CN114205098B - Method, device, equipment and computer readable storage medium for inquiring operation authority - Google Patents
- Publication number: CN114205098B
- Application number: CN202010895643.2A
- Authority: CN (China)
- Prior art keywords: network device, value, operation authority, resource, identifier
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application discloses a method, an apparatus, a device and a computer readable storage medium for querying operation authority, belonging to the technical field of communications. Taking the second network device as the executing party, the second network device first receives a first RPC instruction sent by the first network device, the first RPC instruction carrying a first identifier of a first resource and indicating that the operation authority for the first resource is to be queried. The second network device parses the first RPC instruction to obtain the first identifier, and obtains a value of a first operation authority according to the first identifier, the value indicating whether the first network device has the first operation authority for the first resource. The second network device then encapsulates the operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message, and sends the first response message to the first network device. The first network device thus obtains the operation authority query result of the first resource directly, which makes the query of operation authority more direct and improves its efficiency.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method, an apparatus, a device, and a computer readable storage medium for querying operation rights.
Background
With the development of communication technology, more and more communication protocols are used between a first network device (client) and a second network device (server). The Network Configuration Protocol (NETCONF), which communicates through a remote procedure call (RPC) mechanism, is one of them. The RPC mechanism refers to the following: the first network device sends an RPC instruction to the second network device, and the second network device returns a response message (rpc-reply) to the first network device according to the RPC instruction. In practice the second network device often stores a plurality of resources, and the first network device may have different operation authority for different resources. It is therefore desirable to provide a method, based on the RPC mechanism, for querying the operation authority of the first network device for each resource.
In the related art, the first network device sends an RPC instruction for performing a target operation on a target resource to the second network device, and indirectly determines whether it has the authority for the target operation on the target resource from the response message the second network device returns for that instruction. For example, the first network device sends an RPC instruction to read the target resource. If the response message returned by the second network device is an error message (rpc-error) indicating that the first network device cannot perform the read, it is determined that the first network device does not have read authority for the target resource; if the response message includes the target resource, it is determined that the first network device has read authority for the target resource.
However, the related art can only determine the operation authority of the first network device for each resource indirectly, from the response message returned for an attempted operation; the determination is not direct, and the query efficiency is low.
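As an added illustration of the related-art inference described above (example code written for this page, not code from the patent), the client has to issue the real operation and then classify the rpc-reply. The sample replies are constructed here in the RFC 6241 rpc-reply format; the resource contents are illustrative.

```python
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"  # RFC 6241 base namespace

# Constructed sample rpc-reply messages (not taken from the patent): a <get>
# that returned data, an access-denied <rpc-error>, an unrelated error and an
# empty <data/>.
REPLY_WITH_DATA = f"""<rpc-reply message-id="101" xmlns="{NC}">
  <data><interfaces><interface><name>eth0</name></interface></interfaces></data>
</rpc-reply>"""

REPLY_ACCESS_DENIED = f"""<rpc-reply message-id="102" xmlns="{NC}">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>access-denied</error-tag>
    <error-severity>error</error-severity>
  </rpc-error>
</rpc-reply>"""

REPLY_OTHER_ERROR = f"""<rpc-reply message-id="103" xmlns="{NC}">
  <rpc-error>
    <error-type>rpc</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
  </rpc-error>
</rpc-reply>"""

REPLY_EMPTY_DATA = f"""<rpc-reply message-id="104" xmlns="{NC}"><data/></rpc-reply>"""


def infer_read_permission(reply_xml: str):
    """Related-art inference from an attempted <get>.

    Returns True when the reply carries data, False when the server answered
    with an access-denied rpc-error, and None when the reply does not settle
    the question (any other error, or a <data/> with nothing in it).
    """
    root = ET.fromstring(reply_xml)
    data = root.find(f"{{{NC}}}data")
    if data is not None:
        # Only a non-empty <data> proves read access to something.
        return True if len(data) else None
    tags = [e.text.strip() for e in root.iter(f"{{{NC}}}error-tag") if e.text]
    if "access-denied" in tags:
        return False
    return None
```

Two caveats a practitioner would add. Under NACM (RFC 8341) a data node the session may not read is silently pruned from `<get>` output rather than reported with an error, so a reply that contains data proves nothing about one particular node; that is why the empty-data case returns None rather than False. And probing write or execute authority this way means actually performing the operation: an `<edit-config>` or `<delete-config>` that turns out to be permitted really takes effect. That is the security cost of the related art and the practical reason for a dedicated query RPC.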
Disclosure of Invention
The embodiments of the application provide a method, an apparatus, a device and a computer readable storage medium for querying operation authority, so as to solve the problems of the related art. The technical solution is as follows:
In a first aspect, a method for querying operation authority is provided, described with the second network device as the executing party. The second network device receives a first RPC instruction sent by a first network device, the first RPC instruction including a first identifier of a first resource and indicating that the operation authority for the first resource is to be queried. The second network device parses the first RPC instruction to obtain the first identifier, and obtains a value of a first operation authority according to the first identifier, the value of the first operation authority indicating whether the first network device has the first operation authority for the first resource. The second network device then encapsulates the operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message, and sends the first response message to the first network device.
By defining an RPC instruction dedicated to querying operation authority, the second network device can obtain the value of the first operation authority from the first identifier of the first resource carried in that instruction, and feed back to the first network device a first response message that encapsulates the operation authority query result of the first resource. The first network device therefore obtains the query result directly, which makes the query of operation authority more direct and improves its efficiency.
In one possible implementation, the first RPC instruction further includes a second identifier, which indicates whether the value of the first operation authority is to be encapsulated when the first operation authority is not held. In that case the second network device encapsulates the operation authority query result of the first resource according to the value of the first operation authority as follows: when the value of the first operation authority is a non-target value, or when the value of the first operation authority is the target value and the second identifier indicates that the value is to be encapsulated even when the first operation authority is not held, the second network device encapsulates the operation authority query result of the first resource according to the indication of the second identifier to obtain the first response message, and the operation authority query result of the first resource includes the value of the first operation authority. Here the target value indicates that the first network device does not have the first operation authority for the first resource, and a non-target value indicates that it does.
That is, the value of the first operation authority is encapsulated even when the first network device does not have the first operation authority for the first resource. The operation authority query result in the first response message therefore contains both the values that indicate authority held and the values that indicate authority not held, which makes the query result more explicit.
In one possible implementation, the first RPC instruction further includes a second identifier, which indicates whether the value of the first operation authority is to be encapsulated when the first operation authority is not held. In that case, when the value of the first operation authority is the target value and the second identifier indicates that the value is not to be encapsulated when the first operation authority is not held, the second network device encapsulates the operation authority query result of the first resource according to the indication of the second identifier to obtain the first response message, and the operation authority query result of the first resource does not include the value of the first operation authority.
That is, the value of the first operation authority is not encapsulated when the first network device does not have the first operation authority for the first resource. The operation authority query result in the first response message then contains only values that indicate authority held, which avoids wasting transmission resources.
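To make the two encapsulation rules above concrete, here is an added example of the exchange with both sides in one process. It is written for this page and is not code from the patent; the page gives no wire format, so the element names, the namespace `urn:example:operation-authority-query`, the `include-denied` flag standing in for the second identifier, and the rule table are all assumptions. The value `deny` plays the role of the target value and `permit` of the non-target value.

```python
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"   # RFC 6241
QNS = "urn:example:operation-authority-query"    # hypothetical namespace for the new RPC

DENY, PERMIT = "deny", "permit"   # target value / non-target value

# Constructed rule table for the requesting session, keyed by (resource, operation).
# Sample data; a resource/operation pair with no entry defaults to deny.
RULES = {
    ("/ietf-interfaces:interfaces", "read"): PERMIT,
    ("/ietf-interfaces:interfaces", "update"): DENY,
    ("/ietf-system:system", "read"): PERMIT,
}


def build_query_rpc(message_id, resource_id, operation, include_denied):
    """First network device: encapsulate the first identifier (resource) and the
    second identifier (include-denied flag) into an <rpc>."""
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": str(message_id)})
    q = ET.SubElement(rpc, f"{{{QNS}}}query-operation-authority")
    ET.SubElement(q, f"{{{QNS}}}resource").text = resource_id
    ET.SubElement(q, f"{{{QNS}}}operation").text = operation
    ET.SubElement(q, f"{{{QNS}}}include-denied").text = "true" if include_denied else "false"
    return ET.tostring(rpc, encoding="unicode")


def lookup_value(resource_id, operation):
    return RULES.get((resource_id, operation), DENY)


def handle_query(rpc_xml):
    """Second network device: parse the identifiers, obtain the value, encapsulate."""
    rpc = ET.fromstring(rpc_xml)
    q = rpc.find(f"{{{QNS}}}query-operation-authority")
    resource = q.findtext(f"{{{QNS}}}resource")
    operation = q.findtext(f"{{{QNS}}}operation")
    include_denied = q.findtext(f"{{{QNS}}}include-denied") == "true"
    value = lookup_value(resource, operation)

    reply = ET.Element(f"{{{NC}}}rpc-reply", {"message-id": rpc.get("message-id")})
    result = ET.SubElement(reply, f"{{{QNS}}}operation-authority-result")
    ET.SubElement(result, f"{{{QNS}}}resource").text = resource
    ET.SubElement(result, f"{{{QNS}}}operation").text = operation
    # A permit value is always encapsulated; a deny value is encapsulated only
    # when the second identifier asks for it. Otherwise the result has no value.
    if value == PERMIT or include_denied:
        ET.SubElement(result, f"{{{QNS}}}value").text = value
    return ET.tostring(reply, encoding="unicode")


def parse_query_result(reply_xml):
    """First network device: read the query result; value is None when omitted."""
    reply = ET.fromstring(reply_xml)
    result = reply.find(f"{{{QNS}}}operation-authority-result")
    return {
        "resource": result.findtext(f"{{{QNS}}}resource"),
        "operation": result.findtext(f"{{{QNS}}}operation"),
        "value": result.findtext(f"{{{QNS}}}value"),
    }


def query(message_id, resource_id, operation, include_denied=True):
    """Round trip of both sides in one process."""
    return parse_query_result(handle_query(
        build_query_rpc(message_id, resource_id, operation, include_denied)))
```

Two design choices worth keeping in a real implementation: a client that sent `include-denied` as false must treat an absent `<value>` as deny, never as unknown; and the server answers deny for a resource that matches no rule instead of returning an error, so the query RPC does not become an oracle for which paths exist.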
In one possible implementation, after sending the first response message to the first network device, the method further includes: the second network device receives a second RPC instruction sent by the first network device, the second RPC instruction including a third identifier of a second resource; the second network device parses the second RPC instruction to obtain the third identifier; the second network device determines at least one target network device from among the network devices with which it has established a session; the second network device obtains, according to the third identifier, the value of a second operation authority corresponding to each target network device, the value corresponding to any target network device indicating whether that target network device has the second operation authority for the second resource; when it detects that the value of the second operation authority corresponding to any target network device has been updated, the second network device obtains the updated value of the second operation authority; and the second network device encapsulates the updated value of the second operation authority to obtain a notification message and sends the notification message to that target network device.
When an update to the value of the second operation authority corresponding to a target network device is detected, the target network device is informed of the updated value in time through the notification message, which improves system security.
In one possible implementation, the second RPC instruction further includes a user identifier, and the second network device determines the at least one target network device from among the network devices with which it has established a session by taking, as target network devices, those network devices indicated by the user identifier.
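An added example (written for this page, not code from the patent) of the update-notification mechanism in the three paragraphs above: a small in-process model of the second network device that tracks sessions, rules and subscriptions, takes the user identifier as an optional filter for the target sessions, and emits a notification to a target session only when that session's value actually changes. The event name `operation-authority-changed`, its namespace, and the rule table are assumptions; the `<notification>` wrapper uses the RFC 5277 namespace.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NOTIF_NS = "urn:ietf:params:xml:ns:netconf:notification:1.0"  # RFC 5277
QNS = "urn:example:operation-authority-query"                   # hypothetical event namespace


def encapsulate_notification(resource, operation, value):
    """Encapsulate the updated value into a NETCONF <notification> message."""
    n = ET.Element(f"{{{NOTIF_NS}}}notification")
    ET.SubElement(n, f"{{{NOTIF_NS}}}eventTime").text = datetime.now(timezone.utc).isoformat()
    ev = ET.SubElement(n, f"{{{QNS}}}operation-authority-changed")
    ET.SubElement(ev, f"{{{QNS}}}resource").text = resource
    ET.SubElement(ev, f"{{{QNS}}}operation").text = operation
    ET.SubElement(ev, f"{{{QNS}}}value").text = value
    return ET.tostring(n, encoding="unicode")


def parse_notification(xml):
    """Target network device side: recover resource, operation and new value."""
    ev = ET.fromstring(xml).find(f"{{{QNS}}}operation-authority-changed")
    return {k: ev.findtext(f"{{{QNS}}}{k}") for k in ("resource", "operation", "value")}


class AuthorityServer:
    """Second network device: sessions, rules, subscriptions and change detection."""

    def __init__(self):
        self.sessions = {}    # session_id -> user name
        self.rules = {}       # (user, resource, operation) -> "permit" | "deny"
        self.subs = []        # (resource, operation, [target session ids])
        self.last_sent = {}   # (session_id, resource, operation) -> last value known to it

    def open_session(self, session_id, user):
        self.sessions[session_id] = user

    def value_for(self, session_id, resource, operation):
        user = self.sessions[session_id]
        return self.rules.get((user, resource, operation), "deny")  # default deny

    def subscribe(self, resource, operation, user_filter=None):
        """Second RPC: third identifier = resource. The optional user identifier
        narrows the target network devices to the sessions of that user."""
        targets = [sid for sid, u in self.sessions.items()
                   if user_filter is None or u == user_filter]
        for sid in targets:
            self.last_sent[(sid, resource, operation)] = self.value_for(sid, resource, operation)
        self.subs.append((resource, operation, targets))
        return targets

    def set_rule(self, user, resource, operation, value):
        """Rule change on the server. Returns (session_id, notification) pairs
        for every target whose value actually changed."""
        self.rules[(user, resource, operation)] = value
        out = []
        for res, op, targets in self.subs:
            if (res, op) != (resource, operation):
                continue
            for sid in targets:
                new = self.value_for(sid, res, op)
                if self.last_sent.get((sid, res, op)) != new:
                    self.last_sent[(sid, res, op)] = new
                    out.append((sid, encapsulate_notification(res, op, new)))
        return out
```

The notification goes to the affected session, not only to the session that issued the second RPC, and a client that caches query results should invalidate the cached value for that resource when it arrives; otherwise a revoked permission survives in the client's cache until its next explicit query.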
In one possible implementation, the first resource is a YANG (Yet Another Next Generation) file and the first identifier is a file name;
the second network device obtains the value of the first operation authority according to the first identifier as follows: the second network device determines, according to the file name, at least one sub-resource included in the YANG file, and obtains the value of a third operation authority corresponding to each sub-resource, where the value of the third operation authority corresponding to any sub-resource indicates the operation authority of the first network device for that sub-resource, each sub-resource has a corresponding sub-identifier, and the at least one sub-resource includes at least one of a data node, a protocol operation and a notification;
the second network device encapsulates the operation authority query result of the first resource according to the value of the first operation authority as follows: the second network device encapsulates the operation authority query result of the YANG file to obtain the first response message, where the operation authority query result of the YANG file includes the sub-identifier of each sub-resource and the value of the third operation authority corresponding to it, the sub-identifiers corresponding one-to-one with the values of the third operation authorities.
In one possible implementation, the first resource is a data node and the first identifier is a node path;
the second network device obtains the value of the first operation authority according to the first identifier as follows: the second network device determines, according to the node path, at least one sub-node included in the data node, and obtains the value of a fourth operation authority and the value of a fifth operation authority corresponding to each sub-node, where the value of the fourth operation authority indicates the operation authority of the first network device for the data node itself, the value of the fifth operation authority corresponding to any sub-node indicates the operation authority of the first network device for that sub-node, and each sub-node has a corresponding sub-path;
the second network device encapsulates the operation authority query result of the first resource according to the value of the first operation authority as follows: the second network device encapsulates the operation authority query result of the data node to obtain the first response message, where the operation authority query result of the data node includes the node path, each sub-path, the value of the fourth operation authority and the value of the fifth operation authority corresponding to each sub-node; the node path corresponds to the value of the fourth operation authority, and the sub-paths correspond one-to-one with the values of the fifth operation authorities.
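An added example (written for this page, not code from the patent) of the two hierarchical cases above: a YANG file name expands to its data nodes, protocol operations and notifications, and a data node path expands to the node itself plus its sub-nodes, with each sub-identifier paired one-to-one with its value. The module catalogue, the paths and the granted permissions are constructed sample data (the RPC and notification paths under `ietf-interfaces` are hypothetical); the operation names follow the NACM (RFC 8341) access operations, with read/create/update/delete for data nodes, exec for protocol operations and read for notifications.

```python
# Constructed catalogue of the sub-resources of one YANG module (sample data,
# not from the patent; the RPC and notification paths are hypothetical).
MODULES = {
    "ietf-interfaces": {
        "data-node": [
            "/ietf-interfaces:interfaces",
            "/ietf-interfaces:interfaces/interface",
            "/ietf-interfaces:interfaces/interface/enabled",
        ],
        "protocol-operation": ["/ietf-interfaces:reset-interface"],
        "notification": ["/ietf-interfaces:link-state-change"],
    }
}

# Which access operations apply to which kind of sub-resource.
OPERATIONS = {
    "data-node": ("read", "create", "update", "delete"),
    "protocol-operation": ("exec",),
    "notification": ("read",),
}

# Operations explicitly granted to the requesting session; anything not listed
# is deny (constructed sample data).
GRANTED = {
    "/ietf-interfaces:interfaces": {"read"},
    "/ietf-interfaces:interfaces/interface": {"read"},
    "/ietf-interfaces:interfaces/interface/enabled": {"read", "update"},
    "/ietf-interfaces:link-state-change": {"read"},
}


def kind_of(path):
    """Classify a sub-identifier as data node, protocol operation or notification."""
    for mod in MODULES.values():
        for kind, paths in mod.items():
            if path in paths:
                return kind
    raise KeyError(path)


def value_vector(path):
    """Full permit/deny vector for one sub-resource, defaulting to deny."""
    granted = GRANTED.get(path, set())
    return {op: ("permit" if op in granted else "deny") for op in OPERATIONS[kind_of(path)]}


def query_yang_file(file_name):
    """First identifier = file name: one entry per sub-resource, sub-identifier
    paired with its value (the third operation authority)."""
    return [{"kind": kind, "sub-identifier": p, "value": value_vector(p)}
            for kind, paths in MODULES[file_name].items() for p in paths]


def query_data_node(node_path):
    """First identifier = node path: the node's own value (fourth operation
    authority) plus one entry per sub-node keyed by sub-path (fifth)."""
    if kind_of(node_path) != "data-node":
        raise ValueError(f"{node_path} is not a data node")
    subs = [p for mod in MODULES.values() for p in mod["data-node"]
            if p.startswith(node_path + "/")]
    return {
        "node-path": node_path,
        "value": value_vector(node_path),
        "sub-nodes": [{"sub-path": p, "value": value_vector(p)} for p in subs],
    }
```

Returning the complete permit/deny vector for every sub-resource, with deny filled in for anything not explicitly granted, is the form a client can act on without a second round trip; it corresponds to the case in which the second identifier asks for denied values to be encapsulated.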
In one possible implementation, the first resource is a protocol operation, and the first identifier is an operation path;
the second network device encapsulates an operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message, including: the second network equipment encapsulates an operation authority query result of the protocol operation to obtain a first response message, wherein the operation authority query result of the protocol operation comprises a value of the first operation authority, and the value of the first operation authority is used for indicating whether the first network equipment has an execution authority for the protocol operation or not.
In one possible implementation, the first resource is a notification and the first identifier is a notification path;
the second network device encapsulates an operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message, including: the second network equipment encapsulates the notified operation authority query result to obtain a first response message, wherein the notified operation authority query result comprises a first operation authority value, and the first operation authority value is used for indicating whether the first network equipment has reading authority for the notification.
In a second aspect, a method for querying operation authority is provided, including: the first network device obtains a first identifier of a first resource whose operation authority is to be queried, and encapsulates the first identifier to obtain a first remote procedure call (RPC) instruction, the first RPC instruction indicating that the operation authority for the first resource is to be queried; the first network device sends the first RPC instruction to the second network device; the first network device receives a first response message sent by the second network device according to the first RPC instruction, the first response message including the operation authority query result of the first resource, which the second network device encapsulated according to the value of a first operation authority, the value of the first operation authority indicating whether the first network device has the first operation authority for the first resource; and the first network device parses the first response message to obtain the operation authority query result of the first resource.
In one possible implementation, encapsulating the first identification of the first resource to obtain the first remote procedure call RPC instruction includes: the first network device obtains a second identifier, wherein the second identifier is used for indicating whether the value of the first operation authority is packaged or not under the condition of not having the first operation authority; the first network device encapsulates the first identifier and the second identifier to obtain a first RPC instruction.
In one possible implementation, the first network device parses the first response message to obtain an operation authority query result of the first resource that includes the value of the first operation authority. Such a first response message is obtained by the second network device encapsulating the operation authority query result of the first resource according to the indication of the second identifier when the value of the first operation authority is a non-target value, or when the value is the target value and the second identifier indicates that the value is to be encapsulated even when the first operation authority is not held; the target value indicates that the first network device does not have the first operation authority for the first resource, and a non-target value indicates that it does.
In one possible implementation, the first network device parses the first response message to obtain an operation authority query result of the first resource that does not include the value of the first operation authority. Such a first response message is obtained by the second network device encapsulating the operation authority query result of the first resource according to the indication of the second identifier when the value of the first operation authority is the target value and the second identifier indicates that the value is not to be encapsulated when the first operation authority is not held; the target value indicates that the first network device does not have the first operation authority for the first resource.
In one possible implementation, after the first network device parses the first response message to obtain the operation authority query result of the first resource, the method further includes: the first network device obtains a third identifier of a second resource for which updates of operation authority are to be notified, encapsulates the third identifier to obtain a second RPC instruction, and sends the second RPC instruction to the second network device. The third identifier is used by the second network device to obtain the value of a second operation authority corresponding to each target network device, the value corresponding to any target network device indicating whether that target network device has the second operation authority for the second resource; when the second network device detects that the value of the second operation authority corresponding to any target network device has been updated, it obtains the updated value, encapsulates the updated value to obtain a notification message, and sends the notification message to that target network device.
In one possible implementation, the first network device encapsulates the third identifier to obtain the second RPC instruction as follows: the first network device obtains a user identifier, which the second network device uses to take the network devices indicated by the user identifier as target network devices; the first network device encapsulates the third identifier and the user identifier to obtain the second RPC instruction.
In one possible implementation, the first resource is a YANG (Yet Another Next Generation) file and the first identifier is a file name, which the second network device uses to determine at least one sub-resource included in the YANG file; the at least one sub-resource includes at least one of a data node, a protocol operation and a notification, and each sub-resource has a corresponding sub-identifier. The first network device parses the first response message to obtain the operation authority query result of the first resource as follows: the first network device parses the first response message to obtain the operation authority query result of the YANG file, which includes the sub-identifier of each sub-resource and the value of the third operation authority corresponding to it, the sub-identifiers corresponding one-to-one with the values of the third operation authorities.
In one possible implementation manner, the first resource is a data node, the first identifier is a node path, the node path is used for determining at least one sub-node included in the data node by the second network device, any sub-node has a corresponding sub-path, the first network device analyzes the first response message to obtain an operation authority query result of the first resource, and the method includes: the first network equipment analyzes the first response message to obtain an operation authority query result of the data node, wherein the operation authority query result of the data node comprises a node path, each sub-path, a value of a fourth operation authority and a value of a fifth operation authority corresponding to each sub-node, the node path corresponds to the value of the fourth operation authority, and the sub-paths correspond to the values of the fifth operation authorities corresponding to the sub-nodes one by one.
In one possible implementation manner, the first resource is a protocol operation, the first identifier is an operation path, the first network device parses the first response message to obtain an operation authority query result of the first resource, and the method includes: the first network device analyzes the first response message to obtain an operation authority query result of the protocol operation, wherein the operation authority query result of the protocol operation comprises a value of the first operation authority, and the value of the first operation authority is used for indicating whether the first network device has an execution authority for the protocol operation.
In one possible implementation manner, the first resource is a notification, the first identifier is a notification path, the first network device parses the first response message to obtain an operation permission query result of the first resource, and the method includes: the first network device analyzes the first response message to obtain a notified operation authority query result, wherein the notified operation authority query result comprises a first operation authority value, and the first operation authority value is used for indicating whether the first network device has reading authority for the notification.
In a third aspect, an apparatus for querying an operation authority is provided, where the apparatus includes:
a receiving module, used for the second network device to receive a first remote procedure call (RPC) instruction sent by a first network device, the first RPC instruction including a first identifier of a first resource and indicating that the operation authority for the first resource is to be queried;
a parsing module, used for the second network device to parse the first RPC instruction to obtain the first identifier;
a module used for the second network device to obtain a value of a first operation authority according to the first identifier, the value of the first operation authority indicating whether the first network device has the first operation authority for the first resource; and
a sending module, used for the second network device to encapsulate the operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message, and to send the first response message to the first network device.
In one possible implementation, the first RPC instruction further includes a second identifier, which indicates whether the value of the first operation authority is to be encapsulated when the first operation authority is not held, and the sending module is used for the second network device to encapsulate, when the value of the first operation authority is a non-target value, or when the value of the first operation authority is the target value and the second identifier indicates that the value is to be encapsulated even when the first operation authority is not held, the operation authority query result of the first resource according to the indication of the second identifier to obtain the first response message, the operation authority query result of the first resource including the value of the first operation authority; the target value indicates that the first network device does not have the first operation authority for the first resource, and a non-target value indicates that it does.
In one possible implementation, the first RPC instruction further includes a second identifier, which indicates whether the value of the first operation authority is to be encapsulated when the first operation authority is not held, and the sending module is used for the second network device to encapsulate, when the value of the first operation authority is the target value and the second identifier indicates that the value is not to be encapsulated when the first operation authority is not held, the operation authority query result of the first resource according to the indication of the second identifier to obtain the first response message, the operation authority query result of the first resource not including the value of the first operation authority.
In one possible implementation, the receiving module is further used for the second network device to receive a second RPC instruction sent by the first network device, the second RPC instruction including a third identifier of a second resource; the second network device parses the second RPC instruction to obtain the third identifier; determines at least one target network device from among the network devices with which it has established a session; obtains, according to the third identifier, the value of a second operation authority corresponding to each target network device, the value corresponding to any target network device indicating whether that target network device has the second operation authority for the second resource; obtains the updated value of the second operation authority when it detects that the value corresponding to any target network device has been updated; and encapsulates the updated value of the second operation authority to obtain a notification message and sends the notification message to that target network device.
In one possible implementation, the second RPC instruction further includes a user identifier, and the receiving module is used for the second network device to take, as target network devices, the network devices indicated by the user identifier from among the network devices with which it has established a session.
In one possible implementation, the first resource is a yet another next generation (YANG) file and the first identifier is a file name;
the second network device is configured to determine, according to the file name, at least one sub-resource included in the YANG file and to obtain the value of the third operation authority corresponding to each sub-resource, where the value corresponding to any sub-resource indicates the operation authority of the first network device on that sub-resource, each sub-resource has a corresponding sub-identifier, and the at least one sub-resource comprises at least one of a data node, a protocol operation and a notification;
the sending module is configured so that the second network device encapsulates the operation authority query result of the YANG file to obtain the first response message, where the query result of the YANG file comprises the value of the third operation authority corresponding to each sub-resource together with its sub-identifier, the sub-identifiers corresponding one-to-one with the values of the third operation authority of the sub-resources.
In one possible implementation, the first resource is a data node and the first identifier is a node path;
the second network device determines, according to the node path, that the data node comprises at least one sub-node, and obtains the value of a fourth operation authority and the value of a fifth operation authority corresponding to each sub-node, where the value of the fourth operation authority indicates the operation authority of the first network device on the data node, the value of the fifth operation authority corresponding to any sub-node indicates the operation authority of the first network device on that sub-node, and each sub-node has a corresponding sub-path;
the sending module is configured so that the second network device encapsulates the operation authority query result of the data node to obtain the first response message, where the query result of the data node comprises the node path, each sub-path, the value of the fourth operation authority and the value of the fifth operation authority corresponding to each sub-node, the node path corresponding to the value of the fourth operation authority and the sub-paths corresponding one-to-one with the values of the fifth operation authority of the sub-nodes.
In one possible implementation, the first resource is a protocol operation and the first identifier is an operation path;
the sending module is configured so that the second network device encapsulates the operation authority query result of the protocol operation to obtain the first response message, where the query result comprises the value of the first operation authority, which indicates whether the first network device has execution authority for the protocol operation.
In one possible implementation, the first resource is a notification and the first identifier is a notification path;
the sending module is configured so that the second network device encapsulates the operation permission query result of the notification to obtain the first response message, where the query result comprises the value of the first operation permission, which indicates whether the first network device has read permission for the notification.
In a fourth aspect, an apparatus for querying an operation authority is provided, where the apparatus includes:
an acquisition module, used by the first network device to acquire a first identifier of a first resource whose operation authority is to be queried, and to encapsulate the first identifier to obtain a first Remote Procedure Call (RPC) instruction;
a sending module, used by the first network device to send the first RPC instruction to the second network device;
the first network device is configured to receive a first response message sent by the second network device according to the first RPC instruction, where the first response message comprises the operation authority query result of the first resource, the first response message being obtained by the second network device encapsulating the query result according to the value of the first operation authority, and the value of the first operation authority indicating whether the first network device has the first operation authority to the first resource;
an analysis module, used by the first network device to parse the first response message to obtain the operation authority query result of the first resource.
In one possible implementation, the obtaining module is configured so that the first network device obtains a second identifier, which indicates whether the value of the first operation right is to be encapsulated when the first network device does not have the first operation right; the first network device encapsulates the first identifier and the second identifier to obtain the first RPC instruction.
In one possible implementation, the parsing module is configured so that the first network device parses the first response message, where the obtained operation authority query result of the first resource includes the value of the first operation authority. This first response message is obtained by the second network device encapsulating the query result according to the second identifier when the value of the first operation authority is a non-target value, or when the value is the target value and the second identifier indicates that the value is to be encapsulated even without the first operation authority. The target value indicates that the first network device does not have the first operation authority on the first resource; a non-target value indicates that it does.
In one possible implementation, the parsing module is configured so that the first network device parses the first response message, where the obtained operation authority query result of the first resource does not include the value of the first operation authority. This first response message is obtained by the second network device encapsulating the query result according to the indication of the second identifier when the value of the first operation authority is the target value and the second identifier indicates that the value is not to be encapsulated when the first operation authority is not provided. The target value indicates that the first network device does not have the operation authority on the first resource.
In one possible implementation, the obtaining module is further configured so that the first network device obtains a third identifier of a second resource whose operation authority update is to be detected. The third identifier is used by the second network device to obtain the value of the second operation authority corresponding to each target network device, where the value corresponding to any target network device indicates whether that target network device has the second operation authority on the second resource; on detecting that the value of the second operation authority corresponding to any target network device is updated, the second network device obtains the updated value, encapsulates it into a notification message, and sends the notification message to that target network device;
the sending module is further configured so that the first network device encapsulates the third identifier to obtain a second RPC instruction and sends the second RPC instruction to the second network device.
In one possible implementation, the sending module is configured so that the first network device obtains a user identifier, which is used by the second network device to take the network device indicated by the user identifier as the target network device; the first network device encapsulates the second identifier and the user identifier to obtain the second RPC instruction.
In one possible implementation, the first resource is a yet another next generation (YANG) file and the first identifier is a file name. The file name is used by the second network device to determine at least one sub-resource included in the YANG file, where the at least one sub-resource includes at least one of a data node, a protocol operation and a notification, and each sub-resource has a corresponding sub-identifier. The analysis module is configured so that the first network device parses the first response message to obtain the operation authority query result of the YANG file, which includes the value of the third operation authority corresponding to each sub-resource together with its sub-identifier, the sub-identifiers corresponding one-to-one with the values of the third operation authority of the sub-resources.
In one possible implementation, the first resource is a data node and the first identifier is a node path. The node path is used by the second network device to determine at least one sub-node included in the data node, each sub-node having a corresponding sub-path. The analysis module is configured so that the first network device parses the first response message to obtain the operation authority query result of the data node, which comprises the node path, each sub-path, the value of the fourth operation authority and the value of the fifth operation authority corresponding to each sub-node, the node path corresponding to the value of the fourth operation authority and the sub-paths corresponding one-to-one with the values of the fifth operation authority of the sub-nodes.
In one possible implementation, the first resource is a protocol operation and the first identifier is an operation path, and the analysis module is configured so that the first network device parses the first response message to obtain the operation permission query result of the protocol operation, which includes the value of the first operation permission, indicating whether the first network device has execution permission on the protocol operation.
In one possible implementation, the first resource is a notification and the first identifier is a notification path, and the analysis module is configured so that the first network device parses the first response message to obtain the operation permission query result of the notification, which includes the value of the first operation permission, indicating whether the first network device has read permission on the notification.
In a fifth aspect, there is provided an apparatus for querying an operation right, the apparatus comprising a memory and a processor; the memory has stored therein at least one instruction that is loaded and executed by the processor to implement the method of the first aspect or any of the possible implementations of the first aspect.
In a sixth aspect, there is provided an apparatus for querying an operation right, the apparatus including a memory and a processor; at least one instruction is stored in the memory, the at least one instruction being loaded and executed by the processor to implement the second aspect or any one of the possible embodiments of the second aspect.
In a seventh aspect, another communication apparatus is provided, comprising a transceiver, a memory and a processor. The transceiver, the memory and the processor communicate with each other via an internal connection path; the memory stores instructions, and the processor executes the instructions stored in the memory to control the transceiver to receive and transmit signals and, when executing those instructions, performs the method of the first aspect or any one of its possible implementations.
In an eighth aspect, another communication apparatus is provided, comprising a transceiver, a memory and a processor. The transceiver, the memory and the processor communicate with each other via an internal connection path; the memory stores instructions, and the processor executes the instructions stored in the memory to control the transceiver to receive and transmit signals and, when executing those instructions, performs the method of the second aspect or any one of its possible embodiments.
Optionally, the processor is one or more and the memory is one or more.
Alternatively, the memory may be integrated with the processor or the memory may be separate from the processor.
In a specific implementation, the memory may be a non-transitory memory, for example a read-only memory (ROM), which may be integrated on the same chip as the processor or disposed separately on a different chip.
In a ninth aspect, a system for querying operational rights is provided, the system comprising: the first network device and the second network device are in communication connection; the second network device is for performing the method of the first aspect or any of the possible implementations of the first aspect, and the first network device is for performing the method of the second aspect or any of the possible implementations of the second aspect.
In a tenth aspect, there is provided a computer program (product) comprising: computer program code which, when run by a computer, causes the computer to perform the methods of the above aspects.
In an eleventh aspect, there is provided a readable storage medium storing a program or instructions that when run on a computer perform the method of the above aspects.
In a twelfth aspect, there is provided a chip comprising a processor for calling from a memory and executing instructions stored in the memory, to cause a chip-mounted communication device to perform the method of the above aspects.
In a thirteenth aspect, another chip is provided, comprising an input interface, an output interface, a processor and a memory connected through an internal connection path; the processor executes the code in the memory, and when the code is executed, the processor performs the methods of the above aspects.
Drawings
FIG. 1 is a schematic diagram of a network architecture according to an embodiment of the present application;
FIG. 2 is a layered structure diagram of the NETCONF protocol according to an embodiment of the present application;
FIG. 3 is a flowchart of a method for querying operation rights according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a procedure for defining protocol operations according to an embodiment of the present application;
FIG. 5 is a schematic flow chart of an authentication process according to an embodiment of the present application;
FIG. 6 is a schematic diagram of an RPC instruction structure according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 8 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 9 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 10 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 11 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 12 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 13 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 14 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 15 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 16 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 17 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 18 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 19 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 20 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 21 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 22 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 23 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 24 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 25 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 26 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 27 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 28 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 29 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 30 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 31 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 32 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 33 is a schematic diagram of a process according to an embodiment of the present application;
FIG. 34 is a schematic structural diagram of a device for querying operation rights according to an embodiment of the present application;
FIG. 35 is a schematic structural diagram of a device for querying operation rights according to an embodiment of the present application;
FIG. 36 is a schematic structural diagram of a device for querying operation rights according to an embodiment of the present application.
Detailed Description
The terminology used in the description of the embodiments of the application herein is for the purpose of describing particular embodiments of the application only and is not intended to be limiting of the application.
The embodiment of the present application provides a method for querying operation authority, which is applied to the network architecture shown in FIG. 1. FIG. 1 includes a first network device and a second network device that are communicatively connected. The first network device runs a virtual machine (VM) or the Linux operating system, and a management system (network management) deployed as software on the VM or on Linux acts as the client (NETCONF client) in the NETCONF protocol. The management system is illustratively an enterprise management system (EMS) or a network management system (NMS), such as U2000, M2000, eSight or DT. The second network device is configured to act as the server (NETCONF server) in the NETCONF protocol; it includes, but is not limited to, a server, a router or a switch.
In this embodiment, the first network device is configured to send to the second network device an RPC instruction indicating that the operation authority of a resource is to be queried, where the RPC instruction includes the identifier of the resource, so that the first network device obtains its operation authority query result for the resource from the response message the second network device returns for that RPC instruction. The first network device is further configured to send to the second network device an RPC instruction indicating that updates of the operation authority of the resource are to be detected, so that, when the first network device's operation authority on the resource is updated, it receives a notification sent by the second network device and obtains the updated operation authority from that notification.
The second network device includes a network interface, a memory and a processor. The network interface provides the communication connection to the first network device, and the memory stores the operation authority of each resource. After an RPC instruction indicating that the operation authority of a resource is to be queried is received from the first network device through the network interface, the processor obtains the value of the first network device's operation authority on the resource according to the resource identifier carried in the RPC instruction, and returns through the network interface a response message carrying the operation authority query result of the resource. After an RPC instruction indicating that updates of the resource's operation authority are to be detected is received through the network interface, the processor obtains the updated operation authority upon detecting that the first network device's operation authority on the resource has been updated, and returns through the network interface a notification carrying the updated operation authority to the first network device.
In addition, in order to facilitate description of the method provided by the embodiment of the present application, the communication terms related to the embodiment are first described as follows.
NETCONF protocol: a network configuration and management protocol based on the extensible markup language (XML) that uses the RPC mechanism described above for communication between the first network device and the second network device. The data and messages exchanged between the first network device and the second network device are in XML format. The data includes configuration data and state data, and the messages include hello messages, RPC messages and notification messages, where RPC messages are the RPC instructions and response messages. Referring to FIG. 2, the NETCONF protocol adopts a layered structure comprising a transport protocol layer, an RPC layer, a protocol operations layer and a content layer, described as follows:
Transport protocol layer: provides the communication path between the first network device and the second network device. The NETCONF protocol can be carried by any transport layer protocol that meets its basic requirements; illustratively, the transport layer protocol is the Secure Shell (SSH) protocol.
RPC layer: for providing the RPC mechanism described above.
Protocol operations layer: defines the operations used in the RPC mechanism, which are also called RPC operations. Protocol operations are, for example, get configuration (get-config) and edit configuration (edit-config).
Content layer: for describing configuration data involved in network management.
Yet another next generation (YANG) model: a data modeling language for the protocol operations layer and the content layer of the NETCONF protocol. The YANG model defines the hierarchical structure of the data and messages exchanged between the first network device and the second network device. When data or messages are described in a format other than XML in the first network device or the second network device, the YANG model allows that format to be converted into XML, which facilitates interaction between the two devices.
Capabilities: indicate the protocol operations that the first network device and the second network device are able to perform; each capability is identified by a uniform resource identifier (URI). During communication, the first network device and the second network device first establish a session, and then exchange their supported capabilities and NETCONF protocol versions through hello messages. As a result, the RPC instructions the first network device sends to the second network device only instruct it to perform protocol operations it is able to perform, i.e. only the protocol operations indicated by the capabilities.
The NETCONF protocol defines a base capability, base1.0, which is the set of capabilities that the first network device and the second network device must support, and a set of standard capabilities that they may choose to support. In addition, the first network device and the second network device can define new capabilities of their own and, based on them, new protocol operations.
Based on the network architecture shown in fig. 1, an embodiment of the present application provides a method for querying operation rights, referring to fig. 3, the method includes the following steps 301-308.
301, the first network device obtains a first identifier of a first resource whose operation authority is to be queried, and encapsulates the first identifier to obtain a first RPC instruction, which indicates that the operation authority of the first resource is to be queried.
Wherein the first resource is a resource defined according to the YANG model, and the first identifier of the first resource is used for uniquely indicating the first resource. Illustratively, the first resource and the first identifier include, but are not limited to, the following four cases:
Case one: the first resource is a YANG file. In the YANG model, the basic unit is the YANG file (module), and the YANG files defined by the YANG model are the YANG files referred to in this embodiment. Accordingly, the first identifier is the file name (module-name). Illustratively, a YANG file includes statements describing the file itself, such as a description and a version, and at least one of a data node, a protocol operation and a notification.
Case two: the first resource is a data node and the first identifier is a node path (data-node-path). Since NETCONF is an XML-based protocol, the node path of a data node is an XML Path Language (XPath) expression.
Case three: the first resource is a protocol operation and the first identifier is an operation path. A protocol operation has an operation name (rpc-name); because the protocol operation is located in a YANG file, its operation path is obtained from the operation name and the file name of the YANG file containing it, and the operation path is an XPath expression.
Case four: the first resource is a notification and the first identifier is a notification path. A notification has a notification name (notification-name), and the notification path is an XPath expression comprising the notification name and the file name of the YANG file in which the notification is located.
In this embodiment, a new capability is defined in the second network device. Illustratively, the URI corresponding to the new capability is expressed as follows:
<capability>http://www.huawei.com/netconf/capability/netconf-resource:1.0</capability>
Based on this new capability, the present embodiment also defines a new protocol operation, shown in FIG. 4, which the first network device uses for the first RPC instruction. The new protocol operation has an input parameter and an output parameter; based on it, the second network device returns the output parameter according to the input parameter supplied by the first network device. The present embodiment therefore uses the first identifier as the input parameter and the value of the first operation authority as the output parameter, where the value of the first operation authority indicates whether the first network device has the first operation authority to the first resource.
In FIG. 4, the input parameter includes a mandatory choice node named node-type, with two options, module-name and node-path. That is, the first network device supplies either a file name or an XPath to query the first operation authority: the option module-name corresponds to the file name of case one, and the option node-path corresponds to the node path of case two, the operation path of case three and the notification path of case four.
The output parameter includes three container nodes, data, rpc and notification; the access-operations item in each container node carries the operation authority. The NETCONF protocol provides an authentication mechanism, the NETCONF access control model (NACM). Following the NACM definition, the values of the first operation authority include, but are not limited to: create (create authority), delete (delete authority), read (read authority), update (update authority) and exec (execute authority); in addition, none indicates that no operation authority is held. As the container nodes of the output parameter show, the operation authority returned by the second network device to the first network device comprises at least one of the first network device's operation authority on a data node, on a protocol operation and on a notification.
As can also be seen from FIG. 4, the input parameter further includes a second identifier (without-none), which is described later rather than here.
302, the first network device sends a first RPC instruction to the second network device.
After the first network device encapsulates the first RPC command, the first RPC command may be sent to the second network device through a session between the first network device and the second network device.
303, the second network device receives a first RPC instruction sent by the first network device, where the first RPC instruction includes a first identifier of the first resource, and the first RPC instruction is used to indicate an operation authority for querying the first resource.
Since the first network device transmits the first RPC instruction through the session, the second network device can receive the first RPC instruction transmitted by the first network device through the session.
304, the second network device parses the first RPC instruction to obtain a first identifier.
After the second network device parses the first RPC instruction, it obtains the first identifier carried in the first RPC instruction and can determine, according to the first identifier, the first resource whose operation authority is to be queried. Based on the new protocol operation defined in 301, the second network device further obtains the value of the first operation right of the first network device to the first resource, so as to encapsulate the operation right query result of the first resource according to that value and return it to the first network device, as described in detail in 305.
305, the second network device obtains a value of the first operation right according to the first identifier, where the value of the first operation right is used to indicate whether the first network device has the first operation right to the first resource.
As can be seen from the description in 301, the values of the first operation authority include, but are not limited to, create, delete, read, update, exec and none. A value that is at least one of create, delete, read, update and exec indicates that the first network device has the first operation authority for the first resource, and the value none indicates that the first network device does not have the first operation authority to the first resource. The manner in which the second network device obtains the value of the first operation authority also differs with the first resource, and four cases are described below.
Acquisition mode one corresponding to case one: for the case that the first resource is a YANG file and the first identifier is a file name, the acquisition mode includes: determining at least one sub-resource included in the YANG file according to the file name, and acquiring the value of a third operation authority corresponding to each sub-resource, where the value of the third operation authority corresponding to any sub-resource is used for indicating the operation authority of the first network device on that sub-resource, and the at least one sub-resource comprises at least one of a data node, a protocol operation and a notification.
That is, in the case where the first resource is a YANG file, what the second network device acquires is not the operation authority of the first network device on the YANG file itself but its operation authority on the various sub-resources included in the YANG file. It can be appreciated that, as long as the YANG file includes at least one sub-resource, the present embodiment does not limit the number of sub-resources included in the YANG file. For example, where the YANG file includes protocol operations, one or more protocol operations can be included in the YANG file.
The value of the third operation authority corresponding to any data node comprises one or more of create, read, delete, update and exec. For example, if the operation authority of the first network device on a data node is that the first network device can read and delete the data node, the value of the third operation authority of that data node is read and delete. If the first network device has no operation authority on a data node, the value of the third operation authority of that data node is none. In addition, the value of the third operation authority corresponding to any protocol operation is exec or none; that is, for any protocol operation the first network device can at most have execution authority, and has none of the create, read, delete and update authorities. The value of the third operation authority corresponding to any notification is read or none; that is, for any notification the first network device can at most have read authority, and has none of the create, delete, update and execute authorities.
It should be noted that, because XML adopts a tree structure, the data nodes included in the YANG file can be divided into multiple layers, and a data node at an upper layer can contain data nodes at a lower layer. For example, a top-level data node can include one or more layer-one data nodes, a layer-one data node can include one or more layer-two data nodes, and so on. Thus, when the YANG file includes multiple layers of data nodes, the second network device obtains the operation authority of the first network device for each data node in a reference number of layers. It can be understood that the present embodiment does not limit the value of the reference number, which may be set according to experience or actual needs. Illustratively, the reference number has a value of one, that is, the second network device obtains the operation authority of the first network device on each top-level data node in the YANG file.
In this embodiment, the second network device acquires the operation authority of the first network device on each sub-resource according to the definition in request for comments (RFC) 8341. For any one sub-resource, the acquisition steps can be seen in fig. 5. After determining that access control is enabled for the first network device, it is determined whether the session between the first network device and the second network device is a recovery session, in which case the operation is allowed to be performed. Thereafter, it is determined whether the first network device is performing <close-session>, in which case execution of <close-session> is allowed. If <close-session> is not being performed, it is determined whether a user identifier identical to the user identifier (user-name) of the first network device is included in any user group, where a user group is a group comprising one or more users. If a user identifier identical to that of the first network device is included in a user group, the first network device is a user of that user group. When a rule list matching that user group is determined, the corresponding rule is further acquired from the matched rule list, so that the operation authority of the first network device on the resource is obtained. Then the value of the matching rule's 'exec-default' is checked, and the operation is allowed to be executed if the value is permit; otherwise execution of the operation is refused.
In addition, as can be seen from fig. 5, in the three cases in which no user group contains the user identifier of the first network device, no rule list matches the user group containing the user identifier, or the matched rule list contains no matching rule, the access control rules need to be applied. After the access control rules are applied, the matching mode of the authentication rule is checked, so that whether the operation is allowed or refused is determined according to whether the value is permit. The access control rules corresponding to different sub-resources also differ, and are described under acquisition modes two, three and four respectively.
Acquisition mode two corresponding to case two: for the case that the first resource is a data node and the first identifier is a node path, the acquisition mode includes: based on determining, according to the node path, that the data node comprises at least one child node, acquiring the value of a fourth operation authority and the value of a fifth operation authority corresponding to each child node, where the value of the fourth operation authority indicates the operation authority of the first network device on the data node, the value of the fifth operation authority corresponding to any child node indicates the operation authority of the first network device on that child node, and each child node has a corresponding sub-path.
As can be seen from the description of acquisition mode one, any data node can include one or more child nodes located below it. Based on determining from the node path that the data node comprises at least one child node, the value of the fourth operation authority and the value of the fifth operation authority corresponding to each child node are acquired respectively. Taking as an example a data node located in one layer of the YANG file, the child nodes can be the data nodes in the next layer; alternatively, the child nodes can also include data nodes two layers, three layers or more below it.
It can be understood that, in the case that the data node corresponding to the node path does not include a child node, that is, the data node corresponding to the node path is a bottom-level data node in the YANG file, the second network device directly obtains the value of the fourth operation authority.
In addition, in the case where the first resource is a data node, the access control rules include, but are not limited to, the following four:
1. Any data node whose definition contains a "nacm:default-deny-all" statement does not support read and write operations. The write operation includes the create operation and the delete operation.
2. Any data node whose definition contains a "nacm:default-deny-write" statement does not support write operations.
3. Whether the first network device has the right to execute query operations: if the value of read-default is permit, the first network device has read authority; otherwise, it does not have read authority.
4. Whether the first network device has the right to execute configuration operations: if the value of write-default is permit, the first network device has write authority; otherwise, it does not have write authority.
Acquisition mode three corresponding to case three: for the case that the first resource is a protocol operation and the first identifier is an operation path, the obtaining manner includes: and determining a value of a first operation authority according to the operation path, wherein the value of the first operation authority is used for indicating whether the first network equipment has execution authority on the protocol operation.
The first network device can at most have execution authority for any protocol operation, i.e. the value of the first operation authority is exec or none. The value exec indicates that the first network device has execution authority for the protocol operation, and the value none indicates that the first network device does not have execution authority for the protocol operation.
In the case where the first resource is a protocol operation, the access control rules include, but are not limited to, the following three:
1. If the protocol operation defined in the YANG file contains a "nacm:default-deny-all" statement, execution of the RPC request is refused.
2. If the protocol operation is <kill-session> or <delete-config>, execution of the RPC request is refused.
3. If the first network device has the default execution authority for protocol operations, it has the execution authority for the protocol operation; if it does not have the default execution authority for protocol operations, it does not have the execution authority for the protocol operation.
Acquisition mode four corresponding to case four: for the case that the first resource is a notification and the first identifier is a notification path, the acquiring manner includes: and determining a value of the first operation authority according to the notification path, wherein the value of the first operation authority is used for indicating whether the first network equipment has reading authority for the notification.
The value of the first operation authority is read or none, the read indicating that the first network device has read authority for the notification, and the none indicating that the first network device does not have read authority for the notification. In the case where the first resource is a notification, the access control rules include, but are not limited to, the following two:
1. If the definition of the notification contains a "nacm:default-deny-all" statement, the notification is not allowed to be read.
2. If the first network device has the right to execute query operations, it has read authority for the notification; if it does not have the right to execute query operations, it does not have read authority for the notification.
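The rule evaluation described in acquisition modes one to four, as an added example that is not part of the patent or of any vendor's implementation: a small evaluator that returns the operation authority value (the permitted operations, or none) for a user on a data node, protocol operation or notification, following the RFC 8341 order of recovery session, <close-session>, group membership, first matching rule, and then the default rules (nacm:default-deny-all, nacm:default-deny-write, read-default, write-default, exec-default, and the fixed refusal of <kill-session> and <delete-config>). The Resource, Rule and Nacm classes are assumptions of this example rather than the patent's data model, and the users, groups, rule lists and paths are constructed sample values that borrow the names used in the figures.

```python
# Added example (not the patent's or any vendor's code): evaluator producing the
# operation-authority values of acquisition modes one to four with RFC 8341
# vocabulary. Classes, users, groups, rules and paths are constructed here.
from dataclasses import dataclass, field

# Candidate operations per sub-resource kind: data nodes can carry the four
# CRUD rights, protocol operations at most exec, notifications at most read.
CANDIDATE_OPS = {
    "data": ("create", "read", "update", "delete"),
    "rpc": ("exec",),
    "notification": ("read",),
}

@dataclass
class Resource:
    path: str                         # node path, operation path or notification path
    kind: str                         # "data", "rpc" or "notification"
    default_deny_all: bool = False    # definition carries nacm:default-deny-all
    default_deny_write: bool = False  # definition carries nacm:default-deny-write
    children: list = field(default_factory=list)

@dataclass
class Rule:
    path: str        # "*" matches everything; otherwise the path and its descendants
    access_ops: set  # subset of the operation names, or {"*"}
    action: str      # "permit" or "deny"

@dataclass
class Nacm:
    groups: dict       # group name -> set of user-names
    rule_lists: dict   # group name -> ordered list of Rule
    read_default: str = "permit"
    write_default: str = "deny"
    exec_default: str = "permit"

def _rules_for(nacm, user):
    """Rules of every rule list whose group contains the user, in list order."""
    return [r for g, members in nacm.groups.items() if user in members
            for r in nacm.rule_lists.get(g, [])]

def _default_decision(nacm, res, op):
    """Access control rules applied when no rule matches (the fig. 5 fall-through)."""
    name = res.path.rsplit(":", 1)[-1]
    if res.kind == "rpc":
        if res.default_deny_all or name in ("kill-session", "delete-config"):
            return "deny"
        return nacm.exec_default
    if res.kind == "notification":
        return "deny" if res.default_deny_all else nacm.read_default
    if res.default_deny_all:
        return "deny"
    if op == "read":
        return nacm.read_default
    return "deny" if res.default_deny_write else nacm.write_default

def operation_authority(nacm, user, res, recovery_session=False):
    """Value of the operation authority of `user` on `res`: the permitted
    operations, or ["none"] when nothing is permitted."""
    ops = CANDIDATE_OPS[res.kind]
    if recovery_session or (res.kind == "rpc" and res.path.endswith("close-session")):
        return list(ops)
    permitted = []
    for op in ops:
        decision = None
        for rule in _rules_for(nacm, user):        # first matching rule wins
            hit = rule.path == "*" or res.path == rule.path or res.path.startswith(rule.path + "/")
            if hit and ("*" in rule.access_ops or op in rule.access_ops):
                decision = rule.action
                break
        if decision is None:
            decision = _default_decision(nacm, res, op)
        if decision == "permit":
            permitted.append(op)
    return permitted or ["none"]

def query_file(nacm, user, top_level):
    """Acquisition mode one: third operation authority per top-level sub-resource."""
    return {r.path: operation_authority(nacm, user, r) for r in top_level}

def query_data_node(nacm, user, node):
    """Acquisition mode two: fourth operation authority for the node and fifth
    operation authority for each child node, keyed by node path / sub-path."""
    result = {node.path: operation_authority(nacm, user, node)}
    for child in node.children:
        result[child.path] = operation_authority(nacm, user, child)
    return result

# Constructed sample resources and NACM configuration (names follow the figures).
STATE = "/netconf/data/ietf-netconf-monitoring:netconf-state"
NETCONF_STATE = Resource(STATE, "data", children=[
    Resource(STATE + "/" + c, "data")
    for c in ("capabilities", "datastores", "schemas", "sessions", "statistics")])
GET_SCHEMA = Resource("/netconf/operations/ietf-netconf-monitoring:get-schema", "rpc")
KILL_SESSION = Resource("/netconf/operations/ietf-netconf:kill-session", "rpc")
KEYSTORE = Resource("/netconf/data/example-keystore:keystore", "data", default_deny_all=True)
CONFIG_CHANGE = Resource(
    "/netconf/notifications/ietf-netconf-notifications:netconf-config-change", "notification")
SAMPLE_NACM = Nacm(
    groups={"monitor": {"alice"}, "admin": {"bob"}},
    rule_lists={
        "monitor": [Rule(STATE + "/sessions", {"*"}, "deny"),   # hide session data first
                    Rule(STATE, {"read"}, "permit")],
        "admin": [Rule("*", {"*"}, "permit")],
    },
    read_default="deny", write_default="deny", exec_default="permit")
```

Run with query_data_node(SAMPLE_NACM, "alice", NETCONF_STATE): the node and four of its children evaluate to read and the child sessions to none, which is the mixed result that the second identifier (without-none) described under 306 later filters. The deny rule is listed before the permit rule because, as in RFC 8341, the first matching rule decides.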
306, the second network device encapsulates the operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message, and sends the first response message to the first network device.
Packaging mode one corresponding to case one: under the condition that the first resource is a YANG file, the first operation authority refers to the operation authority of the first network device on each sub-resource in the YANG file, so that the packaging mode comprises: and packaging the operation authority query result of the YANG file to obtain a first response message, wherein the operation authority query result of the YANG file comprises the value of the third operation authority corresponding to each sub-resource and the sub-identifier, and the sub-identifiers are in one-to-one correspondence with the values of the third operation authorities corresponding to the sub-resources.
Any sub-resource has a corresponding sub-identifier. The sub-identifier corresponding to a data node is a node path, the sub-identifier corresponding to a protocol operation is an operation path, and the sub-identifier corresponding to a notification is a notification path. The sub-identifiers correspond one-to-one with the values of the third operation authorities of the sub-resources, so that for any value of the third operation authority displayed in the first response message it is clear on which sub-resource the first network device holds that operation authority, and confusion between the values of different third operation authorities is avoided.
For example, when the sub-resource is a protocol operation, the operation name of the protocol operation can be associated with the value of the third operation authority in addition to the operation path. This correspondence likewise indicates on which sub-resource the first network device holds the operation authority indicated by any value of the third operation authority displayed in the first response message. Accordingly, when the sub-resource is a notification, the notification name can also be associated with the value of the third operation authority in addition to the notification path.
Example one of packaging mode one: referring to fig. 6, fig. 6 shows the YANG file ietf-interfaces, which includes two top-level data nodes, interfaces and interfaces-state, and no protocol operations or notifications. The first network device sends the first RPC instruction shown in fig. 7 to the second network device, where the first RPC instruction includes the file name ietf-interfaces. Accordingly, the second network device sends the first response message shown in fig. 8 to the first network device, where the first response message includes the node path of the top-level data node interfaces and the values create, read, update and delete of the third operation authority corresponding to interfaces, indicating that the first network device has the four authorities of creating, reading, updating and deleting the top-level data node interfaces. The first response message further includes the node path of the top-level data node interfaces-state and the value read of the third operation authority corresponding to interfaces-state, indicating that the first network device has read authority for the top-level data node interfaces-state.
Example two of packaging mode one: referring to fig. 9, fig. 9 shows the YANG file ietf-netconf-monitoring, which includes a top-level data node netconf-state and a protocol operation get-schema, and no notifications. The first network device sends the first RPC instruction shown in fig. 10 to the second network device, where the first RPC instruction includes the file name ietf-netconf-monitoring. Accordingly, the second network device returns the first response message shown in fig. 11 to the first network device. The first response message includes the node path of the top-level data node netconf-state and the value read of the third operation authority corresponding to netconf-state, indicating that the first network device has read authority for the top-level data node netconf-state. The first response message further comprises the operation name get-schema of the protocol operation and the value exec of the third operation authority corresponding to get-schema, indicating that the first network device has execution authority for the protocol operation get-schema.
Example three of packaging mode one: referring to fig. 12, fig. 12 shows the YANG file ietf-netconf-notification, which includes five notifications, netconf-config-change, netconf-capability-change, netconf-session-start, netconf-session-end and netconf-confirmed-commit, and no data nodes or protocol operations. The first network device sends the first RPC instruction shown in fig. 13 to the second network device, where the first RPC instruction includes the file name ietf-netconf-notification. The second network device returns the first response message shown in fig. 14 to the first network device, where the first response message includes five values of the third operation authority, all of which are read. It can thus be seen that the first network device has read authority for all five notifications.
Packaging mode two corresponding to case two: based on the data node including at least one child node, the encapsulation mode includes: and encapsulating an operation authority query result of the data node to obtain a first response message, wherein the operation authority query result of the data node comprises a node path, each sub-path, a value of a fourth operation authority and a value of a fifth operation authority corresponding to each sub-node, the node path corresponds to the value of the fourth operation authority, and the sub-paths correspond to the values of the fifth operation authorities corresponding to the sub-nodes one by one.
The value of the fourth operation authority and the value of the fifth operation authority may be the same or different, and the values of the fifth operation authority of different child nodes may also differ from one another. Taking as an example a data node that comprises two child nodes, the value of the fourth operation authority is read, and the values of the two fifth operation authorities are read and none respectively: the first network device has read authority on the data node and on one of the child nodes, but has no operation authority on the other child node.
Example one of packaging mode two: referring to fig. 15, fig. 15 shows the data node netconf-state, which includes five child nodes, capabilities, datastores, schemas, sessions and statistics. The first network device sends the first RPC instruction shown in fig. 16 to the second network device, where the first RPC instruction includes the node path /netconf/data/ietf-netconf-monitoring:netconf-state of the data node netconf-state. Accordingly, the second network device determines each child node included in the data node according to the node path in the first RPC instruction, where each child node has a corresponding sub-path.
The second network device obtains the value of the fifth operation authority corresponding to each child node and sends the first response message shown in fig. 17 to the first network device. The node path /netconf/data/ietf-netconf-monitoring:netconf-state corresponds to the value read of the fourth operation authority, indicating that the first network device has read authority on the data node netconf-state. In addition, the value of the fifth operation authority corresponding to each child node in the first response message is as follows:
the sub-path /netconf/data/ietf-netconf-monitoring:netconf-state/capabilities corresponds to the value read of the fifth operation authority of the child node capabilities;
the sub-path /netconf/data/ietf-netconf-monitoring:netconf-state/datastores corresponds to the value read of the fifth operation authority of the child node datastores;
the sub-path /netconf/data/ietf-netconf-monitoring:netconf-state/schemas corresponds to the value read of the fifth operation authority of the child node schemas;
the sub-path /netconf/data/ietf-netconf-monitoring:netconf-state/sessions corresponds to the value read of the fifth operation authority of the child node sessions;
the sub-path /netconf/data/ietf-netconf-monitoring:netconf-state/statistics corresponds to the value read of the fifth operation authority of the child node statistics.
Based on example one of packaging mode two, the first network device can further encapsulate the sub-path of any child node returned in the first response message to obtain a new first RPC instruction, and through that instruction obtain the sub-paths of, and the operation authority of the first network device on, each further child node included in that child node, so as to realize resource discovery.
For example, the first network device encapsulates the sub-path of the above child node schemas to obtain the first RPC message shown in fig. 18. The second network device returns the first response message shown in fig. 19 to the first network device according to that first RPC message. The first response message comprises the value of the operation authority corresponding to the child node schemas, the sub-path /netconf/data/ietf-netconf-monitoring:netconf-state/schemas/schema of the further child node schema, and the value of the operation authority corresponding to that further child node; both values are read. It can be understood that the further child node schema is a child node included in the child node schemas.
Packaging mode three corresponding to case three: after the second network device obtains the value of the first operation authority, the operation authority query result of the protocol operation is encapsulated to obtain the first response message, where the operation authority query result of the protocol operation comprises the value of the first operation authority, which indicates whether the first network device has execution authority for the protocol operation. Illustratively, since a protocol operation does not include sub-protocol operations, the second network device can directly encapsulate the value of the first operation authority without encapsulating the operation path or operation name of the protocol operation, and no confusion of operation authorities results.
Example one of packaging mode three: referring to fig. 20, fig. 20 shows the case where the protocol operation is get-schema. The operation path of the protocol operation is /netconf/operations/ietf-netconf-monitoring:get-schema. The first network device sends the first RPC instruction shown in fig. 21, which contains the operation path, to the second network device. Then the second network device returns the first response message shown in fig. 22 to the first network device, where the first response message includes the operation name get-schema of the protocol operation and the value exec of the first operation authority, indicating that the first network device has execution authority for the protocol operation get-schema.
Packaging mode four corresponding to case four: after the second network device obtains the value of the first operation right, the notified operation right inquiry result is packaged to obtain a first response message, wherein the notified operation right inquiry result comprises the value of the first operation right, and the value of the first operation right is used for indicating whether the first network device has the reading right to the notification.
Example one of packaging mode four: referring to fig. 23, fig. 23 shows a case with five notifications. Since the first network device needs to query the first operation authority for netconf-config-change, it sends the first RPC instruction shown in fig. 24, where the first RPC instruction includes the notification path of netconf-config-change. Accordingly, the second network device returns the first response message shown in fig. 25 to the first network device, where the first response message includes the path name netconf-config-change and the value read of the first operation authority, indicating that the first network device has read authority for the notification netconf-config-change.
In the above four packaging modes, the second network device directly uses the obtained value of the first operation authority as the operation authority query result of the first resource. Alternatively, besides directly using the value of the first operation authority as the operation authority query result, the second network device may determine the operation authority query result of the first resource according to the indication of an identifier.
Thus, in an exemplary embodiment, the first RPC instruction sent by the first network device further includes a second identifier, namely the without-none shown in fig. 4. That is, the first network device encapsulating the first identifier to obtain the first RPC instruction includes: the first network device acquires the second identifier, and encapsulates the first identifier and the second identifier to obtain the first RPC instruction. The second identifier is used to indicate whether the value of the first operation authority is still encapsulated when the first operation authority is not held.
In this embodiment, whether the first network device has the first operation authority to the first resource is indicated according to whether the value of the first operation authority is a target value, where the target value is none. The value of the first operation authority is a target value and is used for indicating that the first network device does not have the first operation authority to the first resource, and the value of the first operation authority is a non-target value and is used for indicating that the first network device has the first operation authority to the first resource.
For example, when the second identifier is true, it indicates that the value of the first operation authority is not encapsulated when the first operation authority is not held; when the second identifier is false, it indicates that the value of the first operation authority is still encapsulated when the first operation authority is not held. Fig. 26 shows a case where the second identifier is true in the first RPC message sent by the first network device.
Accordingly, after the second network device parses the first RPC instruction, a first identifier and the second identifier are obtained. After acquiring the value of the first operation authority according to the obtained first identifier, the second network device determines the encapsulation mode based on the indication of the second identifier.
When the value of the first operation authority is a non-target value, or the value of the first operation authority is the target value and the second identifier indicates that the value is still encapsulated when the first operation authority is not held, the value of the first operation authority is used as the operation authority query result of the first resource in the manner described above to obtain the first response message. For example, fig. 27 shows a case where the value of the first operation authority corresponding to the protocol operation netconf-capability-change is the target value none. According to the indication of the second identifier, the second network device encapsulates the value none of the first operation authority together with the other values of the first operation authority that are not none, to obtain the first response message.
It can be appreciated that in this case, the first response message received by the first network device includes, in the operation authority query result of the first resource, all the values of the first operation authorities acquired by the second network device. The value of each first operation authority is none, or other values than none.
Or, when the value of the first operation authority is the target value and the second identifier indicates that the value is not encapsulated when the first operation authority is not held, encapsulation is performed according to the indication of the second identifier to obtain an operation authority query result that does not include that value of the first operation authority, thereby obtaining the first response message.
Illustratively, the second network device is capable of obtaining a plurality of values of the first operation authority. For example, when the first resource includes a plurality of sub-resources in case one, or when the data node includes at least one child node in case two, the second network device obtains a plurality of values of the first operation authority. When only some of these values are none and the others are not, the second network device encapsulates those values of the first operation authority that are not none. For example, compared with the scenario of fig. 27 in which the value of the first operation authority corresponding to the protocol operation netconf-capability-change is none, if the second identifier indicates that the value of the first operation authority is not encapsulated when the first operation authority is not held, the first response message shown in fig. 28 is obtained. It can be understood that, when all of the plurality of values of the first operation authority acquired by the second network device are the target value, or when the second network device acquires a single value of the first operation authority and that value is none, the transmitted first response message is null.
Accordingly, in the first response message received by the first network device, the operation permission query result of the first resource only includes the value of the first operation permission which is not the none, and does not include the value of the first operation permission which is the none. Alternatively, the first response message received by the first network device is null.
The second network device, regardless of the manner in which the first response message is encapsulated, transmits the first response message through a session established with the first network device after the first response message is obtained.
307, the first network device receives a first response message sent by the second network device according to the first RPC instruction, where the first response message includes an operation authority query result of the first resource.
Since the second network device transmits the first response message carrying the operation authority query result, the first network device can receive the first response message through the session. The first response message is a message obtained by the second network device according to an operation authority query result of the first resource encapsulated by the value of the first operation authority, and the value of the first operation authority is used for indicating whether the first network device has the first operation authority to the first resource.
308, the first network device analyzes the first response message to obtain an operation authority query result of the first resource.
The operation authority query result of the first resource carried in the first response message differs with the first resource and, as follows from the description in 306, parsing takes one of the following four forms.
Parsing method one, corresponding to case one: parse the first response message to obtain the operation authority query result of the YANG file, which includes the value of the third operation authority corresponding to each sub-resource and the sub-identifier of each sub-resource, the sub-identifiers corresponding one-to-one to the values of the third operation authorities of the sub-resources.
Parsing method two, corresponding to case two: parse the first response message to obtain the operation authority query result of the data node, which includes the node path, each sub-path, the value of the fourth operation authority and the value of the fifth operation authority corresponding to each sub-node; the node path corresponds to the value of the fourth operation authority, and the sub-paths correspond one-to-one to the values of the fifth operation authorities of the sub-nodes.
Parsing method three, corresponding to case three: parse the first response message to obtain the operation authority query result of the protocol operation, which includes the value of the first operation authority, used to indicate whether the first network device has the execution authority for the protocol operation.
Parsing method four, corresponding to case four: parse the first response message to obtain the operation authority query result of the notification, which includes the value of the first operation authority, used to indicate whether the first network device has the read authority for the notification.
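The exchange of 306 to 308 above, both the second network device's encapsulation that honours the second identifier (dropping values equal to none, down to a null reply) and the first network device's parsing of the four cases, as an added example that is not code from the patent. The reply layout, the item element, the case attribute, the namespace urn:example:auth-query and the sample identifiers and values are assumptions made here for illustration; only the NETCONF base namespace is real, and the figures referred to in the text are not reproduced.

```python
"""Added example of the operation-authority query exchange (steps 306 to 308).
Not the patent's own code: the reply layout, the 'urn:example:auth-query'
namespace and the sample entries are assumptions made for illustration."""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"   # real NETCONF base namespace (RFC 6241)
AQ = "urn:example:auth-query"                    # assumed namespace for the query result
TARGET = "none"                                  # the target value: no operation authority


def build_reply(case, entries, include_none=True, message_id="101"):
    """Second network device (step 306): encapsulate the query result.

    case        : 'yang-file', 'data-node', 'protocol-operation' or 'notification'.
    entries     : (identifier, value) pairs obtained in step 305; for a data node
                  the first pair is the node path itself, the rest its sub-paths.
    include_none: the second identifier. False drops every value equal to 'none';
                  if nothing survives the reply carries an empty result (null reply).
    """
    kept = [(ident, value) for ident, value in entries if include_none or value != TARGET]
    reply = ET.Element(f"{{{NC}}}rpc-reply", {"message-id": message_id})
    result = ET.SubElement(reply, f"{{{AQ}}}auth-query-result", {"case": case})
    for ident, value in kept:
        ET.SubElement(result, f"{{{AQ}}}item", {"id": ident}).text = value
    return ET.tostring(reply, encoding="unicode")


def parse_reply(xml_text):
    """First network device (step 308): recover (case, {identifier: value}).
    An empty dict is the null reply of the second encapsulation manner."""
    root = ET.fromstring(xml_text)
    result = root.find(f"{{{AQ}}}auth-query-result")
    if result is None:
        raise ValueError("not an operation-authority query reply")
    values = {item.get("id"): item.text for item in result.findall(f"{{{AQ}}}item")}
    return result.get("case"), values


def has_authority(values, identifier):
    """Interpret a parsed result. An identifier missing from a reply that was
    built with include_none=False had the value 'none', so absence is denial."""
    return values.get(identifier, TARGET) != TARGET


# Constructed sample values for the four cases (not taken from the patent's figures).
YANG_FILE_ENTRIES = [                      # case one: one entry per sub-resource
    ("/example-mod:config", "read"),       # hypothetical data node
    ("/example-mod:reset", "exec"),        # hypothetical protocol operation
    ("/example-mod:alarm", "none"),        # hypothetical notification
]
DATA_NODE_ENTRIES = [                      # case two: node path first, then each sub-path
    ("/huawei-aaa:aaa/lam/users", "read"),
    ("/huawei-aaa:aaa/lam/users/user", "none"),
]
PROTOCOL_OP_ENTRIES = [("/ietf-netconf:edit-config", "none")]            # case three
NOTIFICATION_ENTRIES = [                                                 # case four
    ("/ietf-netconf-notifications:netconf-capability-change", "read"),
]


def exchange(case, entries, include_none):
    """Run both sides: the second device builds the reply, the first parses it."""
    return parse_reply(build_reply(case, entries, include_none))
```

Note that with the second identifier set to "do not encapsulate", the client must treat an identifier that is absent from the result as none rather than as unknown; `has_authority` encodes that default-deny reading so that a trimmed reply cannot be misread as a grant.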
Further, for the operation authority of the first network device on some resources, this embodiment also needs to detect updates of the operation authority, so that the first network device learns of an update in time and security is not affected. For example, a device holding the write right on the resource aaa/lam/users can add new first network devices with arbitrary rights, so the operation rights of each first network device on that resource must be restricted and any change to them matters. A method is therefore needed that lets the first network device learn in time of updates to the operation authority of a resource.
With reference to fig. 29, this embodiment extends the YANG push capability provided by the YANG model so that, by sending an RPC instruction to the second network device, the first network device can have the second network device detect updates of the operation authority of any resource. Correspondingly, referring to fig. 30, this embodiment also extends the notification capability provided by the YANG model, so that when the second network device detects that the operation authority of any resource has been updated it sends a notification message in time and the first network device learns of the update.
In an exemplary embodiment, after the first network device parses the first response message to obtain the operation permission query result of the first resource, the method further includes the following steps 309-315.
309, the first network device obtains a third identifier of the second resource of which the operation authority to be detected is updated, and encapsulates the third identifier to obtain a second RPC instruction.
The process of the first network device obtaining the third identifier is described in the above 301, and will not be described herein. For the process of encapsulating the third identifier by the first network device, in addition to directly encapsulating the third identifier as described in 301 above, in an exemplary embodiment, encapsulating the third identifier to obtain the second RPC instruction includes: the first network device obtains the user identifier, encapsulates the third identifier and the user identifier to obtain a second RPC instruction.
First network devices correspond one-to-one with user identifiers. Illustratively, the user identifier indicates the first network device itself that performs 301, 302, 307 and 308, or it indicates a first network device other than the one performing 301, 302, 307 and 308. This embodiment does not limit the number of user identifiers the first network device obtains; the number is determined by actual needs. After obtaining one or more user identifiers, the first network device encapsulates the third identifier together with the obtained user identifier or identifiers to obtain the second RPC instruction.
Referring to fig. 31, fig. 31 illustrates an exemplary second RPC instruction sent by the first network device. The second RPC instruction includes the resource identifier /huawei-aaa:aaa/lam/users/user of the second resource and the user identifier test1.
310, the first network device sends the second RPC instruction to the second network device.
The transmission process is described in 302 above, and will not be described again here.
311, the second network device receives the second RPC instruction sent by the first network device, where the second RPC instruction includes the third identifier of the second resource.
The receiving process is described in 303 above, and will not be described again here. Illustratively, the second network device returns a response message as shown in fig. 32 to the first network device after receiving the second RPC instruction sent by the first network device, so that the first network device confirms that the second network device has received the second RPC instruction.
312, the second network device parses the second RPC instruction to obtain the third identifier, and determines at least one target network device from among the network devices that have established a session with the second network device.
Where the second RPC instruction does not contain a user identifier, the second network device obtains only the third identifier from parsing, and determines from it the second resource whose operation authority is to be monitored for updates. In this case the second network device takes every network device that has established a session with it as a target network device. Correspondingly, where the second RPC instruction also includes a user identifier, the second network device obtains the third identifier and the user identifier from parsing, and takes the network device indicated by the user identifier as the target network device. It can be appreciated that the target network device is the first network device that sent the second RPC instruction, or a first network device other than the one that sent it, or both.
313, the second network device obtains the value of the operation authority corresponding to each target network device according to the third identifier, where the value of the operation authority corresponding to any one target network device is used to indicate the operation authority of any one target network device to the second resource.
The second network device may refer to the description in 304 for obtaining the value of the operation authority corresponding to each target network device, which is not described herein. After the acquisition is completed, the second network device can also store the operation authority of each target network device on the second resource, so as to detect the update condition of the operation authority.
314, based on the second network device detecting an update of the value of the second operation authority corresponding to any one of the target network devices, the second network device acquires the updated value of the second operation authority, where the value of the second operation authority corresponding to any one target network device indicates whether that target network device has the second operation authority on the second resource.
When the authentication mechanism changes, the operation authority of a target network device on the second resource may be updated, and with it the value of the second operation authority corresponding to that target network device. Therefore, for any one of the target network devices, if the second network device detects that the authentication mechanism has changed, it re-determines the value of the second operation authority corresponding to that target network device according to the changed authentication mechanism. If the re-determined value equals the stored value of the second operation authority, the change in the authentication mechanism did not update the operation authority of that target network device on the second resource. If the re-determined value differs from the stored value, the change did update that operation authority, and this embodiment takes the re-determined value as the updated value of the second operation authority.
And 315, the second network device encapsulates the updated value of the second operation authority to obtain a notification message, and sends the notification message to any one of the target network devices.
For any one of the target network devices, the second network device encapsulates the user identifier of that target network device, the third identifier of the second resource, the value of the second operation right corresponding to that target network device stored in 313, and the updated value of the second operation right, so as to obtain the notification message. Of course, the notification message may omit the value stored in 313 and carry only the updated value of the second operation right; this embodiment does not limit it.
After obtaining the notification message, the second network device sends it to that target network device. Having received the notification message, the target network device determines its updated operation authority on the second resource by parsing the message, and can then perform other operations based on the updated operation authority, such as adjusting an authentication mechanism.
Referring to fig. 33, fig. 33 illustrates an exemplary notification message. The previous authority (pre-auth) in fig. 33 shows that, before the update, the value of the second operation right corresponding to the user identifier test1 was read. The current authority (cur-auth) in fig. 33 shows that the updated value of the second operation right corresponding to the user identifier test1 is create, read, update and delete.
Of course, in this embodiment the first network device sends the second RPC instruction for detecting operation authority updates after it has parsed the first response message and obtained the operation authority query result of the first resource, but it may also send the second RPC instruction at another time; this embodiment does not limit it.
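The procedure of 309 to 315 above, as an added example that is not code from the patent: the second network device records the value of the second operation authority per target device when the second RPC instruction arrives, re-determines it when the authentication mechanism changes, and emits a notification carrying pre-auth and cur-auth only where the value differs. The Rule format standing in for the authentication mechanism, the AuthMonitor class, the auth-update payload and its urn:example:auth-query namespace are assumptions made here; only the NETCONF notification namespace is real. The user test1 and the path /huawei-aaa:aaa/lam/users/user follow figs. 31 and 33 as the text describes them; the rule contents are constructed.

```python
"""Added example of steps 309 to 315 (update detection and notification).
Not the patent's own code: the Rule format, the AuthMonitor class and the
'urn:example:auth-query' payload are assumptions made for illustration."""
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

NOTIF = "urn:ietf:params:xml:ns:netconf:notification:1.0"   # real (RFC 5277)
AQ = "urn:example:auth-query"                                 # assumed payload namespace
NONE = "none"                                                 # the target value


@dataclass
class Rule:
    """One entry of the (assumed) authentication mechanism; first matching rule wins."""
    users: frozenset      # user identifiers the rule applies to
    path_prefix: str      # resource path the rule covers
    access: str           # e.g. 'read', 'create read update delete', 'none'


def evaluate(rules, user, resource):
    """Value of the operation authority of `user` on `resource` under `rules`.
    With no matching rule the result is the target value 'none' (default deny)."""
    for rule in rules:
        if user in rule.users and resource.startswith(rule.path_prefix):
            return rule.access
    return NONE


@dataclass
class AuthMonitor:
    """Second-network-device state: the value stored in step 313 per (resource, user)."""
    rules: list
    sessions: set                                  # users with an established session
    stored: dict = field(default_factory=dict)     # (resource, user) -> stored value

    def subscribe(self, resource, users=None):
        """Steps 312-313: the targets are the devices named by the user identifiers,
        or every session if the second RPC instruction carried no user identifier."""
        targets = set(users) if users else set(self.sessions)
        for user in targets:
            self.stored[(resource, user)] = evaluate(self.rules, user, resource)
        return targets

    def apply_rule_change(self, new_rules):
        """Steps 314-315: re-determine every stored value under the changed mechanism
        and emit a notification only where the value actually differs."""
        self.rules = new_rules
        out = []
        for (resource, user), pre in list(self.stored.items()):
            cur = evaluate(self.rules, user, resource)
            if cur != pre:
                self.stored[(resource, user)] = cur
                out.append(build_notification(user, resource, pre, cur))
        return out


def build_notification(user, resource, pre, cur, event_time="2020-01-01T00:00:00Z"):
    """Encapsulate user id, third identifier, stored value (pre-auth) and updated
    value (cur-auth); event_time is a placeholder."""
    note = ET.Element(f"{{{NOTIF}}}notification")
    ET.SubElement(note, f"{{{NOTIF}}}eventTime").text = event_time
    upd = ET.SubElement(note, f"{{{AQ}}}auth-update")
    for tag, text in (("user", user), ("resource", resource),
                      ("pre-auth", pre), ("cur-auth", cur)):
        ET.SubElement(upd, f"{{{AQ}}}{tag}").text = text
    return ET.tostring(note, encoding="unicode")


def parse_notification(xml_text):
    """First-network-device side: read back user, resource, pre-auth and cur-auth."""
    upd = ET.fromstring(xml_text).find(f"{{{AQ}}}auth-update")
    return {child.tag.split("}")[1]: child.text for child in upd}


# Constructed sample: test1 may read under aaa/lam; test2 has no rule at all.
USERS_PATH = "/huawei-aaa:aaa/lam/users/user"
OLD_RULES = [Rule(frozenset({"test1"}), "/huawei-aaa:aaa/lam", "read")]
NEW_RULES = [Rule(frozenset({"test1"}), "/huawei-aaa:aaa/lam", "create read update delete")]


def demo():
    """Second RPC carrying user identifier test1, then a rule change widening its rights."""
    monitor = AuthMonitor(rules=OLD_RULES, sessions={"test1", "test2"})
    monitor.subscribe(USERS_PATH, users=["test1"])
    return [parse_notification(n) for n in monitor.apply_rule_change(NEW_RULES)]
```

Two points a practitioner would check in a real implementation: the stored value must be re-determined from the changed mechanism rather than from a cached copy, or the comparison in 314 is meaningless; and because a second RPC instruction may name a user other than the sender, the server should decide whether the sender is allowed to learn about that user's rights before adding it as a target, which the example leaves to the caller.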
In summary, in this embodiment, by defining an RPC instruction for querying an operation right, the second network device may obtain a value of the first operation right according to a first identifier of a first resource carried by the RPC instruction, where the value of the first operation right is used to indicate whether the first network device has the first operation right to the first resource, so that a first response message encapsulating an operation right query result of the first resource is fed back to the first network device according to the value of the first operation right, so that the first network device may directly obtain the operation right query result of the first resource, thereby implementing a relatively intuitive query manner of the operation right and improving efficiency of querying the operation right.
Based on the same concept, as shown in fig. 34, the embodiment of the present application further provides an apparatus for querying operation rights, where the apparatus is used to execute the steps required to be executed by the second network device in the method shown in fig. 3. The device comprises:
the receiving module 3401 is configured to receive, by the second network device, a first remote procedure call RPC instruction sent by the first network device, where the first RPC instruction includes a first identifier of a first resource, and the first RPC instruction is used to indicate an operation authority for querying the first resource. The steps performed by the receiving module 3401 may be referred to the description in 303 above, and will not be described herein.
The parsing module 3402 is configured to parse the first RPC instruction by the second network device to obtain a first identifier. The steps performed by the parsing module 3402 may be referred to the description of 304 above, and will not be repeated here.
The obtaining module 3403 is configured to obtain, by the second network device, a value of a first operation right according to the first identifier, where the value of the first operation right is used to indicate whether the first network device has the first operation right on the first resource. The steps performed by the acquisition module 3403 may be described in the above 305, and will not be described herein.
And the sending module 3404 is configured to encapsulate, by the second network device, the operation permission query result of the first resource according to the value of the first operation permission to obtain a first response message, and send the first response message to the first network device. The steps performed by the transmission module 3404 may be referred to the description in the above 306, and will not be repeated here.
In a possible implementation manner, the first RPC instruction further includes a second identifier, which indicates whether to encapsulate the value of the first operation right when the first operation right is absent. The sending module 3404 is configured to, based on the value of the first operation right being a non-target value, or the value of the first operation right being the target value and the second identifier indicating that the value is to be encapsulated when the first operation right is absent, encapsulate the operation right query result of the first resource according to the second identifier to obtain the first response message, where the operation right query result of the first resource includes the value of the first operation right; the target value indicates that the first network device does not have the first operation right on the first resource, and a non-target value indicates that it does.
In a possible implementation manner, the first RPC instruction further includes a second identifier, where the second identifier is used to indicate whether to encapsulate the value of the first operation right if the first operation right is not available, and the sending module 3404 is configured to, based on that the value of the first operation right is a target value and the second identifier indicates that the value of the first operation right is not encapsulated if the first operation right is not available, encapsulate the operation right query result of the first resource according to the indication of the second identifier, obtain a first response message, where the operation right query result of the first resource does not include the value of the first operation right.
In a possible implementation manner, the receiving module 3401 is further configured to receive, by the second network device, a second RPC instruction sent by the first network device, where the second RPC instruction includes a third identifier of a second resource; the second network device parses the second RPC instruction to obtain the third identifier; the second network device determines at least one target network device from among the network devices with which it has established a session; the second network device obtains, according to the third identifier, the value of the second operation authority corresponding to each target network device, where the value corresponding to any one target network device indicates whether that target network device has the second operation authority on the second resource; based on detecting an update of the second operation authority corresponding to any one target network device, the second network device obtains the updated value of the second operation authority; and the second network device encapsulates the updated value of the second operation authority to obtain a notification message and sends the notification message to that target network device.
In a possible implementation manner, the second RPC instruction further includes a user identifier, and the receiving module 3401 is configured to use, by the second network device, a network device indicated by the user identifier in each first network device as a target network device.
In one possible implementation, the first resource is a YANG (Yet Another Next Generation) file, and the first identifier is a file name;
an obtaining module 3403, configured to determine at least one sub-resource included in the YANG file according to the file name by using the second network device, obtain a value of a third operation right corresponding to each sub-resource, where the value of the third operation right corresponding to any sub-resource is used to indicate the operation right of the first network device to any sub-resource, any sub-resource has a corresponding sub-identifier, and the at least one sub-resource includes at least one of a data node, a protocol operation, and a notification;
the sending module 3404 is configured to encapsulate an operation authority query result of the YANG file by using the second network device to obtain a first response message, where the operation authority query result of the YANG file includes a value of a third operation authority corresponding to each sub-resource and a sub-identifier, and the sub-identifiers are in one-to-one correspondence with the value of the third operation authority corresponding to the sub-resource.
In one possible implementation, the first resource is a data node and the first identifier is a node path;
the obtaining module 3403 is configured to determine, by the second network device according to the node path, that the data node includes at least one child node, obtain a value of a fourth operation right and a value of a fifth operation right corresponding to each child node, where the value of the fourth operation right is used to indicate the operation right of the first network device to the data node, the value of the fifth operation right corresponding to any child node is used to indicate the operation right of the first network device to any child node, and any child node has a corresponding child path;
The sending module 3404 is configured to encapsulate an operation authority query result of the data node by using the second network device to obtain a first response message, where the operation authority query result of the data node includes a node path, each sub-path, a value of a fourth operation authority and a value of a fifth operation authority corresponding to each sub-node, the node path corresponds to the value of the fourth operation authority, and the sub-paths correspond to the values of the fifth operation authorities corresponding to the sub-nodes one by one.
In one possible implementation, the first resource is a protocol operation, and the first identifier is an operation path;
the sending module 3404 is configured to encapsulate an operation authority query result of the protocol operation by using the second network device to obtain a first response message, where the operation authority query result of the protocol operation includes a value of a first operation authority, and the value of the first operation authority is used to indicate whether the first network device has an execution authority for the protocol operation.
In one possible implementation, the first resource is a notification and the first identifier is a notification path;
the sending module 3404 is configured to encapsulate, by the second network device, the operation permission query result of the notification to obtain a first response message, where the operation permission query result of the notification includes a value of the first operation permission, and the value of the first operation permission is used to indicate whether the first network device has a read permission for the notification.
In summary, in this embodiment, by defining an RPC instruction for querying an operation right, the second network device may obtain a value of the first operation right according to a first identifier of a first resource carried by the RPC instruction, where the value of the first operation right is used to indicate whether the first network device has the first operation right to the first resource, so that a first response message encapsulating an operation right query result of the first resource is fed back to the first network device according to the value of the first operation right, so that the first network device may directly obtain the operation right query result of the first resource, thereby implementing a relatively intuitive query manner of the operation right and improving efficiency of querying the operation right.
Based on the same concept, as shown in fig. 35, the embodiment of the present application further provides an apparatus for querying operation rights, where the apparatus is used to execute the steps required to be executed by the first network device in the method shown in fig. 3. The device comprises:
the acquiring module 3501 is configured to acquire a first identifier of a first resource of the operation right to be queried by the first network device, and encapsulate the first identifier to obtain a first remote procedure call RPC instruction. The steps performed by the acquisition module 3501 are described above with reference to 301, and will not be described here again.
A sending module 3502, configured to send, by the first network device, the first RPC instruction to the second network device. The steps performed by the transmitting module 3502 are described above with reference to 302, and will not be described herein.
The receiving module 3503 is configured to receive, by the first network device, a first response message sent by the second network device according to the first RPC instruction, where the first response message includes an operation authority query result of the first resource, and the first response message is a message obtained by encapsulating, by the second network device, the operation authority query result of the first resource according to a value of the first operation authority, where the value of the first operation authority is used to indicate whether the first network device has the first operation authority for the first resource. The steps performed by the receiving module 3503 are described above in reference to 307, and will not be described here again.
The parsing module 3504 is configured to parse the first response message by the first network device to obtain an operation authority query result of the first resource. The steps performed by the parsing module 3504 are described above with reference to 308, and will not be described herein.
In one possible implementation, the obtaining module 3501 is configured to obtain, by the first network device, a second identifier, where the second identifier is used to indicate whether to encapsulate the value of the first operation right without having the first operation right; the first network device encapsulates the first identifier and the second identifier to obtain a first RPC instruction.
In a possible implementation manner, the parsing module 3504 is configured to parse, by the first network device, the first response message, where the obtained operation right query result of the first resource includes a value of the first operation right, the first response message is based on that the value of the first operation right is a non-target value, or the value of the first operation right is a target value and the second identifier indicates that the value of the first operation right is encapsulated without the first operation right, and the second network device encapsulates, according to the second identifier, the operation right query result of the first resource, where the value of the first operation right is a target value and is used to indicate that the first network device does not have the first operation right on the first resource, and the value of the first operation right is a non-target value and is used to indicate that the first network device has the first operation right on the first resource.
In a possible implementation manner, the parsing module 3504 is configured to parse, by the first network device, the first response message, where the obtained operation right query result of the first resource does not include a value of the first operation right, the first response message is based on that the value of the first operation right is a target value and the second identifier indicates that the value of the first operation right is not encapsulated under the condition that the first operation right is not provided, and the second network device encapsulates, according to the second identifier, the operation right query result of the first resource, where the value of the first operation right is a target value and is used to indicate that the first network device does not have the operation right on the first resource.
In a possible implementation manner, the obtaining module 3501 is further configured to obtain, by the first network device, a third identifier of the second resource of which the operation authority to be detected is updated, where the third identifier is used for the second network device to obtain a value of the second operation authority corresponding to each target network device, the value of the second operation authority corresponding to any target network device is used to indicate whether any target network device has the second operation authority on the second resource, obtain, based on detecting the value update of the second operation authority corresponding to any target network device, the value of the updated second operation authority, package the obtained notification message of the updated value of the second operation authority, and send the notification message to any target network device;
the sending module 3502 is further configured to encapsulate the third identifier by the first network device to obtain a second RPC instruction, and send the second RPC instruction to the second network device.
In one possible implementation manner, the sending module 3502 is configured to obtain, by the first network device, a user identifier, where the user identifier is used by the second network device to take the network device indicated by the user identifier as the target network device; the first network device encapsulates the third identifier and the user identifier to obtain the second RPC instruction.
In a possible implementation manner, the first resource is a YANG (Yet Another Next Generation) file, the first identifier is a file name, the file name is used by the second network device to determine at least one sub-resource included in the YANG file, the at least one sub-resource includes at least one of a data node, a protocol operation and a notification, any sub-resource has a corresponding sub-identifier, and the parsing module 3504 is configured to parse the first response message by the first network device to obtain an operation authority query result of the YANG file, which includes the value of the third operation authority corresponding to each sub-resource and the sub-identifier, the sub-identifiers corresponding one-to-one to the values of the third operation authorities of the sub-resources.
In a possible implementation manner, the first resource is a data node, the first identifier is a node path, the node path is used for determining at least one sub-node included in the data node by the second network device, any sub-node has a corresponding sub-path, the parsing module 3504 is used for parsing the first response message by the first network device to obtain an operation authority query result of the data node, the operation authority query result of the data node includes a node path, each sub-path, a value of a fourth operation authority and a value of a fifth operation authority corresponding to each sub-node, the node path corresponds to the value of the fourth operation authority, and the sub-path corresponds to the value of the fifth operation authority corresponding to the sub-node one by one.
In one possible implementation manner, the first resource is a protocol operation, the first identifier is an operation path, the parsing module 3504 is configured to parse the first response message by the first network device to obtain an operation permission query result of the protocol operation, where the operation permission query result of the protocol operation includes a value of the first operation permission, and the value of the first operation permission is used to indicate whether the first network device has an execution permission on the protocol operation.
In one possible implementation, the first resource is a notification, the first identifier is a notification path, and the parsing module 3504 is configured to parse the first response message by the first network device to obtain a notified operation permission query result, where the notified operation permission query result includes a value of a first operation permission, and the value of the first operation permission is used to indicate whether the first network device has a read permission on the notification.
In summary, in this embodiment an RPC instruction for querying an operation right is defined, so that the second network device can obtain the value of the first operation right according to the first identifier of the first resource carried in the RPC instruction, where that value indicates whether the first network device has the first operation right to the first resource. The second network device then feeds back to the first network device a first response message that encapsulates the operation right query result of the first resource according to that value, so the first network device obtains the query result directly. This provides a relatively intuitive way of querying operation rights and improves the efficiency of the query.
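To make the two exchanges concrete, the following Python model is an added example; it is not code from the patent, from Huawei, or from any NETCONF implementation. It models the query RPC with the first identifier (a node path with sub-paths, as in claims 6 and 15) and the second identifier that decides whether a denied value is encapsulated (claims 2 and 3), and the watch RPC with the third identifier and optional user identifier that selects the target devices to notify when a permission changes (claims 1, 4, 9 and 13). The XML element names (`query-permission`, `include-if-denied`, `watch-permission`), the value encoding `permit`/`deny`, and the sample permission table are all assumptions chosen for the example; the patent fixes none of them.

```python
import xml.etree.ElementTree as ET

# Value encoding (an assumption of this example): the patent calls the "no
# permission" encoding the target value; any other value means the right is held.
TARGET_VALUE = "deny"
NON_TARGET_VALUE = "permit"


class SecondNetworkDevice:
    """Answers permission-query RPCs and notifies target devices of changes.
    `table` maps resource identifier -> {client: set of held operations}; it is
    constructed sample data standing in for the device's real access-control config."""

    def __init__(self, table, sessions):
        self.table = table
        self.sessions = set(sessions)  # clients with an established session
        self.watchers = {}             # resource -> set of target clients to notify
        self.outbox = []               # (client, notification XML) the device would send

    def _value(self, client, resource, operation):
        held = operation in self.table.get(resource, {}).get(client, set())
        return NON_TARGET_VALUE if held else TARGET_VALUE

    def handle_query(self, client, rpc_xml):
        """First RPC: <query-permission> carries the first identifier (<resource>)
        and the second identifier (<include-if-denied>); returns the response XML."""
        q = ET.fromstring(rpc_xml)
        resource, operation = q.findtext("resource"), q.findtext("operation")
        include_if_denied = q.findtext("include-if-denied", "true") == "true"
        reply = ET.Element("permission-result")
        # The queried resource plus every sub-resource below it (node path + sub-paths).
        subjects = [resource] + sorted(r for r in self.table if r.startswith(resource + "/"))
        for subject in subjects:
            value = self._value(client, subject, operation)
            entry = ET.SubElement(reply, "entry")
            ET.SubElement(entry, "identifier").text = subject
            # Held, or denied with the flag set: value encapsulated (claim 2);
            # denied with the flag clear: value left out (claim 3).
            if value != TARGET_VALUE or include_if_denied:
                ET.SubElement(entry, "value").text = value
        return ET.tostring(reply, encoding="unicode")

    def handle_watch(self, client, rpc_xml):
        """Second RPC: <watch-permission> carries the third identifier and an optional
        <user>; targets are that user if it has a session, else every session peer."""
        w = ET.fromstring(rpc_xml)
        user = w.findtext("user")
        targets = ({user} & self.sessions) if user else set(self.sessions)
        self.watchers.setdefault(w.findtext("resource"), set()).update(targets)
        return sorted(targets)

    def update_permission(self, client, resource, operation, grant):
        """Change one permission; queue a notification if the client is a watched target."""
        ops = self.table.setdefault(resource, {}).setdefault(client, set())
        if grant:
            ops.add(operation)
        else:
            ops.discard(operation)
        if client in self.watchers.get(resource, set()):
            note = ET.Element("notification")
            ET.SubElement(note, "resource").text = resource
            ET.SubElement(note, "value").text = self._value(client, resource, operation)
            self.outbox.append((client, ET.tostring(note, encoding="unicode")))


class FirstNetworkDevice:
    """Builds the two RPCs and parses the reply (the sending and parsing modules)."""

    @staticmethod
    def _rpc(name, **fields):
        root = ET.Element(name)
        for tag, text in fields.items():
            if text is not None:
                ET.SubElement(root, tag.replace("_", "-")).text = text
        return ET.tostring(root, encoding="unicode")

    @classmethod
    def build_query(cls, resource, operation, include_if_denied=True):
        return cls._rpc("query-permission", resource=resource, operation=operation,
                        include_if_denied=str(include_if_denied).lower())

    @classmethod
    def build_watch(cls, resource, user=None):
        return cls._rpc("watch-permission", resource=resource, user=user)

    @staticmethod
    def parse_reply(reply_xml):
        # value is None where the second network device left it out
        return {e.findtext("identifier"): e.findtext("value")
                for e in ET.fromstring(reply_xml).findall("entry")}


def demo():
    """Run both exchanges over constructed sample data; returns the results."""
    table = {  # constructed sample permissions
        "/interfaces": {"dev-a": {"read"}, "dev-b": {"read", "write"}},
        "/interfaces/interface[name='eth0']": {"dev-a": {"read"}},
        "/interfaces/interface[name='eth0']/enabled": {"dev-b": {"read"}},
    }
    server, client = SecondNetworkDevice(table, {"dev-a", "dev-b"}), FirstNetworkDevice
    full = client.parse_reply(server.handle_query("dev-a", client.build_query("/interfaces", "read")))
    terse = client.parse_reply(server.handle_query("dev-a", client.build_query("/interfaces", "read", False)))
    targets = server.handle_watch("dev-a", client.build_watch("/interfaces", user="dev-a"))
    server.update_permission("dev-a", "/interfaces", "write", grant=True)   # dev-a is a target
    server.update_permission("dev-b", "/interfaces", "write", grant=False)  # dev-b is not
    return full, terse, targets, server.outbox
```

In `demo()`, the first query returns a value for the node path and both sub-paths, the second query (flag cleared) returns no value for the sub-node on which `dev-a` holds nothing, and only the device named by the user identifier receives the notification when its permission changes; a change to a peer that is not a target produces no message at all.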
It should be understood that the apparatus provided in fig. 34 and 35 is merely illustrative of the division of functional modules when implementing its functions; in practical applications, the functions may be allocated to different functional modules as needed, i.e. the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. In addition, the apparatus embodiments and the method embodiments provided above belong to the same concept; their specific implementation processes are detailed in the method embodiments and are not repeated here.
Referring to fig. 36, the embodiment of the present application further provides an apparatus 3600 for querying operation rights, which is used to perform the operations related to the method for querying operation rights described above. The apparatus 3600 for querying operation rights includes a memory 3601, a processor 3602 and an interface 3603, which are connected to one another by a bus 3604.
The memory 3601 stores at least one instruction, where the at least one instruction is loaded and executed by the processor 3602 to implement any of the methods for querying operational rights described above.
The interface 3603 is used for communicating with other devices in a network; it may be implemented in a wired or wireless manner and may be, for example, a network card. The device 3600 for querying operation rights communicates with other devices through the interface 3603.
For example, the device 3600 for querying operation rights shown in fig. 36 is the first network device in fig. 1, and the processor 3602 reads the instructions in the memory 3601, so that the device 3600 for querying operation rights shown in fig. 36 can perform all or part of the operations performed by the first network device.
For another example, the apparatus 3600 for querying operation rights shown in fig. 36 is the second network device in fig. 1, and the processor 3602 reads the instructions in the memory 3601, so that the apparatus 3600 shown in fig. 36 can perform all or part of the operations performed by the second network device.
It should be appreciated that fig. 36 only shows a simplified design of the device 3600 that queries for operational rights. In practice, the device 3600 that queries for operational rights may include any number of interfaces, processors, or memories. Further, the processor may be a central processing unit (Central Processing Unit, CPU), other general purpose processors, digital signal processors (digital signal processing, DSP), application specific integrated circuits (application specific integrated circuit, ASIC), field-programmable gate arrays (field-programmable gate array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or any conventional processor or the like. It is noted that the processor may be a processor supporting an advanced reduced instruction set machine (advanced RISC machines, ARM) architecture.
Further, in an alternative embodiment, the memory may include read only memory and random access memory, and provide instructions and data to the processor. The memory may also include non-volatile random access memory. For example, the memory may also store information of the device type.
In an exemplary embodiment, the present embodiment provides another communication apparatus, including: a transceiver, a memory, and a processor. The transceiver, the memory and the processor are in communication with each other through an internal connection path, the memory is used for storing instructions, the processor is used for executing the instructions stored in the memory to control the transceiver to receive signals and control the transceiver to send signals, and when the processor executes the instructions stored in the memory, the processor is caused to execute a method required to be executed by the first network device.
In an exemplary embodiment, the present embodiment provides another communication apparatus, including: a transceiver, a memory, and a processor. The transceiver, the memory and the processor are in communication with each other through an internal connection path, the memory is used for storing instructions, the processor is used for executing the instructions stored in the memory to control the transceiver to receive signals and control the transceiver to send signals, and when the processor executes the instructions stored in the memory, the processor is caused to execute a method required to be executed by the second network device.
Optionally, the processor is one or more and the memory is one or more.
Alternatively, the memory may be integrated with the processor or the memory may be separate from the processor.
In a specific implementation process, the memory may be a non-transient (non-transitory) memory, for example, a Read Only Memory (ROM), which may be integrated on the same chip as the processor, or may be separately disposed on different chips.
In an exemplary embodiment, a system for querying operation rights is provided. The system comprises a first network device and a second network device, which are in communication connection. The method for querying operation rights executed by the first network device and the second network device is described in 301-315 above and is not repeated here.
In an exemplary embodiment, a computer program (product) is provided, the computer program (product) comprising: computer program code which, when run by a computer, causes the computer to perform the method in the description above.
In an exemplary embodiment, a readable storage medium is provided, the readable storage medium storing a program or instructions that, when run on a computer, perform the method of the above description.
In an exemplary embodiment, a chip is provided that includes a processor to call from a memory and execute instructions stored in the memory, such that a communication device on which the chip is mounted performs the method in the above description.
In an exemplary embodiment, another chip is provided, comprising: the input interface, the output interface, the processor and the memory are connected through an internal connection path, the processor is used for executing codes in the memory, and when the codes are executed, the processor is used for executing the method in the above description.
It is to be appreciated that the processor described above can be a central processing unit (Central Processing Unit, CPU), but also other general purpose processors, digital signal processors (digital signal processing, DSP), application specific integrated circuits (application specific integrated circuit, ASIC), field-programmable gate arrays (field-programmable gate array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or any conventional processor or the like. It is noted that the processor may be a processor supporting an advanced reduced instruction set machine (advanced RISC machines, ARM) architecture.
Further, in an alternative embodiment, the memory may include read only memory and random access memory, and provide instructions and data to the processor. The memory may also include non-volatile random access memory. For example, the memory may also store information of the device type.
The memory may be volatile memory or nonvolatile memory, or may include both. The nonvolatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory may be random access memory (RAM), which acts as an external cache. By way of example and not limitation, many forms of RAM are available, for example static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), and direct rambus RAM (DR RAM).
The present application provides a computer program which, when executed by a computer, causes a processor or computer to perform the corresponding steps and/or procedures of the above-described method embodiments.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions according to the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, second network device, or data center to another website, computer, second network device, or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a second network device or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk).
The foregoing is illustrative of the present application and is not to be construed as limiting it; the scope of the present application is defined by the appended claims.
Claims (22)
1. A method of querying operational rights, the method comprising:
the second network device receives a first Remote Procedure Call (RPC) instruction sent by the first network device, wherein the first RPC instruction comprises a first identifier of a first resource, and the first RPC instruction is used for indicating to query the operation authority of the first resource;
the second network device parses the first RPC instruction to obtain the first identifier;
the second network device obtains a value of a first operation authority according to the first identifier, wherein the value of the first operation authority is used for indicating whether the first network device has the first operation authority to the first resource;
the second network device encapsulates an operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message, and sends the first response message to the first network device;
the second network device receives a second RPC instruction sent by the first network device, wherein the second RPC instruction comprises a third identifier of a second resource;
the second network device parses the second RPC instruction to obtain the third identifier;
the second network device determines at least one target network device based on each network device with which a session is established;
the second network device obtains a value of a second operation authority corresponding to each target network device according to the third identifier, wherein the value of the second operation authority corresponding to any one target network device is used for indicating whether the any one target network device has the second operation authority to the second resource;
based on detecting that the second operation authority corresponding to the any one target network device is updated, the second network device obtains an updated value of the second operation authority;
and the second network device encapsulates the updated value of the second operation authority to obtain a notification message, and sends the notification message to the any one target network device.
2. The method of claim 1, wherein the first RPC instruction further comprises a second identifier, the second identifier being used to indicate whether to encapsulate the value of the first operation authority in the case that the first operation authority is not held, and wherein the second network device encapsulating the operation authority query result of the first resource according to the value of the first operation authority to obtain the first response message comprises:
based on the value of the first operation authority being a non-target value, or the value of the first operation authority being a target value and the second identifier indicating that the value of the first operation authority is encapsulated in the case that the first operation authority is not held, the second network device encapsulating the operation authority query result of the first resource according to the second identifier to obtain the first response message, wherein the operation authority query result of the first resource comprises the value of the first operation authority, the value of the first operation authority being the target value is used for indicating that the first network device does not have the first operation authority to the first resource, and the value of the first operation authority being a non-target value is used for indicating that the first network device has the first operation authority to the first resource.
3. The method of claim 1, wherein the first RPC instruction further comprises a second identifier, the second identifier being used to indicate whether to encapsulate the value of the first operation authority in the case that the first operation authority is not held, and wherein the second network device encapsulating the operation authority query result of the first resource according to the value of the first operation authority to obtain the first response message comprises:
based on the value of the first operation authority being a target value and the second identifier indicating that the value of the first operation authority is not encapsulated in the case that the first operation authority is not held, the second network device encapsulating the operation authority query result of the first resource according to the indication of the second identifier to obtain the first response message, wherein the operation authority query result of the first resource does not comprise the value of the first operation authority.
4. The method of claim 1, wherein the second RPC instruction further includes a user identification, wherein the second network device determines at least one target network device based on each network device with which a session is established, and wherein the determining includes:
the second network device takes the network device indicated by the user identification in each first network device as the target network device.
5. The method of any one of claims 1-4, wherein the first resource is a Yet Another Next Generation (YANG) file and the first identifier is a file name;
the second network device obtains a value of a first operation authority according to the first identifier, and the method comprises the following steps:
the second network device determines at least one sub-resource included in the YANG file according to the file name, acquires a value of a third operation authority corresponding to each sub-resource, wherein the value of the third operation authority corresponding to any sub-resource is used for indicating the operation authority of the first network device on any sub-resource, any sub-resource has a corresponding sub-identifier, and the at least one sub-resource comprises at least one of a data node, a protocol operation and a notification;
The second network device encapsulates the operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message, including:
and the second network equipment encapsulates the operation permission query result of the YANG file to obtain a first response message, wherein the operation permission query result of the YANG file comprises the values of the third operation permissions corresponding to the sub-resources and sub-identifiers, and the sub-identifiers are in one-to-one correspondence with the values of the third operation permissions corresponding to the sub-resources.
6. The method according to any one of claims 1-4, wherein the first resource is a data node, the first identifier is a node path, and the second network device obtains the value of the first operation right according to the first identifier, including:
the second network device determines that the data node comprises at least one sub-node according to the node path, acquires a value of a fourth operation authority and a value of a fifth operation authority corresponding to each sub-node, wherein the value of the fourth operation authority is used for indicating the operation authority of the first network device on the data node, the value of the fifth operation authority corresponding to any sub-node is used for indicating the operation authority of the first network device on any sub-node, and any sub-node has a corresponding sub-path;
The second network device encapsulates the operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message, including:
the second network device encapsulates an operation authority query result of a data node to obtain a first response message, wherein the operation authority query result of the data node comprises a node path, each sub-path, a value of the fourth operation authority and a value of a fifth operation authority corresponding to each sub-node, the node path corresponds to the value of the fourth operation authority, and the sub-paths correspond to the values of the fifth operation authorities corresponding to the sub-nodes one by one.
7. The method of any of claims 1-4, wherein the first resource is a protocol operation and the first identifier is an operation path;
the second network device encapsulates the operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message, including:
the second network device encapsulates an operation authority query result of the protocol operation to obtain a first response message, wherein the operation authority query result of the protocol operation comprises a value of the first operation authority, and the value of the first operation authority is used for indicating whether the first network device has an execution authority for the protocol operation.
8. The method of any of claims 1-4, wherein the first resource is a notification and the first identifier is a notification path;
the second network device encapsulates the operation authority query result of the first resource according to the value of the first operation authority to obtain a first response message, including:
the second network device packages the notified operation permission query result to obtain a first response message, wherein the notified operation permission query result comprises the value of the first operation permission, and the value of the first operation permission is used for indicating whether the first network device has reading permission for the notification.
9. A method of querying operational rights, the method comprising:
the method comprises the steps that first network equipment obtains a first identifier of a first resource of operation authorities to be queried, and packages the first identifier to obtain a first Remote Procedure Call (RPC) instruction, wherein the first RPC instruction is used for indicating the operation authorities for querying the first resource;
the first network device sends the first RPC instruction to a second network device;
the first network device receives a first response message sent by the second network device according to the first RPC instruction, wherein the first response message comprises an operation authority query result of the first resource, the first response message is obtained by encapsulating the operation authority query result of the first resource according to a value of a first operation authority of the second network device, and the value of the first operation authority is used for indicating whether the first network device has the first operation authority to the first resource;
The first network equipment analyzes the first response message to obtain an operation authority query result of the first resource;
the first network device obtains a third identifier of a second resource whose operation authority update is to be detected, wherein the third identifier is used by the second network device to obtain a value of a second operation authority corresponding to each target network device, the value of the second operation authority corresponding to any one target network device being used for indicating whether the any one target network device has the second operation authority to the second resource; to obtain, based on detecting that the value of the second operation authority corresponding to the any one target network device is updated, the updated value of the second operation authority; to encapsulate the updated value of the second operation authority to obtain a notification message; and to send the notification message to the any one target network device;
and the first network equipment encapsulates the third identifier to obtain a second RPC instruction, and sends the second RPC instruction to the second network equipment.
10. The method of claim 9, wherein encapsulating the first identifier to obtain the first Remote Procedure Call (RPC) instruction comprises:
the first network device obtains a second identifier, wherein the second identifier is used for indicating whether the value of the first operation authority is packaged or not under the condition that the first operation authority is not provided;
And the first network equipment encapsulates the first identifier and the second identifier to obtain the first RPC instruction.
11. The method of claim 10, wherein the first network device parsing the first response message to obtain an operation permission query result for the first resource comprises:
the first network device parses the first response message, and the obtained operation authority query result of the first resource comprises the value of the first operation authority, wherein the first response message is obtained by the second network device encapsulating the operation authority query result of the first resource according to the second identifier, based on the value of the first operation authority being a non-target value, or the value of the first operation authority being a target value and the second identifier indicating that the value of the first operation authority is encapsulated in the case that the first operation authority is not held; the value of the first operation authority being the target value is used for indicating that the first network device does not have the first operation authority to the first resource, and the value of the first operation authority being a non-target value is used for indicating that the first network device has the first operation authority to the first resource.
12. The method of claim 10, wherein the first network device parsing the first response message to obtain an operation permission query result for the first resource comprises:
the first network device parses the first response message, and the obtained operation authority query result of the first resource does not comprise the value of the first operation authority, wherein the first response message is obtained by the second network device encapsulating the operation authority query result of the first resource according to the indication of the second identifier, based on the value of the first operation authority being a target value and the second identifier indicating that the value of the first operation authority is not encapsulated in the case that the first operation authority is not held; the value of the first operation authority being the target value is used for indicating that the first network device does not have the operation authority to the first resource.
13. The method of claim 9, wherein the first network device encapsulating the third identification to obtain a second RPC instruction comprises:
the first network device obtains a user identifier, and the user identifier is used for the second network device to take the network device indicated by the user identifier as the target network device;
And the first network equipment encapsulates a second identifier and the user identifier to obtain the second RPC instruction.
14. The method according to any one of claims 9-13, wherein the first resource is a Yet Another Next Generation (YANG) file, the first identifier is a file name, the file name is used by the second network device to determine at least one sub-resource included in the YANG file, the at least one sub-resource includes at least one of a data node, a protocol operation, and a notification, any one sub-resource has a corresponding sub-identifier, and the first network device parsing the first response message to obtain an operation permission query result of the first resource comprises:
the first network device analyzes the first response message to obtain an operation authority query result of the YANG file, wherein the operation authority query result of the YANG file comprises the value of the third operation authority corresponding to each sub-resource and sub-identifiers, and the sub-identifiers are in one-to-one correspondence with the value of the third operation authority corresponding to the sub-resource.
15. The method according to any one of claims 9-13, wherein the first resource is a data node, the first identifier is a node path, the node path is used for the second network device to determine at least one child node included in the data node, any child node has a corresponding child path, and the first network device parses the first response message to obtain an operation authority query result of the first resource, and the method includes:
The first network device analyzes the first response message to obtain an operation authority query result of the data node, wherein the operation authority query result of the data node comprises a node path, each sub-path, a value of a fourth operation authority and a value of a fifth operation authority corresponding to each sub-node, the node path corresponds to the value of the fourth operation authority, the sub-paths correspond to the values of the fifth operation authorities corresponding to the sub-nodes one by one, and the value of the fourth operation authority is used for indicating the operation authority of the first network device on the data node.
16. The method according to any one of claims 9-13, wherein the first resource is a protocol operation, the first identifier is an operation path, and the first network device parses the first response message to obtain an operation permission query result of the first resource, including:
the first network device analyzes the first response message to obtain an operation authority query result of the protocol operation, wherein the operation authority query result of the protocol operation comprises a value of the first operation authority, and the value of the first operation authority is used for indicating whether the first network device has an execution authority for the protocol operation or not.
17. The method of any one of claims 9-13, wherein the first resource is a notification, the first identifier is a notification path, and the first network device parses the first response message to obtain an operation permission query result of the first resource, including:
the first network device analyzes the first response message to obtain a notified operation authority query result, wherein the notified operation authority query result comprises a value of the first operation authority, and the value of the first operation authority is used for indicating whether the first network device has reading authority for the notification.
18. An apparatus for querying operational rights, the apparatus comprising:
a receiving module, configured to receive, by a second network device, a first Remote Procedure Call (RPC) instruction sent by a first network device, wherein the first RPC instruction comprises a first identifier of a first resource, and the first RPC instruction is used for indicating to query the operation authority of the first resource;
a parsing module, configured to parse, by the second network device, the first RPC instruction to obtain the first identifier;
an acquisition module, configured to obtain, by the second network device, a value of a first operation authority according to the first identifier, wherein the value of the first operation authority is used for indicating whether the first network device has the first operation authority to the first resource;
A sending module, configured to encapsulate, by the second network device, an operation permission query result of the first resource according to the value of the first operation permission to obtain a first response message, and send the first response message to the first network device;
the receiving module is further configured to receive a second RPC instruction sent by the first network device, where the second RPC instruction includes a third identifier of a second resource;
the parsing module is further configured to parse the second RPC instruction by using the second network device to obtain the third identifier;
the acquisition module is further configured to determine at least one target network device by using the second network device based on each network device with which a session is established with the second network device; the second network device obtains the value of the second operation authority corresponding to each target network device according to the third identifier, wherein the value of the second operation authority corresponding to any one target network device is used for indicating whether any one target network device has the second operation authority to the second resource; the second network equipment acquires an updated value of a second operation authority based on the fact that the second operation authority corresponding to any one of the target network equipment is detected to be updated;
The sending module is further configured to encapsulate the updated value of the second operation authority by using the second network device, and send the notification message to any one of the target network devices.
19. An apparatus for querying operation authority, the apparatus comprising:
an acquisition module, configured to obtain, by a first network device, a first identifier of a first resource whose operation authority is to be queried, and encapsulate the first identifier to obtain a first Remote Procedure Call (RPC) instruction;
a sending module, configured to send, by the first network device, the first RPC instruction to a second network device;
a receiving module, configured to receive, by the first network device, a first response message sent by the second network device according to the first RPC instruction, where the first response message comprises an operation permission query result of the first resource, the first response message being a message obtained by the second network device encapsulating the operation permission query result of the first resource according to a value of a first operation permission, and the value of the first operation permission being used to indicate whether the first network device has the first operation permission for the first resource; and
a parsing module, configured to parse, by the first network device, the first response message to obtain the operation permission query result of the first resource;
where the acquisition module is further configured to obtain a third identifier of a second resource whose operation authority update is to be detected, the third identifier being used by the second network device to obtain a value of a second operation authority corresponding to each target network device, where the value of the second operation authority corresponding to any target network device is used to indicate whether that target network device has the second operation authority for the second resource, to obtain an updated value of the second operation authority upon detecting that the value of the second operation authority corresponding to any target network device has been updated, to encapsulate the updated value of the second operation authority to obtain a notification message, and to send the notification message to that target network device; and
the sending module is further configured to encapsulate, by the first network device, the third identifier to obtain a second RPC instruction, and send the second RPC instruction to the second network device.
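The two-sided exchange of claims 18 and 19 (a query RPC answered with a permission value, then a subscription RPC that makes the second device notify each session peer whose permission changes), as an added in-memory illustration that is not the patent's own code; the message layout, field names and the sample permission table are constructed assumptions.

```python
# Added illustration (not the patent's code): minimal model of the RPC exchange in
# claims 18 and 19. Message fields and the permission table are constructed.
from dataclasses import dataclass, field


@dataclass
class SecondNetworkDevice:
    """Server side (claim 18): receives RPCs, looks up permission values, notifies targets."""
    permissions: dict = field(default_factory=dict)    # (device_id, identifier) -> bool
    sessions: set = field(default_factory=set)         # devices with an established session
    subscriptions: dict = field(default_factory=dict)  # identifier -> {target: last value}
    outbox: list = field(default_factory=list)         # notification messages sent

    def handle_rpc(self, sender: str, rpc: dict) -> dict:
        """Parse one RPC instruction and return the encapsulated response message."""
        ident = rpc.get("identifier")
        if rpc.get("rpc") == "query-permission":
            # First RPC: value of the first operation authority for the sender's resource.
            value = self.permissions.get((sender, ident), False)
            return {"reply": "permission-result", "identifier": ident, "value": value}
        if rpc.get("rpc") == "subscribe-permission-update":
            # Second RPC: targets are the devices with an open session; remember each
            # target's current value so a later change can be detected.
            self.subscriptions[ident] = {
                dev: self.permissions.get((dev, ident), False) for dev in self.sessions}
            return {"reply": "ok", "identifier": ident}
        return {"reply": "error", "reason": "unknown-rpc"}

    def update_permission(self, device: str, ident: str, value: bool) -> None:
        """Apply a permission change; notify the affected target only if its value changed."""
        self.permissions[(device, ident)] = value
        targets = self.subscriptions.get(ident, {})
        if device in targets and targets[device] != value:
            targets[device] = value
            self.outbox.append({"notification": "permission-updated", "to": device,
                                "identifier": ident, "value": value})


def first_device_query(server: SecondNetworkDevice, me: str, ident: str) -> bool:
    """Client side (claim 19): encapsulate the identifier, send the RPC, parse the reply."""
    reply = server.handle_rpc(me, {"rpc": "query-permission", "identifier": ident})
    if reply.get("reply") != "permission-result":
        raise ValueError(f"unexpected reply: {reply}")
    return bool(reply["value"])
```

A device without an established session is never selected as a target, so a permission change for it produces no notification.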
20. An apparatus for querying an operational right, the apparatus comprising a memory and a processor; the memory has stored therein at least one instruction that is loaded and executed by the processor to implement the method of querying operational rights of any of claims 1-8 or 9-17.
21. A system for querying operation rights, the system comprising a first network device and a second network device, where the first network device and the second network device are communicatively connected;
the second network device is configured to perform the method of querying the operation rights according to any of claims 1-8, and the first network device is configured to perform the method of querying the operation rights according to any of claims 9-17.
22. A computer readable storage medium having stored therein at least one instruction that is loaded and executed by a processor to implement the method of querying operational rights in accordance with any of claims 1-17.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010895643.2A | 2020-08-31 | 2020-08-31 | Method, device, equipment and computer readable storage medium for inquiring operation authority |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114205098A | 2022-03-18 |
CN114205098B | 2023-12-15 |
Family ID: 80644180
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114205098B (en) |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101593260A | 2009-07-03 | 2009-12-02 | 杭州华三通信技术有限公司 | Privilege application method and device for a management system |
CN103023656A | 2012-12-17 | 2013-04-03 | 北京普泽天玑数据技术有限公司 | Method and system for controlling authority by distributed sequence table |
CN106339267A | 2016-09-08 | 2017-01-18 | 华为技术有限公司 | Object query method and server side |
CN107122406A | 2017-03-24 | 2017-09-01 | 东华大学 | Access control method for data fields in a Hadoop platform |
CN107748849A | 2017-10-25 | 2018-03-02 | 郑州云海信息技术有限公司 | Authority control method and system based on NFS |
CN107770177A | 2017-10-25 | 2018-03-06 | 湖南普天科技集团有限公司 | Distributed collaboration service system based on mobile data |
CN108173839A | 2017-12-26 | 2018-06-15 | 北京奇虎科技有限公司 | Right management method and system |
CN110535880A | 2019-09-25 | 2019-12-03 | 四川师范大学 | Access control method and system for the Internet of Things |
CN111177789A | 2020-01-07 | 2020-05-19 | 江苏满运软件科技有限公司 | Authority management method, system, device and storage medium |
CN111200578A | 2018-11-16 | 2020-05-26 | 华为技术有限公司 | Communication method, client device and server device |
Also Published As
Publication number | Publication date |
---|---|
CN114205098A | 2022-03-18 |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |