. 6, fig. 6 shows the situation where the YANG file ietf-interfaces includes two top-level data nodes, interfaces and interfaces-state, but contains no protocol operations or notifications. The first network device sends the first RPC instruction shown in fig. 7 to the second network device, where the first RPC instruction includes the file name ietf-interfaces. Correspondingly, the second network device sends the first response message shown in fig. 8 to the first network device, where the first response message includes the node path of the top-level data node interfaces and the values create, read, update and delete of the third operation permission corresponding to interfaces, so as to indicate that the first network device has the four permissions of creating, reading, updating and deleting on the top-level data node interfaces. The first response message further includes the node path of the top-level data node interfaces-state and the value read of the third operation permission corresponding to interfaces-state, so as to indicate that the first network device has the read permission on the top-level data node interfaces-state.
Example two of the first packaging method: referring to fig. 9, fig. 9 shows a situation where the YANG file ietf-netconf-monitoring includes a top-level data node netconf-state and a protocol operation get-schema, but contains no notification. The first network device sends the first RPC instruction shown in fig. 10 to the second network device, where the first RPC instruction includes the file name ietf-netconf-monitoring. Accordingly, the second network device returns the first response message shown in fig. 11 to the first network device. The first response message includes the node path of the top-level data node netconf-state and the value read of the third operation permission corresponding to netconf-state, which means that the first network device has the read permission on the top-level data node netconf-state. The first response message further includes the operation name get-schema of the protocol operation and the value exec of the third operation right corresponding to get-schema, so as to indicate that the first network device has the execution right on the protocol operation get-schema.
Example three of the first packaging method: referring to fig. 12, fig. 12 shows a case where the YANG file ietf-netconf-notification includes five notifications netconf-config-change, netconf-capability-change, netconf-session-start, netconf-session-end, and netconf-validated-commit, but does not include data nodes and protocol operations. The first network device sends a first RPC instruction as shown in fig. 13 to the second network device, where the first RPC instruction includes a file name ietf-netconf-notification. The second network device returns the first response message shown in fig. 14 to the first network device, where the first response message includes five values of the third operation right, which are all read. It can be seen from this that the first network device has read rights for all five notifications.
A second packaging method corresponding to the second case: based on the data node including at least one child node, the encapsulation method includes: and packaging the operation authority query result of the data node to obtain a first response message, wherein the operation authority query result of the data node comprises a node path, each sub-path, a value of a fourth operation authority and a value of a fifth operation authority corresponding to each sub-node, the node path corresponds to the value of the fourth operation authority, and the sub-paths correspond to the values of the fifth operation authority corresponding to the sub-nodes one by one.
It should be noted that the value of the fourth operation right and the value of the fifth operation right are the same or different, and the value of the fifth operation right may also be different. Taking the data node including two child nodes as an example, the value of the fourth operation right is read, and the values of the two fifth operation rights are read and none, respectively. Then, the first network device has a read right to the data node, and the first network device has a read right to one of the child nodes in the data node and does not have any operation right to the other child node.
Example one of the second packaging method: referring to fig. 15, fig. 15 shows a case where the data node netconf-state includes five child nodes capabilities, datastores, schemas, sessions and statistics. The first network device sends the first RPC instruction shown in fig. 16 to the second network device, where the first RPC instruction includes the node path /netconf/data/ietf-netconf-monitoring:netconf-state of the data node netconf-state. Correspondingly, the second network device determines each child node included in the data node according to the node path in the first RPC instruction, and each child node has a corresponding sub-path.
The second network device obtains the values of the fifth operation permissions corresponding to the respective child nodes, and sends the first response message shown in fig. 17 to the first network device. In it, netconf-state corresponds to the value read of the fourth operation authority, so as to indicate that the first network device has the read authority on the data node netconf-state. In addition, the values of the fifth operation permission corresponding to each child node in the first response message are as follows:
the sub-path /netconf/data/ietf-netconf-monitoring corresponds to the value read of the fifth operation authority corresponding to the child node capabilities;
the sub-path /netconf/data/ietf-netconf-monitoring corresponds to the value read of the fifth operation authority corresponding to the child node datastores;
the sub-path /netconf/data/ietf-netconf-monitoring corresponds to the value read of the fifth operation authority corresponding to the child node schemas;
the sub-path /netconf/data/ietf-netconf-monitoring corresponds to the value read of the fifth operation authority corresponding to the child node sessions;
the sub-path /netconf/data/ietf-netconf-monitoring netconf-state/status corresponds to the value read of the fifth operation authority corresponding to the child node status.
On the basis of the first example of the second encapsulation method, the first network device may further encapsulate the sub-path of any child node to obtain a first RPC instruction based on the sub-paths of all child nodes returned in the first response message, and obtain the sub-paths and the operation permission values of all other child nodes included in any child node by the first network device through the first RPC instruction, thereby implementing resource discovery.
For example, the first network device encapsulates the sub-path of the child node schema to obtain the first RPC message shown in fig. 18. The second network device returns the first response message shown in fig. 19 to the first network device according to the first RPC message. The first response message comprises the value of the operation authority corresponding to the child node schema, the sub-path /netconf/data/ietf-netconf-monitoring of the other child nodes schema-schema, and the value read of the operation authority corresponding to netconf-state/schema and the other child nodes schema-schema. It will be appreciated that the other child nodes schema-schema are child nodes included in the child node schema.
A third packaging method corresponding to the third case: after the second network device obtains the value of the first operation permission, the operation permission query result of the protocol operation is encapsulated to obtain a first response message, the operation permission query result of the protocol operation comprises the value of the first operation permission, and the value of the first operation permission is used for indicating whether the first network device has the execution permission on the protocol operation. Illustratively, since the protocol operation does not include a sub-protocol operation, even if the second network device does not encapsulate the operation path or the operation name of any protocol operation, there is no confusion of the operation authority, and thus the second network device can directly encapsulate the value of the first operation authority.
Example one of the packaging method three: referring to fig. 20, fig. 20 shows a case where the protocol operation is a get-schema. The operation path of the protocol operation is/netconf/operations/ietf-netconf-monitoring: get-schema. The first network device sends a first RPC instruction as shown in fig. 21 containing the operation path to the second network device. Next, the second network device returns a first response message as shown in fig. 22 to the first network device, where the first response message includes the operation name get-schema of the protocol operation and the value exec of the first operation permission, so as to indicate that the first network device has an execution permission for the protocol operation of get-schema.
A fourth packaging method corresponding to case four: after the second network device obtains the value of the first operation right, the operation right query result of the notification is encapsulated to obtain a first response message, the operation right query result of the notification includes the value of the first operation right, and the value of the first operation right is used for indicating whether the first network device has a reading right for the notification.
Example one of the packaging method four: referring to fig. 23, fig. 23 shows a case where the number of notifications is five. Based on that the first network device needs to query the first operation permission for the netconf-config-change, the first network device sends a first RPC instruction as shown in fig. 24, where the first RPC instruction includes a notification path of the netconf-config-change. Accordingly, the second network device returns, to the first network device, a first response message including the pathname netconf-config-change and the value read of the first operation permission as shown in fig. 25, indicating that the first network device has a read permission for the notification of netconf-config-change.
It can be seen that, in the four encapsulation manners, the second network device directly uses the obtained value of the first operation permission as the operation permission query result of the first resource. Illustratively, the second network device may determine the operation authority query result of the first resource according to the indication of the identifier, in addition to directly taking the value of the first operation authority as the operation authority query result of the first resource.
Therefore, in the exemplary embodiment, the first RPC instruction sent by the first network device further includes the second identifier, i.e., the without-none shown in fig. 4. That is, the step of the first network device encapsulating the first identifier to obtain the first RPC instruction includes: and the first network equipment acquires the second identifier, and encapsulates the first identifier and the second identifier to obtain the first RPC instruction. Wherein the second identifier is used for indicating whether to encapsulate the value of the first operation right under the condition of not having the first operation right.
In this embodiment, whether the first network device has the first operation permission on the first resource is indicated by whether the value of the first operation permission is a target value, where the target value is none. A value of the first operation right equal to the target value indicates that the first network device does not have the first operation right on the first resource, and a value of the first operation right other than the target value indicates that the first network device has the first operation right on the first resource.
Illustratively, in the case that the second identifier is true, the second identifier indicates that the value of the first operation right is not encapsulated when the first operation right is absent. In the case that the second identifier is false, the second identifier indicates that the value of the first operation right is still encapsulated when the first operation right is absent. Fig. 26 shows a case where the second identifier is true in the first RPC message sent by the first network device.
Correspondingly, after the second network device analyzes the first RPC instruction, the first identifier and the second identifier are obtained. After obtaining the value of the first operation right according to the obtained first identifier, the second network device determines the encapsulation mode based on the indication of the second identifier.
And then, in the manner described in the above description, the value of the first operation permission is used as the operation permission query result of the first resource, so as to obtain the first response message. For example, fig. 27 shows a case where the value of the first operation authority corresponding to the protocol operation netconf-capability-change is the target value none. And according to the indication of the second identifier, the second network device encapsulates the value none of the first operation authority and the values of the other first operation authorities which are not none, so as to obtain a first response message.
It can be understood that, in this case, in the first response message received by the first network device, the operation authority query result of the first resource includes values of all the first operation authorities acquired by the second network device. The value of each first operation right is none or other values except none.
Or, based on the value of the first operation authority being the target value and the second identifier indicating that the value of the first operation authority is not to be encapsulated when the first operation authority is absent, the operation authority query result is encapsulated, according to the indication of the second identifier, without the value of the first operation authority, thereby obtaining the first response message.
Illustratively, the second network device can acquire values of the plurality of first operation permissions. For example, in the case that the first resource includes multiple sub-resources in the foregoing first case, or in the case that the data node includes at least one sub-node in the foregoing second case, the second network device can acquire values of multiple first operation permissions. And based on that only part of the values of the first operation permissions are none, and the values of other first operation permissions are not none, the second network device encapsulates the first operation permissions which are not none in the values of the first operation permissions. For example, compared to the scenario shown in fig. 27 where the value of the first operation right corresponding to the protocol operation netconf-capability-change is none, the first response message shown in fig. 28 may be obtained based on the second identifier indicating that the value of the first operation right is not encapsulated without the first operation right. It can be understood that, in the case that the values of the plurality of first operation permissions obtained by the second network device are all target values, or in the case that the second network device obtains one value of the first operation permission and the value is none, the sent first response message is null.
Correspondingly, in the first response message received by the first network device, the operation authority query result of the first resource only includes the value of the first operation authority not being a none, and does not include the value of the first operation authority being a none. Or, the first response message received by the first network device is null.
Regardless of the manner in which the first response message is encapsulated, after the first response message is obtained, the second network device sends the first response message over the session established with the first network device.
307, the first network device receives a first response message sent by the second network device according to the first RPC instruction, where the first response message includes an operation permission query result of the first resource.
Since the second network device sends the first response message carrying the operation permission query result, the first network device can receive the first response message through the session. The first response message is obtained by the second network device encapsulating the operation authority query result of the first resource according to the value of the first operation authority, and the value of the first operation authority is used for indicating whether the first network device has the first operation authority for the first resource.
308, the first network device parses the first response message to obtain the operation permission query result of the first resource.
Because the operation authority query result carried in the first response message differs with the first resource, and following the description in 306, parsing takes one of the following four forms.
Parsing method one, corresponding to case one: the first network device parses the first response message to obtain the operation authority query result of the YANG file, which comprises the value of the third operation authority corresponding to each sub-resource together with its sub-identifier; the sub-identifiers correspond one to one with the values of the third operation authorities of the sub-resources.
Parsing method two, corresponding to case two: the first network device parses the first response message to obtain the operation authority query result of the data node, which comprises the node path, each sub-path, the value of the fourth operation authority and the value of the fifth operation authority corresponding to each sub-node; the node path corresponds to the value of the fourth operation authority, and each sub-path corresponds one to one with the value of the fifth operation authority of its sub-node.
Parsing method three, corresponding to case three: the first network device parses the first response message to obtain the operation authority query result of the protocol operation, which comprises the value of the first operation authority; that value indicates whether the first network device has execution authority for the protocol operation.
Parsing method four, corresponding to case four: the first network device parses the first response message to obtain the operation authority query result of the notification, which comprises the value of the first operation authority; that value indicates whether the first network device has read authority for the notification.
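The following Python program is an added example, not code from the patent or from any vendor implementation. It models the server-side encapsulation of step 306 (the "skip none" behaviour of the second identifier, including the null reply) and the client-side parsing of step 308 for all four resource kinds. The rule table, module index, schema tree, and the element names <rpc-reply>, <auth-result> and <auth> are constructed for the example; only the resource paths and the user test1 come from the page.

```python
import xml.etree.ElementTree as ET

NONE = "none"  # the patent's "target value": no operation permission at all

# Constructed rule table standing in for the server's authorization state
# (NACM-style): (user, resource identifier) -> operation permission value.
RULES = {
    ("test1", "/huawei-aaa:aaa/lam/users/user"): "read",
    ("test1", "/huawei-aaa:aaa/lam/users/user/name"): "read",
    ("test1", "/huawei-aaa:aaa/lam/users/user/password"): NONE,
    ("test1", "/ietf-netconf:get-config"): "exec",
    ("test1", "/ietf-netconf-notifications:netconf-capability-change"): NONE,
}

# Constructed module index for case one: YANG file name -> its sub-resources.
MODULES = {
    "huawei-aaa.yang": [
        "/huawei-aaa:aaa/lam/users/user",
        "/huawei-aaa:aaa/lam/users/user/password",
    ],
    "ietf-netconf-notifications.yang": [
        "/ietf-netconf-notifications:netconf-capability-change",
    ],
}

# Constructed schema tree for case two: data node path -> child node paths.
CHILDREN = {
    "/huawei-aaa:aaa/lam/users/user": [
        "/huawei-aaa:aaa/lam/users/user/name",
        "/huawei-aaa:aaa/lam/users/user/password",
    ],
}


def permission(user, rid):
    """Default-deny: a resource without a matching rule yields the target value."""
    return RULES.get((user, rid), NONE)


def resolve(user, first_identifier):
    """Step 305: expand the first identifier into (sub-identifier, value) pairs.

    Case one (YANG file): one value per sub-resource of the file.
    Case two (data node with children): the node itself, then each child.
    Cases three and four (protocol operation, notification): a single value.
    """
    if first_identifier.endswith(".yang"):
        return [(rid, permission(user, rid)) for rid in MODULES[first_identifier]]
    pairs = [(first_identifier, permission(user, first_identifier))]
    pairs += [(c, permission(user, c)) for c in CHILDREN.get(first_identifier, [])]
    return pairs


def encapsulate(user, first_identifier, skip_none):
    """Step 306: build the first response message as an <rpc-reply> string.

    skip_none plays the role of the second identifier. When True, entries whose
    value is the target value are left out; if nothing remains, the reply
    carries no result at all (the null response described above).
    """
    pairs = resolve(user, first_identifier)
    if skip_none:
        pairs = [(rid, value) for rid, value in pairs if value != NONE]
    reply = ET.Element("rpc-reply")
    if pairs:
        result = ET.SubElement(reply, "auth-result", resource=first_identifier)
        for rid, value in pairs:
            ET.SubElement(result, "auth", id=rid).text = value
    return ET.tostring(reply, encoding="unicode")


def parse_response(xml_text):
    """Step 308, client side: None for a null reply, else {sub-identifier: value}."""
    result = ET.fromstring(xml_text).find("auth-result")
    if result is None:
        return None
    return {auth.get("id"): auth.text for auth in result.findall("auth")}


if __name__ == "__main__":
    for rid in ("huawei-aaa.yang", "/huawei-aaa:aaa/lam/users/user",
                "/ietf-netconf:get-config",
                "/ietf-netconf-notifications:netconf-capability-change"):
        for skip in (False, True):
            print(rid, "skip-none" if skip else "full", "->",
                  parse_response(encapsulate("test1", rid, skip)))
```

The client must treat a null reply as "no permission at all" rather than as an error or a missing resource; the two are indistinguishable on the wire when the second identifier is set, which is the trade-off the skip-none mode makes for smaller messages.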
Further, for the operation authority of the first network device over some resources, this embodiment needs to detect updates of that operation authority, so that the first network device learns of an update in time and security is not compromised. For example, whoever holds the write right on the resource /huawei-aaa:aaa/lam/users/user can add a new first network device with arbitrary rights, so the operation right of each first network device over that resource must be limited. A method is therefore needed that lets the first network device learn in time of updates to its operation authority over a resource.
Referring to fig. 29, in this embodiment the YANG push (YANG-push) capability provided by the YANG model is extended, so that the first network device can, by sending an RPC instruction to the second network device, make the second network device detect updates of the operation right of any resource. Accordingly, referring to FIG. 30, this embodiment also extends the notification capability provided by the YANG model, so that the second network device can send a notification message as soon as it detects that the operation authority of any resource has been updated, and the first network device thereby learns of the update.
In the exemplary embodiment, after the first network device parses the first response message to obtain the operation right query result of the first resource, the method further includes steps 309 to 315, as follows.
309, the first network device obtains a third identifier of the second resource to be detected for updating the operation authority, and encapsulates the third identifier to obtain a second RPC instruction.
The process of the first network device acquiring the third identifier is described in the above 301, and is not described herein again. For the process of encapsulating the third identifier by the first network device, in addition to directly encapsulating the third identifier according to the description in the above 301, in an exemplary embodiment, encapsulating the third identifier to obtain the second RPC instruction includes: and the first network equipment acquires the user identification, and encapsulates the third identification and the user identification to obtain a second RPC instruction.
Each first network device corresponds to exactly one user identifier. Illustratively, the user identifier indicates the first network device that itself performs 301, 302, 307 and 308, or indicates a first network device other than that one. The number of user identifiers acquired by the first network device is not limited in this embodiment and is determined by actual needs. After acquiring one or more user identifiers, the first network device encapsulates the third identifier together with the acquired user identifier(s) to obtain the second RPC instruction.
Referring to fig. 31, fig. 31 shows an exemplary second RPC instruction sent by the first network device. The second RPC instruction includes the resource identifier /huawei-aaa:aaa/lam/users/user of the second resource and the user identifier test1.
310, the first network device sends the second RPC instruction to the second network device.
The sending process is described in 302 above and is not repeated here.
311, the second network device receives a second RPC instruction sent by the first network device, where the second RPC instruction includes a third identifier of the second resource.
The receiving process is described in 303 above, and will not be described herein again. Illustratively, after receiving the second RPC instruction sent by the first network device, the second network device returns a response message as shown in fig. 32 to the first network device, so that the first network device confirms that the second network device has received the second RPC instruction.
312, the second network device parses the second RPC instruction to obtain the third identifier, and determines at least one target network device from among the network devices that have a session established with the second network device.
When the second RPC instruction does not contain a user identifier, the second network device obtains only the third identifier from parsing it, and can determine from the third identifier the second resource whose operation permission updates are to be detected. In this case the second network device takes every network device that has a session established with it as a target network device. Correspondingly, when the second RPC instruction also includes a user identifier, the second network device obtains both the third identifier and the user identifier by parsing the instruction, and takes the network device indicated by the user identifier as the target network device. It will be appreciated that the target network device may be the first network device that sent the second RPC instruction, a first network device other than the sender, or both.
313, the second network device obtains the operation right value corresponding to each target network device according to the third identifier, where the operation right value corresponding to any one target network device is used to indicate the operation right of the any one target network device to the second resource.
The second network device may refer to the description in 304 for obtaining the operation permission value corresponding to each target network device, and details are not described here. After the acquisition is completed, the second network device can also store the operation authority of each target network device on the second resource, so as to detect the update condition of the operation authority.
314, based on detecting that the value of the second operation right corresponding to any one of the target network devices has been updated, the second network device obtains the updated value of the second operation right. The value of the second operation right corresponding to any one target network device indicates whether that target network device has the second operation right for the second resource.
When the authentication mechanism changes, the operation authority of a target network device over the second resource may be updated, and with it the value of the second operation authority corresponding to that target network device. Therefore, for any target network device, when the second network device detects that the authentication mechanism has changed, it re-determines the value of the second operation right corresponding to that target network device according to the changed mechanism. If the re-determined value equals the stored value of the second operation right, the change to the authentication mechanism did not update that target network device's operation authority over the second resource. If the re-determined value differs from the stored value, the change did update that target network device's operation authority over the second resource, and this embodiment takes the newly determined value as the updated value of the second operation right.
315, the second network device encapsulates the updated value of the second operation right to obtain a notification message, and sends the notification message to the target network device concerned.
For any target network device, the second network device packages the user identifier of the any target network device, the third identifier of the second resource, the value of the second operation right corresponding to any target network device stored in 313, and the updated value of the second operation right together, so as to obtain the notification message. Of course, the notification message may not include the value of the second operation authority corresponding to any target network device stored in 313, and only includes the updated value of the second operation authority, which is not limited in this embodiment.
After obtaining the notification message, the second network device may send the notification message to any of the target network devices. After any target network device receives the notification message, the updated operation authority of any target network device for the second resource can be determined by analyzing the notification message. Then, any target network device can perform other operations, such as adjusting an authentication mechanism, based on the updated operation authority.
Referring to fig. 33, fig. 33 illustrates an exemplary notification message. As can be seen from the previous authority (pre-auth) in fig. 33, before the operation authority is updated, the value of the second operation authority corresponding to the user identifier test1 is read. As can be seen from the current authority (cur-auth) in fig. 33, the updated values of the second operation authority corresponding to the user identifier test1 are create, read, update, and delete.
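The following Python class is an added example, not the patent's or any vendor's code, covering steps 311 to 315 above: the server records the current value for each (resource, target) pair when the second RPC arrives, re-evaluates the watched pairs whenever its rule table changes, and emits a notification carrying pre-auth and cur-auth only for pairs whose value actually changed. The rule table is a dict standing in for the authentication mechanism, and the session set, the method names and the notification layout are constructed; the path, the user test1 and the read to create/read/update/delete transition come from figs. 31 and 33. One practitioner caveat the page does not address: a watch placed on behalf of other user identifiers discloses their authorization state to the requester, so a deployment should decide who may name users other than themselves. The example only checks that the requester and every named target have an established session.

```python
# Canonical rendering order for a permission set, matching the order used in fig. 33.
ORDER = ("create", "read", "update", "delete", "exec")
NONE = frozenset()  # the target value: no permission at all


def render(perms):
    """Render a permission set the way the notification carries it; empty -> "none"."""
    return ",".join(p for p in ORDER if p in perms) or "none"


class AuthServer:
    """Stands in for the second network device (constructed for this example)."""

    def __init__(self, rules, sessions):
        self.rules = dict(rules)       # (user, resource) -> frozenset of permissions
        self.sessions = set(sessions)  # users that currently have a session
        self.watch = {}                # (resource, user) -> stored value (step 313)

    def permission(self, user, resource):
        """Default-deny lookup against the current rule table."""
        return self.rules.get((user, resource), NONE)

    def handle_watch_rpc(self, requester, resource, users=None):
        """Steps 311-313: accept the second RPC, pick targets, store current values.

        Without a user identifier every session is a target; with one or more
        identifiers only those users are. Returns the sorted target list.
        """
        if requester not in self.sessions:
            raise PermissionError("no session established for %s" % requester)
        targets = set(users) if users else set(self.sessions)
        unknown = targets - self.sessions
        if unknown:
            raise ValueError("no session for %s" % sorted(unknown))
        for user in targets:
            self.watch[(resource, user)] = self.permission(user, resource)
        return sorted(targets)

    def change_rules(self, new_rules):
        """Step 314: the authentication mechanism changed.

        Re-evaluate every watched (resource, user) pair, emit one notification
        per changed value (step 315) and store the new value so that a later
        change is compared against it, not against the original one.
        """
        self.rules.update(new_rules)
        notifications = []
        for (resource, user), stored in list(self.watch.items()):
            current = self.permission(user, resource)
            if current == stored:
                continue  # this pair was not affected: no notification
            notifications.append({
                "user": user,
                "resource": resource,
                "pre-auth": render(stored),
                "cur-auth": render(current),
            })
            self.watch[(resource, user)] = current
        return notifications


def demo():
    """Reproduce the fig. 31 / fig. 33 scenario with constructed data."""
    users_node = "/huawei-aaa:aaa/lam/users/user"
    server = AuthServer(
        rules={("test1", users_node): frozenset({"read"}),
               ("test2", users_node): frozenset({"read"})},
        sessions={"test1", "test2"},
    )
    server.handle_watch_rpc("test1", users_node, users=["test1"])
    # Grant test1 full write access to the user list; test2 is not watched.
    first = server.change_rules(
        {("test1", users_node): frozenset({"create", "read", "update", "delete"})})
    # A later change that leaves test1's value untouched yields no notification.
    second = server.change_rules({("test2", users_node): NONE})
    return first, second


if __name__ == "__main__":
    for batch in demo():
        print(batch)
```

Storing the re-determined value back into the watch table is what keeps the comparison in step 314 meaningful across successive rule changes; a server that compared only against the value captured at subscription time would report the same update twice and miss a later revert.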
Of course, in this embodiment the first network device sends the second RPC instruction for detecting operation permission updates after it has parsed the first response message and obtained the operation permission query result of the first resource, but it may also send the second RPC instruction at other times; the time at which the second RPC instruction is sent is not limited in this embodiment.
In summary, in this embodiment, by defining an RPC instruction for querying an operation permission, a second network device can obtain a value of a first operation permission according to a first identifier of a first resource carried by the RPC instruction, where the value of the first operation permission is used to indicate whether the first network device has the first operation permission for the first resource, so that a first response message encapsulating an operation permission query result of the first resource is fed back to the first network device according to the value of the first operation permission, so that the first network device can directly obtain the operation permission query result of the first resource, thereby implementing a more intuitive query manner of the operation permission, and improving efficiency of querying the operation permission.
Based on the same concept, as shown in fig. 34, an embodiment of the present application further provides an apparatus for querying operation authority, where the apparatus is configured to perform the steps that need to be performed by the second network device in the method shown in fig. 3. The device includes:
the receiving module 3401 is configured to receive, by the second network device, a first Remote Procedure Call (RPC) instruction sent by the first network device, where the first RPC instruction includes a first identifier of the first resource, and the first RPC instruction is used to indicate an operation permission to query the first resource. The steps performed by the receiving module 3401 can be referred to the description in 303 above, and are not described here again.
And the analysis module 3402 is configured to analyze the first RPC instruction by the second network device to obtain the first identifier. The steps performed by the parsing module 3402 can be referred to the description in the above 304, and are not described herein again.
An obtaining module 3403, configured to obtain, by the second network device, a value of the first operation permission according to the first identifier, where the value of the first operation permission is used to indicate whether the first network device has the first operation permission for the first resource. The steps performed by the obtaining module 3403 can be referred to the description in 305 above, and are not described herein again.
The sending module 3404 is configured to package, by the second network device according to the value of the first operation permission, the operation permission query result of the first resource to obtain a first response message, and send the first response message to the first network device. The steps performed by the sending module 3404 can be referred to the description in 306 above, and are not described here again.
In a possible implementation manner, the first RPC instruction further includes a second identifier indicating whether the value of the first operation right is to be encapsulated when the first network device lacks the first operation right. The sending module 3404 is configured so that, when the value of the first operation right is a non-target value, or when it is the target value and the second identifier indicates that the value is to be encapsulated even though the first network device lacks the first operation right, the second network device encapsulates the operation authority query result of the first resource according to the second identifier to obtain the first response message; the operation authority query result of the first resource then includes the value of the first operation authority. The target value indicates that the first network device does not have the first operation right for the first resource, and a non-target value indicates that it does.
In a possible implementation manner, the first RPC instruction further includes a second identifier indicating whether the value of the first operation permission is to be encapsulated when the first network device lacks the first operation permission, and the sending module 3404 is configured so that, when the value of the first operation permission is the target value and the second identifier indicates that the value is not to be encapsulated in that case, the second network device encapsulates the operation permission query result of the first resource according to the indication of the second identifier to obtain the first response message; the operation permission query result of the first resource then does not include the value of the first operation permission.
In a possible implementation manner, the receiving module 3401 is further configured to receive, by the second network device, a second RPC instruction sent by the first network device, where the second RPC instruction includes a third identifier of the second resource; the second network equipment analyzes the second RPC instruction to obtain a third identifier; the second network equipment determines at least one target network equipment based on each network equipment which establishes a session with the second network equipment; the second network equipment acquires the value of the second operation authority corresponding to each target network equipment according to the third identifier, wherein the value of the second operation authority corresponding to any target network equipment is used for indicating whether any target network equipment has the second operation authority on the second resource; the second network equipment acquires the updated value of the second operation authority based on the detection of the update of the second operation authority corresponding to any target network equipment; and the second network equipment encapsulates the updated value of the second operation authority to obtain a notification message and sends the notification message to any target network equipment.
In a possible implementation manner, the second RPC instruction further includes a user identifier, and the receiving module 3401 is configured to, by the second network device, use the network device indicated by the user identifier in each first network device as the target network device.
In one possible implementation, the first resource is a YANG (Yet Another Next Generation) file, and the first identifier is a file name;
an obtaining module 3403, configured to determine, by the second network device, at least one sub-resource included in the YANG file according to the file name, and obtain a value of a third operation right corresponding to each sub-resource, where the value of the third operation right corresponding to any sub-resource is used to indicate an operation right of the first network device to any sub-resource, where any sub-resource has a corresponding sub-identifier, and the at least one sub-resource includes at least one of a data node, a protocol operation, and a notification;
the sending module 3404 is configured to package, by the second network device, the operation permission query result of the YANG file to obtain the first response message, where the operation permission query result of the YANG file includes the values of the third operation permissions corresponding to the sub resources and the sub identifiers, and the sub identifiers correspond to the values of the third operation permissions corresponding to the sub resources one to one.
In one possible implementation, the first resource is a data node, and the first identifier is a node path;
an obtaining module 3403, configured to, by the second network device, determine that the data node includes at least one child node according to the node path, obtain a value of a fourth operation permission and a value of a fifth operation permission corresponding to each child node, where the value of the fourth operation permission is used to indicate an operation permission of the first network device on the data node, and the value of the fifth operation permission corresponding to any child node is used to indicate an operation permission of the first network device on any child node, where any child node has a corresponding child path;
the sending module 3404 is configured to package, by the second network device, an operation permission query result of the data node to obtain a first response message, where the operation permission query result of the data node includes a node path, each sub-path, a value of a fourth operation permission, and a value of a fifth operation permission corresponding to each sub-node, the node path corresponds to the value of the fourth operation permission, and the sub-paths correspond to the values of the fifth operation permissions corresponding to the sub-nodes one to one.
In one possible implementation, the first resource is a protocol operation, and the first identifier is an operation path;
the sending module 3404 is configured to package, by the second network device, an operation permission query result of the protocol operation to obtain a first response message, where the operation permission query result of the protocol operation includes a value of the first operation permission, and the value of the first operation permission is used to indicate whether the first network device has an execution permission for the protocol operation.
In one possible implementation, the first resource is a notification, and the first identifier is a notification path;
the sending module 3404 is configured to package, by the second network device, the operation permission query result of the notification to obtain a first response message, where the operation permission query result of the notification includes a value of the first operation permission, and the value of the first operation permission is used to indicate whether the first network device has a read permission for the notification.
Based on the same concept, as shown in fig. 35, an embodiment of the present application further provides an apparatus for querying operation permission, where the apparatus is configured to perform the steps that need to be performed by the first network device in the method shown in fig. 3. The device includes:
an obtaining module 3501, configured to obtain, by a first network device, a first identifier of a first resource of an operation permission to be queried, and package the first identifier to obtain a first Remote Procedure Call (RPC) instruction. The steps executed by the obtaining module 3501 can refer to the description in the above 301, and are not described herein again.
A sending module 3502, configured to send, by the first network device, the first RPC instruction to the second network device. The steps performed by the sending module 3502 can be referred to the description in the above 302, and are not described herein again.
A receiving module 3503, configured to receive, by the first network device, a first response message sent by the second network device according to the first RPC instruction, where the first response message includes an operation permission query result of the first resource, and the first response message is a message obtained by encapsulating, by the second network device, the operation permission query result of the first resource according to a value of the first operation permission, and the value of the first operation permission is used to indicate whether the first network device has the first operation permission for the first resource. The steps performed by the receiving module 3503 can be referred to the description in the above 307, and are not described herein again.
An analyzing module 3504, configured to analyze, by the first network device, the first response message to obtain an operation permission query result of the first resource. The steps performed by the parsing module 3504 can be referred to the description in the above 308, and are not described herein again.
In a possible implementation manner, the obtaining module 3501 is configured to obtain, by the first network device, a second identifier, where the second identifier is used to indicate whether to encapsulate a value of the first operation right without the first operation right; and the first network equipment encapsulates the first identifier and the second identifier to obtain a first RPC instruction.
In a possible implementation manner, the parsing module 3504 is configured so that the first network device parses the first response message and the obtained operation permission query result of the first resource includes the value of the first operation permission. This first response message is one the second network device obtained by encapsulating the operation permission query result of the first resource according to the second identifier, either because the value of the first operation permission is a non-target value, or because it is the target value and the second identifier indicates that the value is to be encapsulated even though the first network device lacks the first operation permission. The target value indicates that the first network device does not have the first operation permission for the first resource, and a non-target value indicates that it does.
In a possible implementation manner, the parsing module 3504 is configured so that the first network device parses the first response message and the obtained operation permission query result of the first resource does not include the value of the first operation permission. This first response message is one the second network device obtained by encapsulating the operation permission query result of the first resource according to the indication of the second identifier, because the value of the first operation permission is the target value and the second identifier indicates that the value is not to be encapsulated when the first network device lacks the first operation permission; the target value indicates that the first network device does not have the operation permission for the first resource.
In a possible implementation manner, the obtaining module 3501 is further configured so that the first network device obtains a third identifier of a second resource whose operation right updates are to be detected. The third identifier is used by the second network device to obtain the value of the second operation right corresponding to each target network device, where the value corresponding to any one target network device indicates whether that target network device has the second operation right for the second resource; based on detecting that the value of the second operation right corresponding to any one target network device has been updated, the second network device obtains the updated value, encapsulates it to obtain a notification message, and sends the notification message to that target network device;
the sending module 3502 is further configured to package, by the first network device, the third identifier to obtain a second RPC instruction, and send the second RPC instruction to the second network device.
In a possible implementation manner, the sending module 3502 is configured so that the first network device acquires a user identifier, which the second network device uses to take the network device indicated by the user identifier as a target network device, and the first network device encapsulates the third identifier and the user identifier to obtain the second RPC instruction.
In a possible implementation manner, the first resource is a YANG (Yet Another Next Generation) file, the first identifier is a file name, the file name is used by the second network device to determine at least one sub-resource included in the YANG file, the at least one sub-resource includes at least one of a data node, a protocol operation, and a notification, any sub-resource has a corresponding sub-identifier, and the parsing module 3504 is configured so that the first network device parses the first response message to obtain the operation authority query result of the YANG file, which includes the value of the third operation authority corresponding to each sub-resource and its sub-identifier; the sub-identifiers correspond one to one with the values of the third operation authorities of the sub-resources.
In a possible implementation manner, the first resource is a data node, the first identifier is a node path, the node path is used by the second network device to determine at least one child node included in the data node, any child node has a corresponding child path, and the parsing module 3504 is configured to parse the first response message by the first network device to obtain an operation permission query result of the data node, the operation permission query result of the data node includes the node path, each child path, a value of the fourth operation permission, and a value of the fifth operation permission corresponding to each child node, the node path corresponds to the value of the fourth operation permission, and the child path corresponds to the value of the fifth operation permission corresponding to the child node.
In a possible implementation manner, the first resource is a protocol operation, the first identifier is an operation path, and the parsing module 3504 is configured to, by the first network device, parse the first response message to obtain an operation permission query result of the protocol operation, where the operation permission query result of the protocol operation includes a value of the first operation permission, and the value of the first operation permission is used to indicate whether the first network device has an execution permission for the protocol operation.
In a possible implementation manner, the first resource is a notification, the first identifier is a notification path, and the parsing module 3504 is configured to, by the first network device, parse the first response message to obtain an operation permission query result of the notification, where the operation permission query result of the notification includes a value of the first operation permission, and the value of the first operation permission is used to indicate whether the first network device has a read permission for the notification.
In summary, in this embodiment an RPC instruction for querying an operation permission is defined, so that the second network device can obtain the value of the first operation permission according to the first identifier of the first resource carried in the RPC instruction, where the value of the first operation permission indicates whether the first network device has the first operation permission for the first resource. The second network device then feeds back, according to that value, a first response message encapsulating the operation permission query result of the first resource, so that the first network device directly obtains the operation permission query result of the first resource. This provides a more intuitive way of querying an operation permission and improves the efficiency of the query.
It should be understood that the division into functional modules used to describe the apparatus of fig. 34 and 35 is only an illustration; in practical applications, the above functions may be distributed among different functional modules as needed, that is, the internal structure of the apparatus may be divided into different functional modules to implement all or part of the functions described above. In addition, the apparatus embodiments and the method embodiments provided above belong to the same concept; for details of their specific implementation, see the method embodiments, which are not repeated here.
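The exchange summarised above, as an added illustration that is not code from the patent: the first network device encapsulates the first identifier (a resource id) and the second identifier (a flag saying whether a "no permission" value should still be carried) into an RPC instruction; the second network device parses it, looks the permission up and encapsulates a response; the first network device parses the response. The JSON message layout, the field names, the constructed schema (one YANG file with a data node, a protocol operation and a notification) and the constructed access-control table are all assumptions. The example also applies the second identifier to every sub-resource and child-path entry, which is this example's own generalisation of the single-value rule the text describes.

```python
"""Simulated RPC exchange for querying an operation permission (added example,
not code from the patent; message layout, schema and ACL are constructed)."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Target value of an operation permission: the requester does NOT hold it.
DENIED = "denied"


@dataclass
class Node:
    """A schema element known to the second network device (constructed)."""
    kind: str                                          # "module" | "data" | "rpc" | "notification"
    children: List[str] = field(default_factory=list)  # sub-identifiers / child paths


# Constructed schema: one YANG file containing a data node (with two child
# nodes), a protocol operation and a notification.
SCHEMA: Dict[str, Node] = {
    "example-acl.yang": Node("module", ["/acl/rules", "reset-counters", "rule-hit"]),
    "/acl/rules": Node("data", ["/acl/rules/rule", "/acl/rules/default-action"]),
    "/acl/rules/rule": Node("data"),
    "/acl/rules/default-action": Node("data"),
    "reset-counters": Node("rpc"),
    "rule-hit": Node("notification"),
}

# Constructed access-control table on the second network device:
# requester -> {resource: permitted operations}; a missing entry means none.
ACL: Dict[str, Dict[str, Set[str]]] = {
    "device-A": {
        "/acl/rules": {"read", "update"},
        "/acl/rules/rule": {"read"},
        "/acl/rules/default-action": {"read", "update"},
        "reset-counters": set(),            # may not execute this RPC
        "rule-hit": {"read"},
    },
}


def build_query_rpc(resource_id: str, include_denied: bool) -> str:
    """First network device: encapsulate the first identifier (resource_id) and
    the second identifier (include_denied) into the first RPC instruction."""
    return json.dumps({"rpc": "query-operation-permission",
                       "resource-id": resource_id,
                       "include-denied": include_denied})


def permitted_ops(requester: str, resource: str) -> Set[str]:
    return ACL.get(requester, {}).get(resource, set())


def permission_value(requester: str, resource: str) -> str:
    """Value of the requester's operation permission on one resource: the
    permitted operations joined by ',', or DENIED if it holds none."""
    return ",".join(sorted(permitted_ops(requester, resource))) or DENIED


def encapsulate(entry: dict, value: str, include_denied: bool) -> dict:
    """Apply the second identifier: a DENIED value is carried only when the
    requester asked for it; otherwise the 'value' field is left out."""
    if value != DENIED or include_denied:
        entry["value"] = value
    return entry


def handle_query_rpc(rpc_text: str, requester: str) -> str:
    """Second network device: parse the first RPC instruction, look up the
    permission value(s) for the first identifier, and return the first
    response message carrying the operation-permission query result."""
    rpc = json.loads(rpc_text)
    if rpc.get("rpc") != "query-operation-permission":
        return json.dumps({"rpc-error": "unknown-rpc"})
    rid = rpc.get("resource-id", "")
    include_denied = bool(rpc.get("include-denied", False))
    node = SCHEMA.get(rid)
    if node is None:
        return json.dumps({"rpc-error": "unknown-resource", "resource-id": rid})
    if node.kind == "module":
        # YANG file: one (sub-identifier, value) pair per sub-resource.
        result = {"file-name": rid, "sub-resources": [
            encapsulate({"sub-id": s}, permission_value(requester, s), include_denied)
            for s in node.children]}
    elif node.kind == "data":
        # Data node: a value for the node path plus one value per child path.
        result = encapsulate({"node-path": rid}, permission_value(requester, rid), include_denied)
        result["children"] = [
            encapsulate({"child-path": c}, permission_value(requester, c), include_denied)
            for c in node.children]
    elif node.kind == "rpc":
        # Protocol operation: the query answers only whether it may be executed.
        value = "exec" if "exec" in permitted_ops(requester, rid) else DENIED
        result = encapsulate({"operation-path": rid}, value, include_denied)
    else:
        # Notification: the query answers only whether it may be read.
        value = "read" if "read" in permitted_ops(requester, rid) else DENIED
        result = encapsulate({"notification-path": rid}, value, include_denied)
    return json.dumps({"rpc-reply": result})


def parse_response(reply_text: str) -> dict:
    """First network device: parse the first response message. An rpc-error is
    raised rather than returned so it is never mistaken for a permission."""
    reply = json.loads(reply_text)
    if "rpc-error" in reply:
        raise PermissionError(reply["rpc-error"])
    return reply["rpc-reply"]


def query(requester: str, resource_id: str, include_denied: bool = True) -> dict:
    """Full round trip: first device builds the RPC, second device answers it,
    first device parses the reply into the operation-permission query result."""
    return parse_response(handle_query_rpc(build_query_rpc(resource_id, include_denied), requester))
```

With `include_denied=False` the reply for a resource the requester may not use carries only the resource identifier and no `value` field, which is the "second identifier" behaviour of claims 3 and 13; with the flag set the target value `denied` is carried explicitly. Errors are raised on the parsing side so that an unknown resource can never be read as a granted permission.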
Referring to fig. 36, an embodiment of the present application further provides a device 3600 for querying operation permissions; the device 3600 shown in fig. 36 is used to execute the operations of the method for querying operation permissions. The device 3600 includes a memory 3601, a processor 3602 and an interface 3603, which are connected through a bus 3604.
The memory 3601 stores at least one instruction, and the at least one instruction is loaded and executed by the processor 3602 to implement any of the above methods for querying operation permissions.
The interface 3603 is used for communication with other devices in the network; it may be implemented in a wireless or wired manner and may be, for example, a network card. For example, the device 3600 may communicate with other devices through the interface 3603.
For example, the device 3600 shown in fig. 36 is the first network device in fig. 1, and the processor 3602 reads the instructions in the memory 3601 so that the device 3600 can perform all or part of the operations performed by the first network device.
For another example, the device 3600 shown in fig. 36 is a network device shown in fig. 1, and the processor 3602 reads the instructions in the memory 3601 so that the device 3600 can perform all or part of the operations performed by the second network device.
It should be understood that fig. 36 shows only a simplified design of the device 3600. In practical applications, the device 3600 may include any number of interfaces, processors or memories. The processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor or any conventional processor. It is noted that the processor may be a processor supporting the advanced RISC machine (ARM) architecture.
Further, in an alternative embodiment, the memory may include both read-only memory and random access memory, and provide instructions and data to the processor. The memory may also include non-volatile random access memory. For example, the memory may also store device type information.
In an exemplary embodiment, another communication apparatus is provided, including a transceiver, a memory and a processor. The transceiver, the memory and the processor communicate with each other through an internal connection path; the memory stores instructions, and the processor executes the instructions stored in the memory to control the transceiver to receive and transmit signals. When the processor executes the instructions stored in the memory, the processor performs the method to be performed by the first network device.
In an exemplary embodiment, another communication apparatus is provided, including a transceiver, a memory and a processor. The transceiver, the memory and the processor communicate with each other through an internal connection path; the memory stores instructions, and the processor executes the instructions stored in the memory to control the transceiver to receive and transmit signals. When the processor executes the instructions stored in the memory, the processor performs the method to be performed by the second network device.
Optionally, there are one or more processors and one or more memories.
Alternatively, the memory may be integrated with the processor, or provided separately from the processor.
In a specific implementation, the memory may be a non-transitory memory, such as a read-only memory (ROM), which may be integrated on the same chip as the processor or disposed separately on a different chip.
In an exemplary embodiment, a system for querying operation authority is provided. The system includes a first network device and a second network device that are communicatively connected. For the method for querying operation authority executed by the first network device and the second network device, refer to the description of 301-315, which is not repeated here.
In an exemplary embodiment, a computer program (product) is provided, the computer program (product) comprising: computer program code which, when run by a computer, causes the computer to perform the method in the above description.
In an exemplary embodiment, a readable storage medium is provided, which stores a program or instructions, the method in the above description being performed when the program or instructions are run on a computer.
In an exemplary embodiment, a chip is provided, including a processor for calling instructions stored in a memory and executing them, so that a communication device in which the chip is installed performs the method described above.
In an exemplary embodiment, another chip is provided, including an input interface, an output interface, a processor and a memory, which are connected through an internal connection path. The processor is used to execute code in the memory, and when the code is executed, the processor performs the method described above.
It should be understood that the processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor or any conventional processor. It is noted that the processor may be a processor supporting the advanced RISC machine (ARM) architecture.
Further, in an alternative embodiment, the memory may include both read-only memory and random access memory, and provide instructions and data to the processor. The memory may also include non-volatile random access memory. For example, the memory may also store device type information.
The memory may be volatile memory or non-volatile memory, or may include both. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM) or a flash memory. The volatile memory may be a random access memory (RAM), which acts as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct Rambus RAM (DR RAM).
The present application provides a computer program which, when executed by a computer, may cause the processor or the computer to perform the respective steps and/or procedures of the above-described method embodiments.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized wholly or partially in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the procedures or functions described in the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, second network device or data center to another website, computer, second network device or data center by wire (e.g., coaxial cable, optical fiber, digital subscriber line) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device, such as a second network device or a data center, that includes one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk), among others.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (24)

1. A method for querying operational rights, the method comprising:
a second network device receives a first Remote Procedure Call (RPC) instruction sent by a first network device, where the first RPC instruction includes a first identifier of a first resource and is used to indicate querying of an operation authority for the first resource;
the second network device parses the first RPC instruction to obtain the first identifier;
the second network device obtains a value of a first operation authority according to the first identifier, where the value of the first operation authority is used to indicate whether the first network device has the first operation authority for the first resource; and
the second network device encapsulates an operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message, and sends the first response message to the first network device.
2. The method of claim 1, wherein the first RPC instruction further includes a second identifier, the second identifier is used to indicate whether to encapsulate the value of the first operation authority when the first operation authority is not held, and the encapsulating, by the second network device, the operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message comprises:
based on the value of the first operation authority being a non-target value, or the value of the first operation authority being a target value and the second identifier indicating that the value of the first operation authority is to be encapsulated when the first operation authority is not held, the second network device encapsulates the operation authority query result of the first resource according to the indication of the second identifier to obtain the first response message, where the operation authority query result of the first resource includes the value of the first operation authority, the target value is used to indicate that the first network device does not have the first operation authority for the first resource, and a non-target value is used to indicate that the first network device has the first operation authority for the first resource.
3. The method of claim 1, wherein the first RPC instruction further includes a second identifier, the second identifier is used to indicate whether to encapsulate the value of the first operation authority when the first operation authority is not held, and the encapsulating, by the second network device, the operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message comprises:
based on the value of the first operation authority being a target value and the second identifier indicating that the value of the first operation authority is not to be encapsulated when the first operation authority is not held, the second network device encapsulates the operation authority query result of the first resource according to the indication of the second identifier to obtain the first response message, where the operation authority query result of the first resource does not include the value of the first operation authority.
4. The method of any one of claims 1-3, wherein after the sending of the first response message to the first network device, the method further comprises:
the second network device receives a second RPC instruction sent by the first network device, where the second RPC instruction includes a third identifier of a second resource;
the second network device parses the second RPC instruction to obtain the third identifier;
the second network device determines at least one target network device from the network devices that have established a session with the second network device;
the second network device obtains, according to the third identifier, a value of a second operation authority corresponding to each target network device, where the value of the second operation authority corresponding to any target network device is used to indicate whether that target network device has the second operation authority for the second resource;
the second network device obtains an updated value of the second operation authority based on detecting that the value of the second operation authority corresponding to any target network device is updated; and
the second network device encapsulates the updated value of the second operation authority to obtain a notification message, and sends the notification message to that target network device.
5. The method of claim 4, wherein the second RPC instruction further includes a user identifier, and the determining, by the second network device, at least one target network device from the network devices that have established a session with the second network device comprises:
the second network device takes, among the first network devices, the network device indicated by the user identifier as the target network device.
6. The method of any one of claims 1-5, wherein the first resource is a YANG (Yet Another Next Generation) file, and the first identifier is a file name;
the obtaining, by the second network device, a value of a first operation authority according to the first identifier comprises:
the second network device determines, according to the file name, at least one sub-resource included in the YANG file, and obtains a value of a third operation authority corresponding to each sub-resource, where the value of the third operation authority corresponding to any sub-resource is used to indicate the operation authority of the first network device for that sub-resource, each sub-resource has a corresponding sub-identifier, and the at least one sub-resource includes at least one of a data node, a protocol operation and a notification; and
the encapsulating, by the second network device, the operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message comprises:
the second network device encapsulates an operation authority query result of the YANG file to obtain the first response message, where the operation authority query result of the YANG file includes the values of the third operation authorities corresponding to the sub-resources together with the sub-identifiers, and the sub-identifiers are in one-to-one correspondence with the values of the third operation authorities corresponding to the sub-resources.
7. The method of any one of claims 1-5, wherein the first resource is a data node, the first identifier is a node path, and the obtaining, by the second network device, the value of the first operation authority according to the first identifier comprises:
the second network device determines, according to the node path, at least one child node included in the data node, and obtains a value of a fourth operation authority and a value of a fifth operation authority corresponding to each child node, where the value of the fourth operation authority is used to indicate the operation authority of the first network device for the data node, the value of the fifth operation authority corresponding to any child node is used to indicate the operation authority of the first network device for that child node, and each child node has a corresponding child path; and
the encapsulating, by the second network device, the operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message comprises:
the second network device encapsulates an operation authority query result of the data node to obtain the first response message, where the operation authority query result of the data node includes the node path, each child path, the value of the fourth operation authority, and the value of the fifth operation authority corresponding to each child node; the node path corresponds to the value of the fourth operation authority, and the child paths are in one-to-one correspondence with the values of the fifth operation authorities corresponding to the child nodes.
8. The method of any one of claims 1-5, wherein the first resource is a protocol operation, and the first identifier is an operation path;
the encapsulating, by the second network device, the operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message comprises:
the second network device encapsulates an operation authority query result of the protocol operation to obtain the first response message, where the operation authority query result of the protocol operation includes the value of the first operation authority, and the value of the first operation authority is used to indicate whether the first network device has an execution authority for the protocol operation.
9. The method of any one of claims 1-5, wherein the first resource is a notification, and the first identifier is a notification path;
the encapsulating, by the second network device, the operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message comprises:
the second network device encapsulates an operation authority query result of the notification to obtain the first response message, where the operation authority query result of the notification includes the value of the first operation authority, and the value of the first operation authority is used to indicate whether the first network device has a read authority for the notification.
10. A method for querying operational rights, the method comprising:
a first network device obtains a first identifier of a first resource whose operation permission is to be queried, and encapsulates the first identifier to obtain a first Remote Procedure Call (RPC) instruction, where the first RPC instruction is used to indicate querying of the operation permission for the first resource;
the first network device sends the first RPC instruction to a second network device;
the first network device receives a first response message sent by the second network device according to the first RPC instruction, where the first response message includes an operation permission query result of the first resource, the first response message is obtained by the second network device encapsulating the operation permission query result of the first resource according to a value of a first operation permission, and the value of the first operation permission is used to indicate whether the first network device has the first operation permission for the first resource; and
the first network device parses the first response message to obtain the operation permission query result of the first resource.
11. The method of claim 10, wherein the encapsulating the first identifier to obtain a first Remote Procedure Call (RPC) instruction comprises:
the first network device obtains a second identifier, where the second identifier is used to indicate whether to encapsulate the value of the first operation permission when the first operation permission is not held; and
the first network device encapsulates the first identifier and the second identifier to obtain the first RPC instruction.
12. The method of claim 11, wherein the parsing, by the first network device, the first response message to obtain the operation permission query result of the first resource comprises:
the first network device parses the first response message, and the obtained operation permission query result of the first resource includes the value of the first operation permission, where the first response message is obtained by the second network device encapsulating the operation permission query result of the first resource according to the second identifier, based on the value of the first operation permission being a non-target value, or the value of the first operation permission being a target value and the second identifier indicating that the value of the first operation permission is to be encapsulated when the first operation permission is not held; the target value is used to indicate that the first network device does not have the first operation permission for the first resource, and a non-target value is used to indicate that the first network device has the first operation permission for the first resource.
13. The method of claim 11, wherein the parsing, by the first network device, the first response message to obtain the operation permission query result of the first resource comprises:
the first network device parses the first response message, and the obtained operation permission query result of the first resource does not include the value of the first operation permission, where the first response message is obtained by the second network device encapsulating the operation permission query result of the first resource according to the indication of the second identifier, based on the value of the first operation permission being a target value and the second identifier indicating that the value of the first operation permission is not to be encapsulated when the first operation permission is not held; the target value is used to indicate that the first network device does not have the operation permission for the first resource.
14. The method of any one of claims 10-13, wherein after the first network device parses the first response message and obtains the operation permission query result of the first resource, the method further comprises:
the first network device obtains a third identifier of a second resource whose operation permission is to be updated, where the third identifier is used by the second network device to obtain a value of a second operation permission corresponding to each target network device, the value of the second operation permission corresponding to any target network device is used to indicate whether that target network device has the second operation permission for the second resource, and the second network device, based on detecting that the value of the second operation permission corresponding to any target network device is updated, obtains the updated value of the second operation permission, encapsulates it to obtain a notification message, and sends the notification message to that target network device; and
the first network device encapsulates the third identifier to obtain a second RPC instruction, and sends the second RPC instruction to the second network device.
15. The method of claim 14, wherein the encapsulating, by the first network device, the third identifier to obtain a second RPC instruction comprises:
the first network device obtains a user identifier, where the user identifier is used by the second network device to take the network device indicated by the user identifier as the target network device; and
the first network device encapsulates the second identifier and the user identifier to obtain the second RPC instruction.
16. The method of any one of claims 10-15, wherein the first resource is a YANG (Yet Another Next Generation) file, the first identifier is a file name, the file name is used by the second network device to determine at least one sub-resource included in the YANG file, the at least one sub-resource includes at least one of a data node, a protocol operation and a notification, each sub-resource has a corresponding sub-identifier, and the parsing, by the first network device, the first response message to obtain the operation permission query result of the first resource comprises:
the first network device parses the first response message to obtain an operation permission query result of the YANG file, where the operation permission query result of the YANG file includes the values of third operation permissions corresponding to the sub-resources together with the sub-identifiers, and the sub-identifiers are in one-to-one correspondence with the values of the third operation permissions corresponding to the sub-resources.
17. The method of any one of claims 10-15, wherein the first resource is a data node, the first identifier is a node path, the node path is used by the second network device to determine at least one child node included in the data node, each child node has a corresponding child path, and the parsing, by the first network device, the first response message to obtain the operation permission query result of the first resource comprises:
the first network device parses the first response message to obtain an operation permission query result of the data node, where the operation permission query result of the data node includes the node path, each child path, a value of a fourth operation permission, and a value of a fifth operation permission corresponding to each child node; the node path corresponds to the value of the fourth operation permission, and the child paths are in one-to-one correspondence with the values of the fifth operation permissions corresponding to the child nodes.
18. The method of any one of claims 10-15, wherein the first resource is a protocol operation, the first identifier is an operation path, and the parsing, by the first network device, the first response message to obtain the operation permission query result of the first resource comprises:
the first network device parses the first response message to obtain an operation permission query result of the protocol operation, where the operation permission query result of the protocol operation includes the value of the first operation permission, and the value of the first operation permission is used to indicate whether the first network device has an execution permission for the protocol operation.
19. The method of any one of claims 10-15, wherein the first resource is a notification, the first identifier is a notification path, and the parsing, by the first network device, the first response message to obtain the operation permission query result of the first resource comprises:
the first network device parses the first response message to obtain an operation permission query result of the notification, where the operation permission query result of the notification includes the value of the first operation permission, and the value of the first operation permission is used to indicate whether the first network device has a read permission for the notification.
20. An apparatus for querying operation authority, the apparatus comprising:
a receiving module, configured to receive, by a second network device, a first Remote Procedure Call (RPC) instruction sent by a first network device, wherein the first RPC instruction comprises a first identifier of a first resource and is used to request a query of the operation authority for the first resource;
a parsing module, configured to parse, by the second network device, the first RPC instruction to obtain the first identifier;
an obtaining module, configured to obtain, by the second network device, a value of a first operation authority according to the first identifier, wherein the value of the first operation authority indicates whether the first network device has the first operation authority for the first resource; and
a sending module, configured to encapsulate, by the second network device, the operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message, and to send the first response message to the first network device.
21. An apparatus for querying operation authority, the apparatus comprising:
an obtaining module, configured to obtain, by a first network device, a first identifier of a first resource whose operation authority is to be queried, and to encapsulate the first identifier to obtain a first Remote Procedure Call (RPC) instruction;
a sending module, configured to send, by the first network device, the first RPC instruction to a second network device;
a receiving module, configured to receive, by the first network device, a first response message sent by the second network device according to the first RPC instruction, wherein the first response message comprises the operation authority query result of the first resource and is obtained by the second network device encapsulating that result according to a value of a first operation authority, the value of the first operation authority indicating whether the first network device has the first operation authority for the first resource; and
a parsing module, configured to parse, by the first network device, the first response message to obtain the operation authority query result of the first resource.
22. An apparatus for querying operation authority, the apparatus comprising a memory and a processor; the memory has stored therein at least one instruction that is loaded and executed by the processor to implement the method of querying operational rights as set forth in any of claims 1-9 or 10-19.
23. A system for querying operation authority, the system comprising a first network device and a second network device that are communicatively connected, wherein:
the second network device is configured to execute the method for querying operation authority according to any one of claims 1 to 9, and the first network device is configured to execute the method for querying operation authority according to any one of claims 10 to 19.
24. A computer-readable storage medium having stored thereon at least one instruction which is loaded and executed by a processor to perform a method of querying operational rights as claimed in any of claims 1-19.
CN202010895643.2A 2020-08-31 2020-08-31 Method, device, equipment and computer readable storage medium for inquiring operation authority Active CN114205098B (en)

Publications (2)

Publication Number Publication Date
CN114205098A true CN114205098A (en) 2022-03-18
CN114205098B CN114205098B (en) 2023-12-15

Family

ID=80644180

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant