CN115795493A - Access control policy deployment method, related device and access control system - Google Patents

Info

Publication number: CN115795493A
Application number: CN202111064345.XA
Authority: CN (China)
Prior art keywords: policy, target, plug, access control, execution
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 吴岳廷
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd; priority to CN202111064345.XA; publication of CN115795493A

Landscapes

  • Storage Device Security (AREA)

Abstract

The embodiments of this application disclose an access control policy deployment method, a related device and an access control system. The method comprises the following steps: acquiring a target policy plug-in template corresponding to a target access control policy to be deployed, where the target policy plug-in template comprises control information and policy content of the target access control policy, the control information indicates the execution mode of the target access control policy, and the policy content comprises the access control rules under the target access control policy; constructing, based on the target policy plug-in template, a target policy execution plug-in corresponding to the target access control policy; and deploying, based on the control information in the target policy plug-in template, the target policy execution plug-in on a policy execution plug-in chain in the target component, where the policy execution plug-in chain comprises the policy execution plug-ins corresponding to the access control policies already deployed in the target component. The method can effectively improve the flexibility of access control policy deployment.

Description

Access control policy deployment method, related device and access control system
Technical Field
The present application relates to the field of communications technologies, and in particular, to an access control policy deployment method, a related apparatus, and an access control system.
Background
With the rapid development of technologies such as cloud native and big data, the network security boundary of the enterprise has been broken: the types of access requests for enterprise intranet business resources are increasingly diverse, such resources are accessed more frequently and flow frequently between different systems or applications, and the risk of business resource leakage and abuse grows accordingly. To secure the business resources of the enterprise intranet, an administrator usually needs to deploy an access control policy in the components on the intranet's access channel, so that those components check, based on the deployed access control policy, each access request that asks to access the intranet's business resources.
In the related art, the access control policy deployed in a component on the intranet's access channel is usually static and consists of a plurality of fixed access control rules. After receiving an access request, the component matches the request against each access control rule in its deployed policy one by one in order to find the rule suited to verifying that request, and then uses the rule found to verify whether the access request is legitimate.
However, a static access control policy is extremely inflexible. When an access control rule must be set or adjusted to suit a specific scenario or to respond to an emergency, the administrator typically has to adjust the rule on a management terminal according to actual requirements, rework the whole deployed policy with the adjusted rule, and then globally replace the policy deployed in the component with the adjusted policy. Static access control policies are therefore difficult to adjust quickly and flexibly, and as access control rules grow ever more complex, such policies struggle to meet actual access control requirements.
Disclosure of Invention
The embodiments of this application provide an access control policy deployment method, a related device and an access control system, which can effectively improve the flexibility of access control policy deployment.
In view of this, a first aspect of the present application provides an access control policy deployment method, where the method includes:
acquiring a target policy plug-in template corresponding to a target access control policy to be deployed; the target policy plug-in template comprises control information and policy content of the target access control policy, wherein the control information is used for indicating an execution mode of the target access control policy, and the policy content comprises an access control rule under the target access control policy;
constructing a target policy execution plug-in corresponding to the target access control policy based on the target policy plug-in template; the target policy execution plug-in is used for verifying the access request based on the access control rule included in the policy content;
deploying the target policy execution plug-in on a policy execution plug-in chain in a target component based on the control information in the target policy plug-in template; the policy execution plug-in chain comprises a policy execution plug-in corresponding to each deployed access control policy in the target component, and the target component is used for completing verification of an access request based on the policy execution plug-ins deployed on the policy execution plug-in chain.
A second aspect of the present application provides an access control system, characterized in that the system includes an access agent, a client, a server and a gateway; the access agent, the client, the server and the gateway each deploy their access control policies by the access control policy deployment method of the first aspect;
the access agent is used for intercepting an access request based on the policy execution plug-in deployed in the access agent and transmitting the request parameters and process information of the access request to the client;
the client is used for performing primary verification on the access request, based on the policy execution plug-in deployed in the client, according to the request parameters and process information of the access request, and, after confirming that the access request passes the primary verification, transmitting the request parameters and process information of the access request to the server;
the server is used for performing secondary verification on the access request, based on the policy execution plug-in deployed in the server, according to the request parameters and process information of the access request, and issuing an access ticket corresponding to the access request to the client according to the result of the secondary verification;
the client is further used for forwarding the access ticket to the access agent;
the access agent is further used for sending the access ticket and the access request to the gateway;
the gateway is used for sending the access ticket to the server for verification based on the policy execution plug-in deployed in the gateway, and for controlling, based on that policy execution plug-in, whether the access request may access the intranet service resource according to the server's verification result for the access ticket.
A third aspect of the present application provides an access control policy deployment apparatus, including:
the template acquisition module is used for acquiring a target policy plug-in template corresponding to a target access control policy to be deployed; the target policy plug-in template comprises control information and policy content of the target access control policy, wherein the control information is used for indicating an execution mode of the target access control policy, and the policy content comprises an access control rule under the target access control policy;
the plug-in construction module is used for constructing a target policy execution plug-in corresponding to the target access control policy based on the target policy plug-in template; the target policy execution plug-in is used for verifying the access request based on the access control rule included in the policy content;
the plug-in deployment module is used for deploying the target policy execution plug-in on a policy execution plug-in chain in the target component based on the control information in the target policy plug-in template; the policy execution plug-in chain comprises a policy execution plug-in corresponding to each deployed access control policy in the target component, and the target component is used for completing verification of an access request based on the policy execution plug-ins deployed on the policy execution plug-in chain.
A fourth aspect of the present application provides an apparatus comprising a processor and a memory:
the memory is used for storing a computer program;
the processor is configured to perform the steps of the access control policy deployment method according to the first aspect as described above, according to the computer program.
A fifth aspect of the present application provides a computer-readable storage medium for storing a computer program for executing the steps of the access control policy deployment method according to the first aspect.
A sixth aspect of the application provides a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and executes the computer instructions, so that the computer device executes the steps of the access control policy deployment method according to the first aspect.
According to the technical scheme, the embodiment of the application has the following advantages:
The embodiments of this application provide an access control policy deployment method that introduces a dynamic, plug-in based way of deploying access control policies. When a component on the communication channel deploys an access control policy in this way, it constructs the policy execution plug-in corresponding to the policy from the policy plug-in template corresponding to that policy, and then deploys the plug-in on its policy execution plug-in chain, so that the component can verify access requests using the plug-ins deployed on the chain. When a deployed access control policy needs a local adjustment (for example, some of its access control rules are changed) or a new access control policy is added, a policy plug-in template is issued to the component, the component constructs the corresponding policy execution plug-in, and that plug-in either overwrites an already deployed plug-in or is inserted at the corresponding position on the chain, without globally adjusting the deployed access control policy. Therefore, when access control rules must be adapted to a specific scenario or adjusted in response to an emergency, the corresponding policy execution plug-in can be deployed flexibly and quickly, so that the access control policy deployed on the component adapts rapidly to actual requirements.
Drawings
Fig. 1 is a schematic structural diagram of an access control system provided in an embodiment of the present application;
Fig. 2 is a schematic diagram of signaling interaction inside an access control system according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of an access control policy deployment method according to an embodiment of the present application;
Fig. 4 is a diagram of an exemplary target policy plug-in template provided by an embodiment of the present application;
Fig. 5 is a schematic view of a scenario of an access control policy deployment method according to an embodiment of the present application;
Fig. 6 is a schematic view of another scenario of an access control policy deployment method according to an embodiment of the present application;
Fig. 7 is a schematic view of another scenario of an access control policy deployment method according to an embodiment of the present application;
Fig. 8 is a schematic view of another scenario of an access control policy deployment method according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a first access control policy deployment apparatus according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of a second access control policy deployment apparatus according to an embodiment of the present application;
Fig. 11 is a schematic structural diagram of a third access control policy deployment apparatus according to an embodiment of the present application;
Fig. 12 is a schematic structural diagram of a fourth access control policy deployment apparatus according to an embodiment of the present application;
Fig. 13 is a schematic structural diagram of a fifth access control policy deployment apparatus according to an embodiment of the present application;
Fig. 14 is a schematic structural diagram of a sixth access control policy deployment apparatus according to an embodiment of the present application;
Fig. 15 is a schematic structural diagram of a terminal device according to an embodiment of the present application;
Fig. 16 is a schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions of the present application better understood, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
To solve the problems in the related art that access control policies are inflexible to deploy and slow to adapt to actual access control requirements, the embodiments of this application provide an access control policy deployment method.
Specifically, in the access control policy deployment method provided in the embodiments of this application, a target policy plug-in template corresponding to the target access control policy to be deployed is first obtained; the template comprises the control information and policy content of the target access control policy, where the control information indicates the execution mode of the policy and the policy content comprises the access control rules under the policy. Then, a target policy execution plug-in corresponding to the target access control policy is constructed from the target policy plug-in template; this plug-in checks access requests against the access control rules included in the policy content. Finally, based on the control information in the template, the target policy execution plug-in is deployed on the policy execution plug-in chain in the target component; the chain comprises the policy execution plug-ins of the access control policies already deployed in that component, and the target component verifies access requests using the plug-ins deployed on the chain.
This deployment method introduces a dynamic, plug-in based way of deploying access control policies. When a deployed access control policy needs a local adjustment (for example, some of its access control rules are changed) or a new access control policy is added, the corresponding policy execution plug-in is constructed in this way and then either overwrites an already deployed plug-in or is inserted at the corresponding position on the policy execution plug-in chain, without any global adjustment of the deployed access control policy. Therefore, when access control rules must be adapted to a specific scenario or adjusted in response to an emergency, the corresponding policy execution plug-in can be deployed flexibly and quickly, so that the access control policy deployed on the component adapts rapidly to actual requirements.
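To make the three steps concrete (obtain a template, build a plug-in from it, deploy it on the chain according to the control information), the following Python is an added illustration written for this edit; it is not code from the patent. The template field names (`policy_id`, `control`, `rules`), the two execution modes `insert` and `overwrite`, the rule shape and the sample templates are assumptions chosen to mirror the control information and policy content the text describes. It also shows the local-adjustment case: one plug-in on the chain is overwritten without rebuilding the rest.

```python
"""Dynamic plug-in style policy deployment: a component keeps a chain of policy
execution plug-ins and deploys a new one from a policy plug-in template.
Added illustration; field names and modes are assumptions, not the patent's own."""
from dataclasses import dataclass
import fnmatch


@dataclass
class PolicyTemplate:
    policy_id: str
    control: dict   # control information, e.g. {"mode": "overwrite"} or {"mode": "insert", "position": 0}
    rules: list     # policy content, e.g. [{"host": "*.abc.com", "app": "*", "action": "allow"}]


@dataclass
class PolicyPlugin:
    policy_id: str
    rules: list

    def verify(self, request: dict):
        """Return the first matching rule's action, or None if no rule of this plug-in applies."""
        for rule in self.rules:
            host_ok = fnmatch.fnmatch(request["host"], rule["host"])
            app_ok = rule["app"] == "*" or rule["app"] == request["app"]
            if host_ok and app_ok:
                return rule["action"]
        return None


class PluginChain:
    """Policy execution plug-in chain held by one component (agent, client, server or gateway)."""

    def __init__(self):
        self.plugins = []

    def deploy(self, template: PolicyTemplate) -> PolicyPlugin:
        plugin = PolicyPlugin(template.policy_id, template.rules)  # build the plug-in from the template
        mode = template.control.get("mode", "insert")
        if mode == "overwrite":
            # local adjustment: replace the deployed plug-in with the same id, in place
            for i, deployed in enumerate(self.plugins):
                if deployed.policy_id == plugin.policy_id:
                    self.plugins[i] = plugin
                    return plugin
            # nothing to overwrite yet, so fall through and insert instead
        elif mode != "insert":
            raise ValueError(f"unknown execution mode in control information: {mode!r}")
        position = template.control.get("position", len(self.plugins))
        self.plugins.insert(position, plugin)
        return plugin

    def verify(self, request: dict):
        """Walk the chain in order; the first plug-in with a matching rule decides.
        A request that no plug-in claims is denied (default deny)."""
        for plugin in self.plugins:
            verdict = plugin.verify(request)
            if verdict is not None:
                return verdict, plugin.policy_id
        return "deny", None


def example_chain() -> PluginChain:
    """Constructed sample: two templates, issued in the order an administrator might send them."""
    chain = PluginChain()
    chain.deploy(PolicyTemplate("intranet-allow", {"mode": "insert"},
                                [{"host": "*.abc.com", "app": "*", "action": "allow"}]))
    # an emergency block rule is inserted at the head of the chain so it is evaluated first
    chain.deploy(PolicyTemplate("block-suspect-app", {"mode": "insert", "position": 0},
                                [{"host": "*", "app": "suspect.exe", "action": "deny"}]))
    return chain


if __name__ == "__main__":
    chain = example_chain()
    print([p.policy_id for p in chain.plugins])
    print(chain.verify({"host": "www.abc.com", "app": "browser"}))
```

The chain is ordered, so the position carried in the control information matters: a deny rule issued for an emergency is inserted at the head so it is consulted before any allow rule, and the default for unmatched requests is deny rather than allow.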
It should be understood that the access control policy deployment method provided in the embodiment of the present application may be executed by an electronic device deployed with a communication component, where the electronic device may be a terminal device, a server, or a gateway device. The terminal device may be a smart phone, a tablet computer, a notebook computer, a desktop computer, a vehicle-mounted terminal, a wearable electronic device, an AR/VR device, and the like, but is not limited thereto. The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud service, a cloud database, cloud computing, a cloud function, cloud storage, network service, cloud communication, middleware service, domain name service, security service, CDN, and a big data and artificial intelligence platform.
To facilitate understanding of the access control policy deployment method provided in the embodiment of the present application, an access control system to which the access control policy deployment method is applicable is first described in the following.
Referring to fig. 1, fig. 1 is a schematic structural diagram of an access control system according to an embodiment of the present application. As shown in fig. 1, the access control system includes an access proxy 110, a client 120, a server 130, and a gateway 140. The access agent 110 and the client 120 may be disposed on a terminal device, which may be, for example, a smart phone, a tablet computer, a notebook computer, a desktop computer, etc., and fig. 1 illustrates an example where the access agent 110 and the client 120 are disposed on a desktop computer. The server 130 may be deployed in a server. The gateway 140 is deployed at the entrance of a business resource (e.g., an intra-enterprise application, an intra-enterprise data resource, etc.) in an enterprise. In the embodiment of the present application, the access proxy 110, the client 120, the server 130, and the gateway 140 may deploy an access control policy for verifying the access request in themselves by using the access control policy deployment method provided in the embodiment of the present application.
It should be noted that the access control system provided in the embodiments of this application may be used to support a zero trust network access function. Under zero trust network access, access rights are granted based on a trusted identity, a trusted device, a trusted application and a trusted link, and every access is forced to be authenticated, authorized and encrypted, so that a user, at any location and time and on any device, can securely access authorized resources and handle any internal enterprise service.
In the access control system, the access agent 110 is configured to intercept access requests based on the policy execution plug-in deployed in it and to transmit the request parameters and process information of each access request to the client 120; after receiving the access ticket corresponding to an access request fed back by the client 120, it sends the access ticket together with the access request to the gateway 140.
Specifically, the access agent 110 may, based on the policy execution plug-in deployed in it, hijack the access requests initiated by other applications on the terminal device through a TUN/TAP virtual network card in the corresponding traffic hijacking mode, and transmit the request parameters and process information of each hijacked access request to the client 120. If the access agent 110 determines from the access ticket subsequently fed back by the client 120 that the access request is entitled to access the service resource it asks for, it sends the access ticket and the access request to the gateway 140; if it determines from the ticket that the request is not entitled to that service resource, it interrupts the connection; and if the resource the access request asks for is not a service resource in the enterprise intranet, the access agent 110 may send the access request directly to the corresponding site.
Normally, the access control policy issued to the access agent 110 mainly specifies the traffic hijacking mode of the TUN/TAP virtual network card. The access agent 110 consists of two parts: the TUN/TAP virtual network card and a user-mode agent process. The access agent 110 hijacks the traffic of the terminal device through the TUN/TAP virtual network card, and uses the user-mode agent process to start and stop the virtual network card and to read and write kernel data. The access agent 110 processes network-layer packets (i.e., IP packets) through the TUN/TAP virtual network card; unlike a physical network card, one end of the TUN/TAP virtual network card is connected to the kernel protocol stack and the other end to the user-mode agent process. All network data that the kernel protocol stack of the terminal device sends to the TUN/TAP virtual network card therefore reaches the user-mode agent process, which applies certain data conversion processing and then sends the data to the gateway 140 or to a specific service site through the physical network card of the terminal device.
Illustratively, the access agent 110 may support the following three traffic hijacking modes: a full traffic hijacking mode, an enterprise resource traffic hijacking mode and a non-direct-connection traffic hijacking mode. In the full traffic hijacking mode, all traffic of the terminal device is directed into the access agent 110 by configuring the TUN/TAP virtual network card as the default route and dynamically adjusting its hop count to the lowest, and the access agent 110 then forwards the traffic or initiates direct access. In the enterprise resource traffic hijacking mode, only traffic to the IP addresses or IP ranges of enterprise intranet service resources (such as data, interfaces and application functions) is analyzed, and other traffic (such as a user's requests to public network sites) is left alone. In the non-direct-connection traffic hijacking mode, exact host routes are dynamically configured in the routing table of the terminal device from a direct-connection IP list issued by the server, so that access requests to IP addresses in the direct-connection IP list bypass the access agent 110, while access requests to IP addresses not in the list are hijacked by the access agent 110.
Following the traffic hijacking mode issued by the server, the access agent 110 may perform full traffic hijacking and intercept every access request on the terminal device. Alternatively, it may perform enterprise resource traffic hijacking: it analyzes the destination address of the traffic, compares it with the location information of the intranet service resources, and determines whether an identified access request for an intranet service resource must be proxied through the gateway 140; that is, the access agent 110 initiates a verification request for the access request to the client 120 and, according to the verification result returned by the client 120, decides whether to send the access request through the physical network card to the gateway 140, which then proxies the actual service resource access. Alternatively, it may perform non-direct-connection traffic hijacking, in which an access request that does not need to be proxied through the gateway 140 is sent directly to its destination site through the physical network card, and the response from that site is received, implementing direct-connection access.
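The three hijacking modes reduce to two decisions per destination: does the packet enter the agent at all, and, if it does, must it go through the gateway (after the client/server verification) or straight out of the physical card. The following Python is an added illustration of that decision logic written for this edit, not code from the patent; the mode names, the intranet address ranges and the direct-connection IP list are constructed assumptions, and the real agent would make the first decision with routes on the TUN/TAP card rather than in Python.

```python
"""Traffic hijacking modes of the access agent, modelled as a routing decision.
Added illustration; mode names, intranet ranges and the direct-connection IP list
are constructed assumptions, not values from the patent."""
import ipaddress

FULL = "full"                         # all terminal traffic enters the agent
ENTERPRISE = "enterprise_resource"    # only traffic to intranet resource IPs is hijacked
NON_DIRECT = "non_direct"             # everything is hijacked except a server-issued direct-connection IP list


class AccessAgentRouting:
    def __init__(self, mode, intranet_ranges=(), direct_ips=()):
        self.mode = mode
        self.intranet = [ipaddress.ip_network(r) for r in intranet_ranges]   # location info of intranet resources
        self.direct_ips = {ipaddress.ip_address(a) for a in direct_ips}      # direct-connection list from the server

    def is_intranet(self, dst: str) -> bool:
        ip = ipaddress.ip_address(dst)
        return any(ip in net for net in self.intranet)

    def hijacked(self, dst: str) -> bool:
        """Does traffic to this destination pass through the TUN/TAP card into the user-mode agent process?"""
        if self.mode == FULL:
            return True
        if self.mode == ENTERPRISE:
            return self.is_intranet(dst)
        if self.mode == NON_DIRECT:
            return ipaddress.ip_address(dst) not in self.direct_ips
        raise ValueError(f"unknown traffic hijack mode: {self.mode!r}")

    def route(self, dst: str) -> str:
        """'bypass': never reaches the agent (kernel routes it past the TUN/TAP card);
        'direct': hijacked, but not an intranet resource, so the agent sends it out of the physical card;
        'gateway': an intranet resource, so the agent must obtain an access ticket via the client
        and then forward the request, with the ticket, to the gateway."""
        if not self.hijacked(dst):
            return "bypass"
        return "gateway" if self.is_intranet(dst) else "direct"


if __name__ == "__main__":
    agent = AccessAgentRouting(NON_DIRECT, ["10.0.0.0/8"], direct_ips=["93.184.216.34"])
    for dst in ("10.1.2.3", "93.184.216.34", "203.0.113.7"):
        print(dst, agent.route(dst))
```

Note the asymmetry between the modes: in enterprise-resource mode an address outside the intranet ranges never touches the agent, whereas in non-direct-connection mode it is still hijacked unless the server has explicitly listed it, so the latter gives the server the final say over what bypasses the agent.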
It should be understood that, in practical applications, the server may also issue other types of access control policies to the access agent 110, and the application does not set any limit on the types of access control policies deployed in the access agent 110.
In the above access control system, the client 120 is configured to perform primary verification on an access request, based on the policy execution plug-in deployed in it, according to the request parameters and process information transmitted by the access agent 110; after determining that the access request passes the primary verification, it transmits the request parameters and process information to the server 130. The client 120 is further configured to receive the access ticket issued by the server 130 according to the result of the secondary verification and to forward the access ticket to the access agent 110.
Specifically, the client 120 may be an application installed on the terminal device for controlling the user's access to intranet service resources. It may verify whether the identity of the user of the terminal device is trusted (for example, whether the user has the right to access an intranet service resource), and also whether the terminal device itself is trusted and whether the other applications requesting access to intranet service resources are trusted.
Generally, the access control policy issued to the client 120 may include trusted application characteristics (i.e., the characteristics of application programs through which intranet business resources may be accessed), the correspondence between a user identity and the intranet business resources it may access, the correspondence between a trusted application characteristic and the intranet business resources accessible through it, and so on; the access control policy deployed on the client 120 thus gives a preliminary determination of which intranet business resources a user may access through which trusted applications. Exemplary code expressing that a user may access, through any application, the business systems matching the "*.abc.com" and "www.abc.cn" characteristics is as follows:
[The exemplary policy code is rendered as two images in the original publication and is not reproduced in the text.]
it should be understood that, in practical applications, the server may also issue other types of access control policies to the client 120, and the application does not limit the types of the access control policies deployed in the client 120.
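Since the exemplary client policy survives only as images, the following Python is an added illustration, written for this edit and not taken from the patent, of the three kinds of policy content the paragraph lists: trusted application characteristics, the user-to-resource correspondence and the trusted-application-to-resource correspondence. The "any application may reach `*.abc.com` and `www.abc.cn`" rule from the text is kept; the `corp-browser` entry, the `*.internal.abc` resource, the user names and the process fields are constructed assumptions that go beyond the text to show a resource restricted to one trusted application.

```python
"""Client-side primary verification against a constructed access control policy.
Added illustration; the policy schema, users, hosts and process samples are assumptions."""
import fnmatch

# Constructed policy. An empty characteristic set ("any") matches every process;
# "corp-browser" is identified by its install path and code-signing subject.
CLIENT_POLICY = {
    "trusted_apps": {
        "any": {},
        "corp-browser": {"path": "/opt/corp-browser/*", "signer": "Example Corp"},
    },
    # user identity -> intranet business resources the user may access
    "user_resources": {
        "alice": ["*.abc.com", "www.abc.cn", "*.internal.abc"],
        "bob": ["hr.abc.com"],
    },
    # trusted application -> intranet business resources reachable through it
    "app_resources": {
        "any": ["*.abc.com", "www.abc.cn"],          # the rule quoted in the text
        "corp-browser": ["*.abc.com", "*.internal.abc"],
    },
}


def match_app(proc: dict, characteristics: dict) -> bool:
    """Every listed characteristic must match the corresponding process-information field."""
    return all(fnmatch.fnmatch(str(proc.get(k, "")), v) for k, v in characteristics.items())


def identify_app(policy: dict, proc: dict) -> list:
    """Names of the trusted-application entries whose characteristics the process satisfies."""
    return [name for name, c in policy["trusted_apps"].items() if match_app(proc, c)]


def host_allowed(host: str, patterns: list) -> bool:
    return any(fnmatch.fnmatch(host, p) for p in patterns)


def primary_verify(policy: dict, user: str, host: str, proc: dict):
    """Primary check on the client: (passed, reason). All three correspondences must agree."""
    apps = identify_app(policy, proc)
    if not apps:
        return False, "process does not match any trusted application characteristic"
    if not host_allowed(host, policy["user_resources"].get(user, [])):
        return False, f"user {user} is not authorised for {host}"
    for app in apps:
        if host_allowed(host, policy["app_resources"].get(app, [])):
            return True, f"allowed via trusted application '{app}'"
    return False, "no trusted application is authorised for this resource"


if __name__ == "__main__":
    firefox = {"path": "/usr/bin/firefox", "signer": "Mozilla Corporation", "md5": "aa"}
    print(primary_verify(CLIENT_POLICY, "alice", "www.abc.cn", firefox))
```

The check only decides whether the request may proceed to the server's secondary verification; it does not itself issue anything. Because the sample policy contains the wildcard "any" entry, the "no trusted application" branch is only reachable with a policy that omits that entry.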
In the above access control system, the server 130 is configured to execute a plug-in based on a policy deployed therein, and perform secondary verification on an access request according to request parameters and process information of the access request transmitted by the client 120; and issues an access ticket corresponding to the access request to the client 120 according to the secondary verification result of the access request.
Specifically, in this embodiment of the present application, the server 130 is configured to generate policy plugin templates corresponding to the access control policies according to access management requirements of a manager for intranet resources, and send the generated policy plugin templates to other components (such as the access agent 110, the client 120, and the gateway 140) in the access control system, respectively, so that the components deploy policy execution components corresponding to the access control policies based on the received policy plugin templates. The server 130 may perform security scheduling on the traffic flow through a policy control engine, for example, the security scheduling may be authorized according to the granularity of user-device-software-application; the server 130 may include an identity authentication module, an equipment authentication module, and an application detection module, where the identity authentication module is configured to generate an access control policy for authenticating the identity of a user, the equipment authentication module is configured to generate an access control policy for authenticating hardware information of an apparatus and/or a security state of the apparatus, and the application detection module is configured to generate an access control policy for detecting whether an application is secure (e.g., whether a bug exists, whether a virus trojan exists, etc.); of course, in practical applications, the server 130 may further include a module for generating other access control policies, and the application does not limit any type of access control policy that the server 130 can generate.
In this embodiment of the application, after determining that the access request passes the primary check, the client 120 may transmit to the server 130 information about the process that initiated the access request (e.g., the full path of the process file, its MD5, signature information, process modification time, etc.), the Uniform Resource Locator (URL) of the access request, the operating system information and hardware information of the terminal device, information about the user currently logged in on the client 120, and the login ticket of that user. Correspondingly, the server 130 may detect whether the access request targets an intranet service resource, and whether it conforms to the access rights of the user currently logged in on the client 120 and to the service system access rules; at the same time, the server 130 may check whether the corresponding process is recorded in its cache as a malicious process, and if no information about the process exists in the cache, initiate an asynchronous check of the application process with the threat intelligence cloud check service. After determining through these checks that the access request initiated by the terminal device is compliant, the server 130 may generate an access ticket corresponding to the access request and send it to the access agent 110 through the client 120.
In the access control system, the gateway 140 is configured to receive the access request carrying the access ticket sent by the access agent 110, to execute the policy execution plug-in deployed in it and send the access ticket to the server 130 for verification, and to further execute the policy execution plug-in deployed in it to control whether the access request may access the intranet service resource according to the verification result of the server 130 for the access ticket.
Specifically, the gateway 140 (also referred to as an intelligent gateway) is a portal deployed at the intranet service resources (including but not limited to intranet applications and data resources), and is responsible for authenticating, authorizing, and forwarding each session request that accesses an intranet service resource. In the embodiment of the present application, after receiving an access request carrying an access ticket sent by the access agent 110, the gateway 140 may send the access ticket to the server 130 for verification, so that the server 130 verifies the validity of the access ticket; after the server 130 completes verification of the access ticket, it may feed back the corresponding verification result to the gateway 140, and the gateway 140 may then execute the policy execution plug-in deployed in it and determine, according to the verification result, whether to allow the access request to access the corresponding enterprise intranet service resource. Optionally, the policy execution plug-in deployed in the gateway 140 may be refined to control which web pages the access request may access.
The following describes an exemplary overall flow of the cooperative verification of the access request by each component in the access control system, with reference to the communication direction indication information between each component in the access control system shown in fig. 1 and the signaling interaction diagram inside the access control system shown in fig. 2.
In practical application, after a user initiates an access request to an intranet service resource through an application (which may also be referred to as an access principal) on a terminal device, the access agent 110 in the terminal device may, based on the policy execution plug-in deployed in it, hijack the access request and send an authentication request for the access request to the client 120. Specifically, the access agent may send the request parameters of the access request (including the source IP or domain name, source port, destination IP or domain name, and destination port) and the process identifier (PID) corresponding to the application to the client 120; accordingly, the client 120 may collect information such as the MD5 of the process, the process path, the process's latest modification time, copyright information, and signature information based on the PID sent by the access agent 110. Then, the client 120 may, based on the policy execution plug-in deployed in it, perform primary verification on the request parameters of the access request transmitted by the access agent 110 and the process information it collected, and after determining that the request parameters and process information pass the primary verification, send them to the server 130 to apply for an access ticket corresponding to the access request. The server 130 may perform secondary verification on the access request according to the request parameters and process information transmitted by the client 120, and after determining that the access request passes the secondary verification, issue the access ticket corresponding to the access request to the client 120, together with the maximum number of uses and the validity time of the access ticket.
The client 120 forwards the access ticket it received, together with the maximum number of uses and the validity time of the access ticket, to the access agent 110. Further, the access agent 110 may send the access request to the gateway 140, carrying the access ticket in the Authorization header field of the access request. After receiving the access request, the gateway 140 parses the access ticket carried in that header field and requests the server 130 to verify it. If the verification passes, a connection is established between the gateway 140 and the access agent 110; the access agent 110 then sends the access request to the gateway 140, and the gateway 140 forwards it to the corresponding service server, thereby proxying the actual application access. If the verification fails, the connection between the access agent 110 and the gateway 140 is interrupted.
It should be noted that the access control policy deployment method provided in the embodiment of the present application may be applied to not only the components in the access control system shown in fig. 1, but also components in other communication systems, and the communication system to which the access control policy deployment method provided in the embodiment of the present application is applied is not limited in any way.
The access control policy deployment method provided by the present application is described in detail below by way of a method embodiment.
Referring to fig. 3, fig. 3 is a schematic flowchart of an access control policy deployment method provided in the embodiment of the present application. For convenience of description, the following embodiments are introduced by taking an execution subject of the access control policy deployment method as an example of a target component; it should be understood that the target component may be any one of the access agent, the client, the server and the gateway in the access control system shown in fig. 1 above, or may be a component in other communication systems, and the application does not limit the target component in any way. As shown in fig. 3, the access control policy deployment method provided in the embodiment of the present application includes the following steps:
Step 301: acquiring a target policy plug-in template corresponding to a target access control policy to be deployed; the target policy plug-in template includes control information and policy content of the target access control policy, where the control information is used to indicate the execution mode of the target access control policy, and the policy content includes the access control rules under the target access control policy.
In the embodiment of the application, a management end (the administrator-facing side for enterprise intranet service resources) can upload access control rules to the server end in the access control system, where the access control rules are used to control users' access to the enterprise intranet service resources. For example, the management end may upload to the server end access control rules it sets for the access agent, such as a rule restricting the traffic hijacking mode adopted by the access agent; for another example, the management end may upload to the server end access control rules set for the client, such as rules restricting the intranet service resources that users with different identities may access, rules restricting the intranet service resources that different applications may access, and the like. The access control rules that the management end can set are not specifically limited in this application.
After receiving the access control rules uploaded by the management end, the server end can generate the corresponding target access control policy based on the received access control rules and, correspondingly, generate the target policy plug-in template corresponding to that target access control policy; the generated target policy plug-in template is then issued to the target component that needs to deploy the target access control policy, so that the target component obtains the target policy plug-in template corresponding to the target access control policy to be deployed.
It should be noted that the target access control policy is an executable policy generated based on the access control rule, and may include at least one access control rule. A target policy plug-in template is a templated data structure for describing a corresponding target access control policy, based on which a component may deploy a target policy enforcement plug-in for enforcing the target access control policy.
In an embodiment of the present application, the target policy plug-in template includes at least control information and policy content of the target access control policy. The control information is used to indicate the execution manner of the target access control policy, such as the priority, execution order, execution time limit, execution condition, etc. of the target access control policy. The policy content includes the access control rule under the target access control policy, for example, if the target access control policy is generated by the server based on n access control rules, the policy content in the target policy plug-in template corresponding to the target access control policy should include n access control rules.
In one possible implementation manner, the control information in the target policy plug-in template is control information specified when the server generates the target access control policy, and is used for indicating an execution manner of the target access control policy.
For example, the control information may include an association policy indicating an association relationship between the target access control policy and other (reference) access control policies. For example, the association policy may indicate a priority relationship between the target access control policy and a reference access control policy: the target access control policy is executed first when its priority is higher than that of the reference access control policy, whereas the reference access control policy is executed first when the priority of the target access control policy is lower. For another example, the association policy may indicate an execution order between the target access control policy and the reference access control policy. As another example, the association policy may indicate which reference access control policy is to be used to resolve a conflict when one arises between the target access control policy and another access control policy. Of course, in practical application, the association policy may also indicate other types of association relationship, and the application does not limit the type of association relationship indicated by the association policy.
Illustratively, the control information may also include an association constraint relationship of the target access control policy itself, which indicates the access control policies that are allowed to build an association relationship with the target access control policy and/or those that are not allowed to. For example, if the control information indicates that the target access control policy is not allowed to build an association with a certain reference access control policy, then when that reference access control policy requests to build an association with the target access control policy, the request should be refused.
Illustratively, the control information may also include at least one of a split rule and a merge rule for the target access control policy. The split rule indicates that, when the target access control policy meets a specified split condition, it is split in a specified split manner; the merge rule indicates that, when the target access control policy meets a specified merge condition, it is merged with other access control policies in a specified merge manner.
Illustratively, the control information may also include an aging characteristic of the target access control policy, which indicates the validity duration of the target access control policy. For example, the aging characteristic may indicate a maximum number of uses and/or a maximum usage time for the target access control policy.
Illustratively, the control information may also include a dynamic characteristic of the target access control policy, the dynamic characteristic indicating a dynamic execution condition of the target access control policy. For example, the dynamic characteristic may be used to indicate that a target access control policy is to be executed when its specified dynamic execution condition is met.
It should be noted that, in practical applications, besides carrying the association policy, aging characteristic, and dynamic characteristic of the target access control policy within the control information, separate fields for the association policy, the aging characteristic, and the dynamic characteristic may be created in the target policy plug-in template; the application does not limit the form in which the association policy, aging characteristic, and dynamic characteristic of the target access control policy are represented in the target policy plug-in template.
In one possible implementation, the policy content in the target policy plug-in template is the main body of the target access control policy and includes the static access control rules under that policy. Executing the target access control policy essentially means verifying an access request against the access control rules included in the policy content, to determine whether the access request meets the compliance conditions defined by those rules.
Where the control information in the target policy plug-in template includes a split rule for the target access control policy, the access control rules contained in the policy content may be split so as to obtain a plurality of target sub-access-control policies. Where the control information in the target policy plug-in template includes a merge rule for the target access control policy, the access control rules included in the policy content may be merged with the access control rules under other access control policies, so as to obtain a merged access control policy containing more access control rules.
Optionally, the target policy plug-in template may further include static attribute information of the target access control policy, such as the target category to which the target access control policy belongs, a unique identifier, a policy name, policy version information, policy description information, policy generation time, and the like. The target category indicates which of the categories of access control policy deployed by the target component the target access control policy falls into. For example, if the target component is the access agent, the target category may be the policy category for policies that specify the traffic hijacking mode; for another example, if the target component is the client, the target category may be the policy category for access control rules under the current network domain, or the policy category for access control rules corresponding to different applications. Certainly, in practical application, the category to which an access control policy belongs may be some other category, and it is not specifically limited herein; in practice, different categories may be distinguished by different category identifiers.
FIG. 4 is a diagram of an exemplary target policy plug-in template provided by an embodiment of the present application. As shown in fig. 4, the target policy plug-in template may include static attribute information, control information, associated policies, policy contents, aging characteristics, and dynamic characteristics of the target access control policy. It should be understood that in practical applications, the target policy plug-in template may also include fewer fields, such as only static attribute information, control information, and policy content; the target policy plug-in template may further include more fields, such as further including a splitting rule and a merging rule of the target access control policy, and the structure of the target policy plug-in template is not specifically limited herein.
Step 302: constructing a target policy execution plug-in corresponding to the target access control policy based on the target policy plug-in template; the target policy execution plug-in is used to verify access requests based on the access control rules included in the policy content.
After the target component obtains the target policy plug-in template issued by the server, it can construct the target policy execution plug-in corresponding to the target access control policy based on that template. The target policy execution plug-in is the module in the target component that executes the target access control policy; when it does so, it verifies the access requests that the target component needs to process against the access control rules included in the policy content of the target policy plug-in template.
When the target policy execution plug-in is specifically constructed, the target component may correspondingly write the content included in each field in the target policy plug-in template into the target policy execution plug-in, so that the target policy execution plug-in can execute the target access control policy according to the execution mode indicated by the target policy plug-in template, that is, verify the access request based on the access control rule under the target access control policy.
In a possible implementation manner, if the control information in the target policy plug-in template is used to indicate at least one of a splitting rule and a merging rule of the target access control policy, when the target component constructs the target policy execution plug-in, the target access control policy may be split or merged based on the splitting rule or the merging rule indicated by the control information, and then the target policy execution plug-in may be constructed based on the split or merged access control policy.
When the control information is used for indicating a splitting rule of the target access control policy, if the target policy plug-in template meets a splitting condition specified by the splitting rule, the target policy plug-in template can be split into a plurality of target sub-policy plug-in templates, and then a plurality of target policy execution plug-ins are constructed based on the plurality of target sub-policy plug-in templates.
For example, suppose the split rule indicated by the control information is that, when the number of access control rules under an access control policy exceeds a first preset number, the access control policy is split using the first preset number as the split unit. Before the target component constructs the target policy execution plug-in, it may determine whether the number of access control rules under the target access control policy exceeds the first preset number, that is, whether the number of access control rules included in the policy content of the target policy plug-in template exceeds the first preset number. If it determines that the number does exceed the first preset number, the target component can split the target policy plug-in template corresponding to the target access control policy into a plurality of target sub-policy plug-in templates, taking the first preset number as the unit. For example, if the first preset number is 10 and the target access control policy includes 18 access control rules, the target component may split the target policy plug-in template into two target sub-policy plug-in templates, where the policy content of one includes 10 access control rules and the policy content of the other includes 8, and the control information of both target sub-policy plug-in templates may be the same as the control information in the target policy plug-in template. The target component may then construct a plurality of target policy execution plug-ins based on the split target sub-policy plug-in templates, with a one-to-one correspondence between the target policy execution plug-ins and the target sub-policy plug-in templates.
Optionally, to improve the efficiency of calling the target policy execution plug-ins, in this embodiment of the application the target component may further record, for each split target sub-policy plug-in template, the access rule feature corresponding to that template and write it into the dynamic characteristic of the target policy execution plug-in corresponding to that template, so that the target component can call the appropriate target policy execution plug-in more conveniently and quickly.
That is, the target component may divide the access control rules included in the policy content of the target policy plug-in template into a plurality of target sub-policy plug-in templates according to a preset policy split rule, and, for each target sub-policy plug-in template, determine the access rule feature corresponding to it according to the access control rules it includes. It then constructs the target policy execution plug-in corresponding to each target sub-policy plug-in template and writes the access rule feature corresponding to that template into the dynamic characteristic included in the target policy execution plug-in.
Taking as an example a target access control policy whose access control rules restrict the access rights to enterprise intranet service resources corresponding to different IPs, the target component may sort the access control rules under the target access control policy alphabetically by domain name or IP: for example, the access control rules whose restricted IPs begin with a to g are placed in a first target sub-policy plug-in template, those beginning with h to m in a second, those beginning with n to t in a third, and those beginning with u to z in a fourth. Then, when the first target policy execution plug-in is constructed from the first target sub-policy plug-in template, the initial letters a to g can be written into the dynamic characteristic of the first target policy execution plug-in, to indicate that it is used to verify access requests whose target IP begins with a to g; similarly, for the second, third, and fourth target sub-policy plug-in templates, the corresponding ranges of restricted IP initials are written into the dynamic characteristics of their plug-ins. In this way, when the target component verifies an access request, it can directly call the corresponding target policy execution plug-in according to the initial letter of the IP the access request is to access, without traversing the other target policy execution plug-ins to find one suited to the request.
Therefore, for target policy execution plug-ins constructed from split target sub-policy plug-in templates, configuring the corresponding access rule feature in the dynamic characteristic can effectively improve the matching efficiency of the policy execution plug-ins and hence the verification efficiency for access requests.
It should be understood that the above described policy splitting rules and access rule features are only examples, and the application does not limit the policy splitting rules and access rule features in any way.
When the control information indicates a merge rule for the target access control policy, if the target policy plug-in template meets the merge condition specified by the merge rule, a policy execution plug-in to be merged can be searched for on the policy execution plug-in chain in the target component; the policy plug-in template corresponding to that policy execution plug-in is merged with the target policy plug-in template, the target policy execution plug-in is constructed based on the merged policy plug-in template, and the policy execution plug-in to be merged is deleted.
For example, suppose the merge rule indicated by the control information is that, when the number of access control rules under an access control policy is less than a second preset number, the access control policy is merged with other deployed access control policies. Before the target component constructs the target policy execution plug-in, it may determine whether the number of access control rules under the target access control policy is less than the second preset number, that is, whether the number of access control rules included in the policy content of the target policy plug-in template is less than the second preset number. If it determines that the number is less than the second preset number, the target component may search, among the policy execution plug-ins on the policy execution plug-in chain, for a policy execution plug-in corresponding to an access control policy that is of the same category as the target access control policy and also includes a smaller number of access control rules, and treat it as the policy execution plug-in to be merged. Then, the target component may merge the policy plug-in template corresponding to the policy execution plug-in to be merged with the target policy plug-in template: that is, merge the policy content of the two templates into one policy content, retain the control information of both templates, and generate the merged policy plug-in template from the retained control information and the merged policy content.
Furthermore, the target component may construct the target policy execution plug-in based on the merged policy plug-in template, and at the same time delete the policy execution plug-in to be merged.
By merging access control policies with little policy content in this way, the policy storage pressure on the target component can be reduced to a certain extent, and the deployment of excessive policy execution plug-ins in the target component is avoided.
Step 303: deploying the target policy execution plug-in on the policy execution plug-in chain in the target component based on the control information in the target policy plug-in template; the policy execution plug-in chain includes the policy execution plug-in corresponding to each access control policy already deployed in the target component, and the target component verifies access requests based on the policy execution plug-ins deployed on the policy execution plug-in chain.
After the target component constructs the target policy execution plug-in corresponding to the target access control policy based on the target policy plug-in template, the constructed target policy execution plug-in may be deployed on the policy execution plug-in chain in the target component based on the execution mode of the target access control policy indicated by the control information in the target policy plug-in template.
It should be noted that the policy execution plug-in chain in the target component includes the policy execution plug-in corresponding to each access control policy already deployed in the target component. After receiving an access request to be verified, or parameters related to it, the target component may process the access request or its parameters using the policy execution plug-ins on the policy execution plug-in chain, thereby verifying the access request; when doing so, the target component may verify the access request using several policy execution plug-ins on the chain, or using only one.
In one possible implementation, in a case that the target policy plug-in template further includes static attribute information of the target access control policy, and the static attribute information includes a target category to which the target access control policy belongs, the target component may deploy the target policy execution plug-in on the policy execution plug-in chain by referring to the static attribute information and the control information in the target policy plug-in template at the same time in the following manner:
Searching a target policy execution plug-in set on the policy execution plug-in chain based on the static attribute information in the target policy plug-in template, wherein the target policy execution plug-in set comprises the policy execution plug-ins corresponding to the access control policies belonging to the target category; and then deploying the target policy execution plug-in in the target policy execution plug-in set based on the control information in the target policy plug-in template.
Specifically, when the target component deploys the target policy execution plug-in on the policy execution plug-in chain, a target policy execution plug-in set dedicated to deploying access control policies belonging to the target category may be searched on the policy execution plug-in chain according to the target category to which the target access control policy belongs, as indicated by the static attribute information in the target policy plug-in template; that is, the deployment range of the target policy execution plug-in on the policy execution plug-in chain is preliminarily located. Furthermore, the target component may deploy the target policy execution plug-in in the searched target policy execution plug-in set according to the execution mode of the target access control policy indicated by the control information in the target policy plug-in template.
In this way, based on the category to which the access control policy belongs, policy execution plug-ins belonging to the same category are correspondingly deployed at similar positions on the policy execution plug-in chain, and the calling efficiency of the policy execution plug-ins when the target component verifies the access request based on the policy execution plug-in chain can be improved.
In one possible implementation, in a case that the control information includes an association policy (which may also be included in the target policy plug-in template), and the association policy is used to indicate an association relationship between the target access control policy and a reference access control policy, the target component may deploy the target policy execution plug-in on the policy execution plug-in chain by: searching a reference policy execution plug-in corresponding to the reference access control policy on the policy execution plug-in chain; and further, based on the association policy included in the control information, constructing an association relationship between the target policy execution plug-in and the reference policy execution plug-in, and deploying the target policy execution plug-in on the policy execution plug-in chain based on the association relationship.
Specifically, if the association policy included in the control information indicates that an association relationship exists between the target access control policy and the reference access control policy, when the target component deploys the target policy execution plug-in corresponding to the target access control policy in the policy execution plug-in chain, the reference policy execution plug-in corresponding to the reference access control policy may first be searched in the policy execution plug-in chain, and the association relationship between the target policy execution plug-in and the reference policy execution plug-in is constructed based on the association relationship indicated by the association policy; then, based on the association relationship between the target policy execution plug-in and the reference policy execution plug-in, the target policy execution plug-in is deployed on the policy execution plug-in chain.
As an example, when the association policy is used to indicate that the priority of the target access control policy is higher than that of a first reference access control policy, the target component may deploy the target policy execution plug-in on the policy execution plug-in chain at an upper layer of the first reference policy execution plug-in corresponding to the first reference access control policy; when the execution conditions of the target access control policy and the first reference access control policy are simultaneously met, the target policy execution plug-in is preferentially executed. When the target access control policy deployed on the target component is required to override the originally deployed first reference access control policy, the server may set a higher priority for the target access control policy than for the first reference access control policy in the manner described above; accordingly, when the target component deploys the target policy execution plug-in corresponding to the target access control policy, the target policy execution plug-in may be deployed on an upper layer of the first reference policy execution plug-in corresponding to the first reference access control policy, so that the target component preferentially executes the target policy execution plug-in. Alternatively, in a case where the target policy execution plug-in is deployed at an upper layer of the first reference policy execution plug-in, the target component may execute only the target policy execution plug-in of the upper layer without executing the first reference policy execution plug-in.
When the association policy is used to indicate that the priority of the target access control policy is lower than that of a second reference access control policy, the target component may deploy the target policy execution plug-in on the policy execution plug-in chain at a lower layer of the second reference policy execution plug-in corresponding to the second reference access control policy; when the execution conditions of the target access control policy and the second reference access control policy are simultaneously met, the second reference policy execution plug-in is preferentially executed. In the case that the target access control policy needs to be deployed on the target component as an alternative to the second reference access control policy, the server may set a lower priority for the target access control policy than for the second reference access control policy in the manner described above; accordingly, when the target component deploys the target policy execution plug-in corresponding to the target access control policy, the target policy execution plug-in may be deployed at a lower layer of the second reference policy execution plug-in corresponding to the second reference access control policy, so that the target component preferentially executes the second reference policy execution plug-in, and in the case that the second reference policy execution plug-in cannot be executed normally, the target component may execute the target policy execution plug-in in an alternative manner.
As another example, when the association policy is used to indicate that the target access control policy is executed after the third reference access control policy, the target component may connect the target policy execution plug-in after a third reference policy execution plug-in corresponding to the third reference access control policy on the policy execution plug-in chain; when the association policy is used to indicate that the target access control policy is executed before the fourth reference access control policy, the target component may connect the target policy execution plug-in before a fourth reference policy execution plug-in corresponding to the fourth reference access control policy on the policy execution plug-in chain.
In practical application, when a target component verifies an access request by using a policy execution plug-in deployed on a policy execution plug-in chain, the policy execution plug-ins deployed on the policy execution plug-in chain are sequentially called to verify the access request according to a deployment sequence of the policy execution plug-ins on the policy execution plug-in chain, that is, a deployment sequence of the policy execution plug-ins on the policy execution plug-in chain in the target component is actually an execution sequence of an access control policy deployed in the target component. Based on this, when the association policy indicates that the target access control policy is executed after the third reference access control policy, the target component may correspondingly hook the target policy execution plug-in after the third reference policy execution plug-in corresponding to the third reference access control policy; when the association policy indicates that the target access control policy is executed before the fourth reference access control policy, the target component may correspondingly attach the target policy execution plug-in before the fourth reference policy execution plug-in corresponding to the fourth reference access control policy. In this way, the execution sequence of the target access control policies to be deployed is made clearer.
As another example, when the association policy is used to indicate that the target access control policy may have a policy execution conflict and that a fifth reference access control policy is to be used to resolve it, the target component may construct a conflict association relationship between the target policy execution plug-in and a fifth reference policy execution plug-in corresponding to the fifth reference access control policy, and deploy the target policy execution plug-in on the policy execution plug-in chain based on the conflict association relationship.
Considering that, when the target component deploys the target access control policy, the target access control policy may conflict with other access control policies already deployed in the target component, the server may, when generating the control information of the target access control policy, set in the association policy included in the control information a fifth reference access control policy for resolving execution conflicts of the target access control policy; that is, when the association policy indicates that the target access control policy conflicts with other access control policies, the fifth reference access control policy is used as the reference. Correspondingly, when the target component deploys the target policy execution plug-in corresponding to the target access control policy on the policy execution plug-in chain, a conflict association relationship between the target policy execution plug-in and the fifth reference policy execution plug-in corresponding to the fifth reference access control policy can be constructed based on the association policy, and the target policy execution plug-in is deployed on the policy execution plug-in chain based on the conflict association relationship; if the target policy execution plug-in conflicts with other policy execution plug-ins when the target component verifies the access request, the fifth reference policy execution plug-in is called to resolve the conflict, so that the verification process completes successfully.
It should be understood that, in practical applications, only one of the above-mentioned association policies may be included in the control information or the target policy plug-in template, or multiple association policies may be included in the control information or the target policy plug-in template. Accordingly, when only one association policy is included in the control information or the target policy plug-in template, the target component may deploy the target policy execution plug-in on the policy execution plug-in chain based on the association relationship indicated by the association policy; when multiple association policies are included in the control information or target policy plug-in template, the target component may deploy the target policy execution plug-in on the policy execution plug-in chain based on the association relationships indicated by the multiple association policies, respectively. The application does not set any limit to the number of associated policies included in the control information or target policy plug-in template.
In addition, the three association policies described above are merely examples, and in practical applications, the control information or the target policy plug-in template may further include an association policy for indicating other types of association relationships, and the application also does not limit the association relationships indicated by the association policies.
It should be noted that, in practical application, the control information of the reference access control policy may include an association restriction relationship of the reference access control policy itself, that is, the control information of the reference access control policy may be used to indicate that the association relationship between the reference policy execution plug-in corresponding to the reference access control policy and the target policy execution plug-in is not allowed to be established, and at this time, the target component should deny establishment of the association relationship between the target policy execution plug-in and the reference policy execution plug-in based on the content indicated by the control information of the reference access control policy.
Optionally, when the control information includes an aging characteristic (or the target policy plug-in template includes the aging characteristic), and the aging characteristic is used to indicate an effective duration of the target access control policy, the target component may further monitor the lifetime of the target policy execution plug-in, and when it detects that the lifetime of the target policy execution plug-in has reached the effective duration indicated by the aging characteristic, the target component may determine that the target policy execution plug-in is invalid.
For example, the aging characteristic may be used to indicate a maximum number of uses of the target access control policy, in which case the target component may monitor whether the number of uses of the target policy execution plug-in reaches the maximum number of uses indicated by the aging characteristic; if it does, the target component may determine that the target policy execution plug-in is invalid and delete it. Alternatively, the aging characteristic may be used to indicate a maximum usage time of the target access control policy, in which case the target component may monitor whether the usage time of the target policy execution plug-in reaches the maximum usage time indicated by the aging characteristic; if it does, the target component may determine that the target policy execution plug-in is invalid and delete it.
Therefore, the flexibility of the deployed policy execution plug-ins can be further improved by setting an aging characteristic for the access control policy, so that a policy execution plug-in becomes invalid automatically according to its actual use. In a scenario where an access control policy needs to be deployed to handle a special situation that exists only for a short time, setting a corresponding aging characteristic for the access control policy to be deployed allows the policy to be disabled automatically once the handling of the short-lived situation is finished, so that the normal execution of other subsequent access control policies is not affected and no unnecessary resources are occupied by a policy that persists long-term.
Optionally, in a case that the control information includes a dynamic feature (or the dynamic feature is included in the target policy plug-in template), and the dynamic feature is used to indicate a dynamic execution condition of the target access control policy, the target component may further monitor whether the access request to be verified satisfies the dynamic execution condition indicated by the dynamic feature, and when it is determined that the access request satisfies the dynamic execution condition indicated by the dynamic feature, the target component may invoke the target policy execution plug-in on the policy execution plug-in chain to verify the access request.
For example, assuming that the dynamic feature is used to indicate that the target access control policy verifies access requests from a particular network environment, the target component may monitor whether the access request it needs to verify comes from that particular network environment; if it does, the target policy execution plug-in can be called directly to verify the access request, and if it does not, the target policy execution plug-in is not called. As another example, assuming that the dynamic feature is used to indicate that the target access control policy verifies access requests for a particular IP address, the target component may monitor whether the access request it needs to verify is addressed to that particular IP address; if it is, the target policy execution plug-in can be called directly to verify the access request, and if it is not, the target policy execution plug-in is not called.
In step 302, when the target access control policy is split according to the splitting rule indicated by the control information, the access control rule features corresponding to each split target sub-access control policy may be written into its dynamic feature; that is, the dynamic feature described above may be adaptively changed according to the operations performed when the policy execution plug-in is deployed.
Therefore, by setting a dynamic feature for the access control policy, the execution flexibility of the deployed policy execution plug-in can be further improved, the target component can be helped to call the access control policy suitable for verifying the access request in the policy execution plug-in chain more quickly, and the matching efficiency of access control policies is improved.
Optionally, in order to enhance traceability and auditability of access control, the target component may determine a policy execution plug-in call path corresponding to the access request according to the policy execution plug-in called on the policy execution plug-in chain when the target component verifies the access request; subsequently, the target component may upload the policy execution plug-in call path corresponding to the access request to the management side, so that the management side tracks the access request based on the received policy execution plug-in call path.
Specifically, in practical application, a target component in the access control system may upload a control flow thereof to the management side, where the control flow may generally include a policy execution plug-in call path, policy execution plug-in filtering details, a policy execution conflict condition, and adjustment details of a policy execution plug-in chain corresponding to the access request; for example, assuming that when a target component performs verification processing on an access request, policy execution plug-ins a1, b1, c1, and d1 on a policy execution plug-in chain are used in sequence, a policy execution plug-in call path corresponding to the access request is a1-b1-c1-d1.
It should be appreciated that in order to conserve communication resources, the target component may upload at intervals the policy enforcement plug-in call paths corresponding to access requests it processes during that interval. In addition, the management terminal may be a server terminal in the access control system, or a management client terminal facing a management user of an intranet service resource.
Therefore, based on the received policy execution plug-in call paths, the management terminal can automatically track and detect the traffic security of the enterprise intranet service resources; for a sensitive enterprise intranet service system, an administrator can construct a stricter access control policy execution path (namely, a policy execution plug-in call path) based on the received policy execution plug-in call paths, and only access requests passing verification along that access control policy execution path are allowed to access the enterprise intranet service system; meanwhile, the management terminal can record illegal policy paths so as to quickly locate abnormal traffic and enhance the tracking and detection capability for intranet access traffic. In addition, the management terminal can count the execution success rate and the execution conflict rate of the access control policies deployed on the target component based on the policy execution plug-in call paths uploaded by the target component, and further adjust the distribution of access control policies according to the statistical results, so that a complete closed loop of access control policy generation, issuing, execution and filtering audit is realized.
The access control policy deployment method provided by the embodiment of the application innovatively provides a dynamic, plug-in based access control policy deployment mode. When a local adjustment needs to be made (for example, to some of the access control rules in a deployed access control policy) or an access control policy is newly added, the embodiment of the application can construct a corresponding policy execution plug-in through this deployment mode, and then either use the constructed policy execution plug-in to override a deployed policy execution plug-in or insert it at the corresponding position on the policy execution plug-in chain, without performing a global adjustment of the deployed access control policies. Therefore, when the access control rules in an access control policy need to be adapted to a specific scenario or adjusted in response to an emergency, the embodiment of the application can flexibly and quickly deploy the corresponding policy execution plug-in through this deployment mode, so that the access control policies deployed on the component can quickly adapt to actual requirements.
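The following Python model is an added example, not code from the patent: it ties together the deployment step (an association policy placing the target plug-in above or below a reference plug-in), the aging characteristic (maximum number of uses), the dynamic execution condition, and the plug-in call path that the target component would upload to the management side. The class names, the request fields `src_net`/`dst_ip`/`user`, and the sample policies a1, b1, c1, c2 and e1 are all constructed for this example.

```python
# Added example (not the patent's own code): toy model of a policy execution
# plug-in chain.  Position on the chain comes from the template's control
# information (association policy); a plug-in may carry a dynamic execution
# condition and an aging characteristic (maximum number of uses); verify()
# returns the decision and the plug-in call path for upload to the management side.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Template:
    """Policy plug-in template: policy content plus control information (assumed shape)."""
    name: str
    rules: List[Tuple[Callable[[dict], bool], str]]      # policy content: (predicate, decision)
    association: Optional[Tuple[str, str]] = None        # ("before"|"after"|"higher"|"lower", ref)
    max_uses: Optional[int] = None                       # aging characteristic
    condition: Optional[Callable[[dict], bool]] = None   # dynamic execution condition


@dataclass(eq=False)
class Plugin:
    """A deployed policy execution plug-in built from a Template."""
    name: str
    rules: list
    condition: Optional[Callable[[dict], bool]]
    max_uses: Optional[int]
    uses: int = 0

    def check(self, req: dict) -> Optional[str]:
        """Return 'allow'/'deny' from the first matching rule, or None if no rule matches."""
        for predicate, decision in self.rules:
            if predicate(req):
                return decision
        return None


class PluginChain:
    def __init__(self) -> None:
        self.chain: List[Plugin] = []

    def names(self) -> List[str]:
        return [p.name for p in self.chain]

    def deploy(self, t: Template) -> int:
        """Deploy a plug-in built from t and return its position on the chain."""
        plugin = Plugin(t.name, t.rules, t.condition, t.max_uses)
        if t.association is None:
            self.chain.append(plugin)            # no association: append at the chain end
        else:
            kind, ref = t.association
            idx = next((i for i, p in enumerate(self.chain) if p.name == ref), None)
            if idx is None:                      # the reference plug-in must already be deployed
                raise ValueError(f"reference plug-in {ref!r} not found on chain")
            # "before"/"higher": target runs first when both conditions are met;
            # "after"/"lower": reference runs first, target acts as the fallback.
            pos = idx if kind in ("before", "higher") else idx + 1
            self.chain.insert(pos, plugin)
        return self.chain.index(plugin)

    def verify(self, req: dict) -> Tuple[str, str]:
        """Walk the chain in deployment order; the first plug-in yielding a decision
        wins.  Returns (decision, call_path), e.g. ('deny', 'a1-b1-c2')."""
        path = []
        decision = "deny"                        # assumption: fail closed when no rule matches
        for plugin in list(self.chain):          # iterate over a copy: expiry mutates the chain
            if plugin.condition is not None and not plugin.condition(req):
                continue                         # dynamic execution condition not met: skipped
            path.append(plugin.name)
            plugin.uses += 1
            result = plugin.check(req)
            if plugin.max_uses is not None and plugin.uses >= plugin.max_uses:
                self.chain.remove(plugin)        # aging: plug-in invalid, chain reorganised
            if result is not None:
                decision = result
                break
        return decision, "-".join(path)


def build_demo_chain() -> PluginChain:
    """Constructed sample deployment, loosely following the page's a1/b1/c1/c2/e1 naming."""
    chain = PluginChain()
    chain.deploy(Template("a1", [(lambda r: r["user"] == "guest", "deny")]))
    chain.deploy(Template("b1", [(lambda r: r["dst_ip"] == "10.0.0.5", "deny")]))
    chain.deploy(Template("c1", [(lambda r: True, "allow")]))
    # New policy c2 with higher priority than c1: deployed on the layer above c1.
    chain.deploy(Template("c2", [(lambda r: r["dst_ip"] == "10.0.0.9", "deny")],
                          association=("higher", "c1")))
    # Temporary emergency policy e1: applies only to one constructed source network
    # (dynamic feature) and becomes invalid after two uses (aging characteristic).
    chain.deploy(Template("e1", [(lambda r: True, "deny")],
                          association=("before", "a1"), max_uses=2,
                          condition=lambda r: r["src_net"] == "192.168.5.0/24"))
    return chain
```

After e1 expires, b1's successor on the chain is again whichever plug-in follows it, which is the chain reorganisation the scenarios below describe.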
In order to further understand the access control policy deployment method provided in the embodiments of the present application, several common access control policy deployment scenarios are exemplarily described below.
A schematic implementation of the first scenario is shown in fig. 5. In the scenario, a policy execution plug-in corresponding to the access control policy c2 belonging to the policy type c is newly added to the target component, and the policy execution plug-in corresponding to the access control policy b2 automatically fails.
As shown in fig. 5, the server may issue a policy plug-in template corresponding to the access control policy c2 to the target component, and the target component may automatically construct a policy execution plug-in corresponding to the access control policy c2 according to the policy plug-in template, and automatically deploy the policy execution plug-in corresponding to the access control policy c2 before the policy execution plug-in corresponding to the access control policy c1 in the policy execution plug-in chain according to the control information in the policy plug-in template. In the case that the access control policy c2 satisfies the merging condition indicated by the merging rule in the control information thereof, the target component may merge the access control policy c2 with the access control policy c1, and generate a policy enforcement plug-in using the merged access control policy.
Meanwhile, because the policy execution plug-in corresponding to the access control policy b2 has exceeded its maximum number of uses or its maximum usage time, the policy execution plug-in corresponding to the access control policy b2 automatically becomes invalid; accordingly, after it becomes invalid, the policy execution plug-in corresponding to the access control policy b1 automatically points to the policy execution plug-in corresponding to the access control policy b3, and the reorganization of the policy execution plug-in chain is completed.
The second scenario is implemented as shown in fig. 6. In this scenario, policy execution plug-ins corresponding to the access control policy b3 and the access control policy d1, both applicable to a specific network area, are newly added to the target component.
As shown in fig. 6, the server may issue policy plug-in templates corresponding to the access control policy b3 and the access control policy d1 to the target component, and the target component may deploy the policy execution plug-ins corresponding to the access control policy b3 and the access control policy d1 on the policy execution plug-in chain based on those templates. When the target component receives an access request from the specific network area, it may verify the access request through the upper policy execution plug-in call path in fig. 6; when the access request received by the target component does not come from the specific network area, it may verify the access request through the lower policy execution plug-in call path in fig. 6, that is, skipping the policy execution plug-ins corresponding to the access control policy b3 and the access control policy d1.
A schematic diagram of the implementation of the third scenario is shown in fig. 7. In this scenario, splitting is performed on the access control policy b1, and merging is performed on the access control policy c1 and the access control policy c2.
As shown in fig. 7, in the case that the number of access control rules included in the access control policy b1 exceeds the number specified by the splitting rule, the target component may automatically split the access control policy b1 into three sub-access control policies, namely the sub-access control policy b2, the sub-access control policy b3, and the sub-access control policy b4, and further construct policy execution plug-ins corresponding to the sub-access control policies b2, b3 and b4. When the sub-access control policies are split, the features of the access control rules included in each sub-access control policy can be written into the dynamic feature of that sub-access control policy, so that when the target component subsequently verifies an access request, the policy execution plug-in of the sub-access control policy suitable for verifying the access request can be located automatically and quickly according to the dynamic features.
Further, in a case where the access control policies c1 and c2 each include fewer access control rules than the number specified by the merge rule, the target component may merge the access control policies c1 and c2 into one access control policy c3, and construct a corresponding policy execution plug-in for the access control policy c3.
The implementation of the fourth scenario is schematically illustrated in fig. 8. The scenario is suitable for issuing a temporary high-priority access control policy in a rapid risk handling scenario.
As shown in fig. 8, in the fast risk handling scenario, the server may issue a high-priority access control policy to the target component and set a corresponding aging characteristic for it, where the policy execution plug-in corresponding to this access control policy is shown as e1 in fig. 7. For this policy execution plug-in, the target component can automatically insert it at the corresponding position in the policy execution plug-in chain, handle the emergency quickly through it, and, after the handling is finished, automatically restore the original execution logic of the policy execution plug-in chain.
For the above described access control policy deployment method, the present application also provides a corresponding access control policy deployment device, so that the above described access control policy deployment method is applied and implemented in practice.
Referring to fig. 9, fig. 9 is a schematic structural diagram of an access control policy deployment apparatus 900 corresponding to the access control policy deployment method shown in fig. 3. As shown in fig. 9, the access control policy deployment apparatus 900 includes:
a template obtaining module 901, configured to obtain a target policy plug-in template corresponding to a target access control policy to be deployed; the target policy plug-in template comprises control information and policy content of the target access control policy, wherein the control information is used for indicating an execution mode of the target access control policy, and the policy content comprises an access control rule under the target access control policy;
a plug-in construction module 902, configured to construct, based on the target policy plug-in template, a target policy execution plug-in corresponding to the target access control policy; the target policy execution plug-in is used for verifying the access request based on the access control rule included in the policy content;
a plug-in deployment module 903, configured to deploy the target policy execution plug-in on a policy execution plug-in chain in the target component based on the control information in the target policy plug-in template; the policy execution plug-in chain comprises a policy execution plug-in corresponding to each deployed access control policy in the target component, and the target component is used for performing verification on an access request based on the policy execution plug-ins deployed on the policy execution plug-in chain.
Optionally, on the basis of the access control policy deployment apparatus shown in fig. 9, referring to fig. 10, fig. 10 is a schematic structural diagram of another access control policy deployment apparatus 1000 provided in this embodiment of the present application. As shown in fig. 10, in the case that the control information includes an association policy, and the association policy is used to indicate an association relationship between the target access control policy and the reference access control policy, the plug-in deployment module 903 includes:
a plug-in searching submodule 1001, configured to search, on the policy execution plug-in chain, for a reference policy execution plug-in corresponding to the reference access control policy;
the plug-in deployment sub-module 1002 is configured to construct an association relationship between the target policy execution plug-in and the reference policy execution plug-in based on the association policy, and deploy the target policy execution plug-in on the policy execution plug-in chain based on the association relationship.
Optionally, on the basis of the access control policy deployment apparatus shown in fig. 10, the plug-in deployment sub-module 1002 is specifically configured to:
when the association policy indicates that the priority of the target access control policy is higher than that of a first reference access control policy, deploying the target policy execution plug-in above the first reference policy execution plug-in corresponding to the first reference access control policy on the policy execution plug-in chain, so that when the execution conditions of the target access control policy and the first reference access control policy are met simultaneously, the target policy execution plug-in is executed first;
when the association policy indicates that the priority of the target access control policy is lower than that of a second reference access control policy, deploying the target policy execution plug-in below the second reference policy execution plug-in corresponding to the second reference access control policy on the policy execution plug-in chain, so that when the execution conditions of the target access control policy and the second reference access control policy are met simultaneously, the second reference policy execution plug-in is executed first.
Optionally, on the basis of the access control policy deployment apparatus shown in fig. 10, the plug-in deployment sub-module 1002 is specifically configured to:
when the associated policy is used for indicating that the target access control policy is executed after a third reference access control policy, connecting the target policy execution plug-in after a third reference policy execution plug-in corresponding to the third reference access control policy on the policy execution plug-in chain;
when the associated policy is used for indicating that the target access control policy is executed before a fourth reference access control policy, connecting the target policy execution plug-in before a fourth reference policy execution plug-in corresponding to the fourth reference access control policy on the policy execution plug-in chain.
Optionally, on the basis of the access control policy deployment apparatus shown in fig. 10, the plug-in deployment sub-module 1002 is specifically configured to:
when the association policy indicates that the target access control policy has a policy execution conflict with a fifth reference access control policy, constructing a conflict association relationship between the target policy execution plug-in and the fifth reference policy execution plug-in corresponding to the fifth reference access control policy, and deploying the target policy execution plug-in on the policy execution plug-in chain based on the conflict association relationship.
Optionally, on the basis of the access control policy deployment apparatus shown in fig. 10, the plug-in deployment sub-module 1002 is further configured to:
when the control information of the reference access control policy indicates that the reference policy execution plug-in corresponding to the reference access control policy is not allowed to form an association relationship with the target policy execution plug-in, refusing to construct the association relationship between the target policy execution plug-in and the reference policy execution plug-in.
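The association rules above (priority, execution before or after a reference plug-in, and refusal when the reference plug-in's control information forbids association) all come down to choosing an insertion point on an ordered chain. The following Python is an added illustration written for this page; it is not code from the patent or from the applicant. The class names, the control-information keys (`association`, `allow_association`) and the relation names are assumptions; the access control rules are opaque strings because only placement is shown; higher priority and "execute before" are both mapped to a position above the reference plug-in, lower priority and "execute after" to a position below it; and the conflict association with the fifth reference policy is not modelled, because the page does not define how such a conflict is resolved.

```python
from dataclasses import dataclass


@dataclass
class PolicyTemplate:
    """Policy plug-in template: control information plus policy content."""
    name: str
    control: dict   # execution mode, e.g. {"association": ("higher_priority", "ip_allowlist")}
    rules: list     # policy content; opaque strings here because only placement is shown


@dataclass
class PolicyPlugin:
    """Policy execution plug-in built from a template."""
    name: str
    control: dict
    rules: list


class AssociationRefused(Exception):
    """The reference plug-in's control information forbids association with it."""


class PolicyPluginChain:
    """Ordered chain of deployed plug-ins; index 0 is the top and is executed first."""

    def __init__(self) -> None:
        self.plugins = []

    def find(self, policy_name: str) -> int:
        """Locate the deployed plug-in for a named reference policy."""
        for i, p in enumerate(self.plugins):
            if p.name == policy_name:
                return i
        raise KeyError(f"no deployed plug-in for policy {policy_name!r}")

    def deploy(self, template: PolicyTemplate) -> PolicyPlugin:
        """Build a plug-in from the template and place it per its association policy."""
        plugin = PolicyPlugin(template.name, dict(template.control), list(template.rules))
        assoc = template.control.get("association")
        if assoc is None:
            self.plugins.append(plugin)            # no association: bottom of the chain
            return plugin
        relation, ref_name = assoc
        idx = self.find(ref_name)
        if not self.plugins[idx].control.get("allow_association", True):
            raise AssociationRefused(f"{ref_name} forbids association with {template.name}")
        if relation in ("higher_priority", "before"):
            self.plugins.insert(idx, plugin)       # target runs first when both match
        elif relation in ("lower_priority", "after"):
            self.plugins.insert(idx + 1, plugin)   # reference plug-in keeps precedence
        else:
            raise ValueError(f"unknown association relation {relation!r}")
        return plugin

    def order(self) -> list:
        """Execution order of the chain, top to bottom."""
        return [p.name for p in self.plugins]


def demo_order() -> list:
    """Constructed sample deployment; returns the resulting execution order."""
    chain = PolicyPluginChain()
    chain.deploy(PolicyTemplate("ip_allowlist", {}, ["src_ip in 10.0.0.0/8 -> allow"]))
    chain.deploy(PolicyTemplate("admin_api_deny", {"allow_association": False},
                                ["path starts with /admin -> deny"]))
    # Incident response: a block that must win over the allowlist when both match.
    chain.deploy(PolicyTemplate("emergency_block",
                                {"association": ("higher_priority", "ip_allowlist")},
                                ["src_ip == 10.0.0.99 -> deny"]))
    # A tagging step that must run right after the allowlist decision point.
    chain.deploy(PolicyTemplate("audit_tag", {"association": ("after", "ip_allowlist")},
                                ["tag request -> continue"]))
    return chain.order()


def demo_refusal() -> bool:
    """Hooking onto a plug-in whose control information forbids association is rejected."""
    chain = PolicyPluginChain()
    chain.deploy(PolicyTemplate("admin_api_deny", {"allow_association": False}, []))
    try:
        chain.deploy(PolicyTemplate("probe", {"association": ("before", "admin_api_deny")}, []))
    except AssociationRefused:
        return True
    return False


if __name__ == "__main__":
    print(demo_order())      # ['emergency_block', 'ip_allowlist', 'audit_tag', 'admin_api_deny']
    print(demo_refusal())    # True
```

The refusal path is the security-relevant one: a plug-in such as the constructed `admin_api_deny` that sets `allow_association` to false cannot be displaced by a later template that asks to be placed above it, which is how a baseline deny rule stays ahead of anything deployed afterwards. Placement is relative to the reference plug-in at deployment time, so a chain with many associations should be checked by reading back its order, as `demo_order` does, rather than assumed from the templates.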
Optionally, on the basis of the access control policy deployment apparatus shown in fig. 9, when the target policy plug-in template further includes static attribute information of the target access control policy, and the static attribute information includes a target category to which the target access control policy belongs, the plug-in deployment module 903 is specifically configured to:
searching for a target policy execution plug-in set on the policy execution plug-in chain based on the static attribute information in the target policy plug-in template; the target policy execution plug-in set comprises the policy execution plug-ins corresponding to the access control policies belonging to the target category;
deploying the target policy enforcement plug-in the set of target policy enforcement plug-ins based on the control information in the target policy plug-in template.
Optionally, on the basis of the access control policy deployment apparatus shown in fig. 9, referring to fig. 11, fig. 11 is a schematic structural diagram of another access control policy deployment apparatus 1100 provided in this embodiment of the present application. As shown in fig. 11, in the case that the control information is further used to indicate at least one of a split rule and a merge rule of the target access control policy, the plug-in construction module 902 includes:
a splitting sub-module 1101, configured to, when the control information indicates a splitting rule of the target access control policy and the target policy plug-in template meets the splitting condition specified by the splitting rule, split the target policy plug-in template into a plurality of target sub-policy plug-in templates and construct a plurality of target policy execution plug-ins based on them;
a merging sub-module 1102, configured to, when the control information indicates a merging rule of the target access control policy and the target policy plug-in template meets the merging condition corresponding to the merging rule, search the policy execution plug-in chain for a policy execution plug-in to be merged, merge the policy plug-in template corresponding to that plug-in with the target policy plug-in template, construct a target policy execution plug-in based on the merged policy plug-in template, and delete the policy execution plug-in that was merged.
Optionally, on the basis of the access control policy deployment apparatus shown in fig. 11, the splitting sub-module 1101 is specifically configured to:
dividing the access control rules included in the policy content of the target policy plug-in template into a plurality of target sub-policy plug-in templates according to a preset policy splitting rule; for each target sub-policy plug-in template, determining the access rule characteristics corresponding to that sub-template from the access control rules it contains;
constructing a corresponding target policy execution plug-in for each target sub-policy plug-in template, and writing the access rule characteristics corresponding to the sub-template into the dynamic characteristics included in that target policy execution plug-in.
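The splitting and merging rules, together with the access rule characteristics written into each plug-in's dynamic characteristics, can be shown on a small declarative rule format. The Python below is an added illustration for this page, not code from the patent or the applicant. The rule shape (attribute, prefix, decision), the control keys `split.max_rules` and `merge.min_rules`, the "group by inspected attribute" splitting rule and the feature keys `fields` and `prefixes` are all assumptions; the page specifies neither the splitting condition nor the form of the characteristics.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    """Access control rule: matches when request[attr] starts with prefix."""
    attr: str       # request attribute inspected, e.g. "path" or "src_ip"
    prefix: str
    decision: str   # "allow" or "deny"


@dataclass
class Template:
    name: str
    category: str   # static attribute information: category the policy belongs to
    control: dict   # e.g. {"split": {"max_rules": 3}} or {"merge": {"min_rules": 2}}
    rules: list


@dataclass
class Plugin:
    name: str
    category: str
    rules: list
    dynamic: dict   # dynamic characteristics; here the access rule characteristics


def rule_features(rules: list) -> dict:
    """Access rule characteristics: which attributes and prefixes the rules inspect.
    A dispatcher can skip a plug-in whose features cannot match the request."""
    return {"fields": sorted({r.attr for r in rules}),
            "prefixes": sorted({r.prefix for r in rules})}


def build_plugins(template: Template) -> list:
    """Split rule: a template with more than max_rules rules is divided into one
    sub-template per inspected attribute, and each sub-template becomes a plug-in."""
    limit = template.control.get("split", {}).get("max_rules")
    if limit is None or len(template.rules) <= limit:
        return [Plugin(template.name, template.category, list(template.rules),
                       rule_features(template.rules))]
    groups = {}
    for r in template.rules:
        groups.setdefault(r.attr, []).append(r)   # preset splitting rule: group by attribute
    return [Plugin(f"{template.name}/{attr}", template.category, rs, rule_features(rs))
            for attr, rs in groups.items()]


def deploy(chain: list, template: Template) -> list:
    """Merge rule: a template with fewer than min_rules rules is folded into the first
    deployed plug-in of the same category, which is rebuilt and replaced in place.
    Otherwise the template is built (possibly split) and appended. Returns the new chain."""
    threshold = template.control.get("merge", {}).get("min_rules")
    if threshold is not None and len(template.rules) < threshold:
        for i, p in enumerate(chain):
            if p.category == template.category:
                merged_rules = p.rules + list(template.rules)  # existing rules keep first-match precedence
                merged = Plugin(p.name, p.category, merged_rules, rule_features(merged_rules))
                return chain[:i] + [merged] + chain[i + 1:]   # the old plug-in is deleted
    return chain + build_plugins(template)


if __name__ == "__main__":
    big = Template("web_policy", "web", {"split": {"max_rules": 3}}, [
        Rule("path", "/admin", "deny"), Rule("path", "/api", "allow"),
        Rule("src_ip", "10.", "allow"), Rule("src_ip", "192.168.", "allow")])
    for p in build_plugins(big):
        print(p.name, p.dynamic)
```

Two points a practitioner should keep in view. First, splitting a template by attribute only preserves the original decision when the rules in different groups are independent; a template whose rules overlap across attributes (a deny on a path range that was meant to win over an allow on a source range) changes meaning once the groups become separately placed plug-ins, so the split condition should reject such templates or the resulting plug-ins must be placed with an explicit order. Second, merging appends the new rules after the existing ones, so the deployed plug-in's rules keep first-match precedence and a merge can never silently override an existing deny.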
Optionally, on the basis of the access control policy deployment apparatus shown in fig. 9, referring to fig. 12, fig. 12 is a schematic structural diagram of another access control policy deployment apparatus 1200 provided in this embodiment of the present application. As shown in fig. 12, in the case that the control information includes an aging characteristic, where the aging characteristic is used to indicate an effective duration of the target access control policy, the apparatus further includes:
a plug-in aging detection module 1201, configured to determine that the target policy execution plug-in has expired when its lifetime reaches the effective duration indicated by the aging characteristic.
Optionally, on the basis of the access control policy deployment apparatus shown in fig. 9, referring to fig. 13, fig. 13 is a schematic structural diagram of another access control policy deployment apparatus 1300 provided in this embodiment of the present application. As shown in fig. 13, in the case that the control information includes a dynamic characteristic indicating a dynamic execution condition of the target access control policy, the apparatus further includes:
an execution condition checking module 1301, configured to invoke the target policy execution plug-in on the policy execution plug-in chain to check the access request when the access request to be checked by the target component meets the dynamic execution condition indicated by the dynamic characteristic.
Optionally, on the basis of the access control policy deployment apparatus shown in fig. 9, referring to fig. 14, fig. 14 is a schematic structural diagram of another access control policy deployment apparatus 1400 provided in the embodiment of the present application. As shown in fig. 14, the apparatus further includes:
a policy path uploading module 1401, configured to determine the policy execution plug-in calling path corresponding to the access request from the policy execution plug-ins actually called on the policy execution plug-in chain when the target component verifies the access request, and to upload that calling path to a management end so that the management end can trace the access request based on it.
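The three runtime modules above (aging detection, dynamic execution condition checking, and uploading of the plug-in calling path) are easiest to see together as one walk over a deployed chain. The following Python is an added illustration written for this page; it is not code from the patent or the applicant. The plug-in fields (`ttl`, `condition`), the first-match-wins and default-deny semantics, the record layout sent to the management end and the sample chain are all assumptions; time is passed in explicitly so the expiry behaviour is deterministic.

```python
import json
from dataclasses import dataclass
from typing import Callable, Optional

Request = dict   # e.g. {"src_ip": "10.0.0.5", "path": "/api", "user": "alice"}


@dataclass
class DeployedPlugin:
    name: str
    rules: list                    # [(predicate, decision)], first match wins
    deployed_at: float             # seconds on the component's clock at deployment
    ttl: Optional[float] = None    # aging characteristic: effective duration, None = permanent
    condition: Optional[Callable[[Request], bool]] = None  # dynamic execution condition

    def expired(self, now: float) -> bool:
        """Aging detection: the plug-in is invalid once its lifetime reaches the ttl."""
        return self.ttl is not None and now - self.deployed_at >= self.ttl

    def applies(self, req: Request) -> bool:
        """Execution condition check: consult this plug-in only if the request meets it."""
        return self.condition is None or self.condition(req)

    def check(self, req: Request) -> Optional[str]:
        for predicate, decision in self.rules:
            if predicate(req):
                return decision
        return None


def verify(chain: list, req: Request, now: float) -> tuple:
    """Walk the chain top-down, skipping expired plug-ins and plug-ins whose dynamic
    execution condition the request does not meet; the first decision wins.
    Returns (decision, call_path); call_path lists only plug-ins actually called."""
    path = []
    for p in chain:
        if p.expired(now) or not p.applies(req):
            continue
        decision = p.check(req)
        path.append({"plugin": p.name, "result": decision or "no_match"})
        if decision is not None:
            return decision, path
    return "deny", path            # default deny: nothing on the chain allowed the request


def upload_record(request_id: str, req: Request, decision: str, path: list) -> str:
    """Serialise the calling path for the management end (JSON layout is an assumption).
    Only the fields needed for tracing are included, not the whole request."""
    return json.dumps({"request_id": request_id, "src_ip": req.get("src_ip"),
                       "path": req.get("path"), "decision": decision,
                       "call_path": path}, sort_keys=True)


def build_chain(deployed_at: float) -> list:
    """Constructed sample chain, top to bottom."""
    return [
        # incident response block, effective for five minutes only
        DeployedPlugin("emergency_block",
                       [(lambda r: r["src_ip"] == "10.0.0.99", "deny")],
                       deployed_at, ttl=300),
        # consulted only for requests from outside the 10/8 corporate range
        DeployedPlugin("external_mfa",
                       [(lambda r: not r.get("mfa", False), "deny")],
                       deployed_at, condition=lambda r: not r["src_ip"].startswith("10.")),
        DeployedPlugin("admin_api",
                       [(lambda r: r["path"].startswith("/admin") and r["user"] != "ops", "deny")],
                       deployed_at),
        DeployedPlugin("corp_allow",
                       [(lambda r: r["src_ip"].startswith("10."), "allow")],
                       deployed_at),
    ]


if __name__ == "__main__":
    chain = build_chain(1000.0)
    req = {"src_ip": "10.0.0.99", "path": "/api", "user": "alice"}
    for now in (1010.0, 1400.0):   # before and after the emergency block expires
        decision, path = verify(chain, req, now)
        print(upload_record("req-1", req, decision, path))
```

The expired plug-in is skipped rather than deleted, so the calling path for the same request changes from one entry to two once the TTL has passed; the management end sees that difference without any deployment event. Expiry should be judged on a monotonic clock, and the default when no plug-in decides should be deny, otherwise a chain whose every plug-in has aged out would silently allow everything.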
The access control policy deployment apparatus provided by the embodiment of the application introduces a dynamic, plug-in based way of deploying access control policies. When a deployed access control policy needs local adjustment (for example, some of its access control rules change) or a new access control policy is added, a corresponding policy execution plug-in is constructed and then either replaces a specific deployed policy execution plug-in or is inserted at the appropriate position on the policy execution plug-in chain, so the deployed access control policies do not have to be adjusted globally. When access control rules must be adapted to a specific scenario or changed in response to an incident, the corresponding policy execution plug-in can therefore be deployed flexibly and quickly, and the access control policies deployed on the component can keep pace with actual requirements.
The embodiment of the present application further provides a device for deploying an access control policy, where the device may specifically be a terminal device or a server, and the terminal device and the server provided in the embodiment of the present application will be described below from the perspective of hardware materialization.
Referring to fig. 15, fig. 15 is a schematic structural diagram of a terminal device provided in an embodiment of the present application. As shown in fig. 15, for convenience of explanation only the portions related to the embodiments of the present application are shown; for details not disclosed here, refer to the method portion of the embodiments. The terminal may be any terminal device, including a mobile phone, a tablet computer, a Personal Digital Assistant (PDA), a Point of Sales (POS) terminal, a vehicle-mounted computer, and the like; the following takes a computer as an example:
fig. 15 is a block diagram showing a partial structure of a computer related to a terminal provided in an embodiment of the present application. Referring to fig. 15, the computer includes: radio Frequency (RF) circuitry 1510, memory 1520, input unit 1530 including touch panel 1531 and other input devices 1532, display unit 1540 including display panel 1541, sensor 1550, audio circuitry 1560 which may connect speaker 1561 and microphone 1562, wireless fidelity (WiFi) module 1570, processor 1580, and power supply 1590. Those skilled in the art will appreciate that the computer architecture shown in FIG. 15 is not intended to be limiting, and may include more or fewer components than those shown, or some components in combination, or a different arrangement of components.
The memory 1520 may be used to store software programs and modules, and the processor 1580 performs the various functional applications of the computer and its data processing by running the software programs and modules stored in the memory 1520. The memory 1520 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required for at least one function (such as a sound playing function, an image playing function, etc.), and the like, and the data storage area may store data created according to the use of the computer (such as audio data, a phonebook, etc.). Further, the memory 1520 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device.
The processor 1580 is a control center of the computer, connects various parts of the entire computer using various interfaces and lines, performs various functions of the computer and processes data by operating or executing software programs and/or modules stored in the memory 1520 and calling data stored in the memory 1520, thereby monitoring the entire computer. Optionally, the processor 1580 may include one or more processing units; preferably, the processor 1580 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, and the like, and a modem processor, which mainly handles wireless communications. It is to be appreciated that the modem processor may not be integrated into the processor 1580.
In this embodiment, the processor 1580 included in the terminal further has the following functions:
acquiring a target policy plug-in template corresponding to a target access control policy to be deployed; the target policy plug-in template comprises control information and policy content of the target access control policy, wherein the control information is used for indicating an execution mode of the target access control policy, and the policy content comprises an access control rule under the target access control policy;
constructing a target policy execution plug-in corresponding to the target access control policy based on the target policy plug-in template; the target policy execution plug-in is used for verifying the access request based on the access control rule included in the policy content;
deploying the target policy execution plug-in on a policy execution plug-in chain in a target component based on the control information in the target policy plug-in template; the policy execution plug-in chain comprises the policy execution plug-ins corresponding to the deployed access control policies in the target component, and the target component is used for completing verification of the access request based on the policy execution plug-ins deployed on the policy execution plug-in chain.
Optionally, the processor 1580 is further configured to execute steps of any implementation manner of the access control policy deployment method provided in the embodiment of the present application.
Referring to fig. 16, fig. 16 is a schematic structural diagram of a server 1600 according to an embodiment of the present disclosure. The server 1600 may vary widely in configuration or performance, and may include one or more Central Processing Units (CPUs) 1622 (e.g., one or more processors) and memory 1632, and one or more storage media 1630 (e.g., one or more mass storage devices) storing applications 1642 or data 1644. Memory 1632 and storage media 1630 may be transient or persistent storage. The program stored on the storage medium 1630 may include one or more modules (not shown), each of which may include a sequence of instructions operating on the server. Further, the central processing unit 1622 may be configured to communicate with the storage medium 1630 to execute the series of instruction operations in the storage medium 1630 on the server 1600.
The server 1600 may also include one or more power supplies 1626, one or more wired or wireless network interfaces 1650, one or more input-output interfaces 1658, and/or one or more operating systems, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, and so on.
The steps performed by the server in the above embodiment may be based on the server structure shown in fig. 16.
The CPU 1622 is configured to execute the following steps:
acquiring a target policy plug-in template corresponding to a target access control policy to be deployed; the target policy plug-in template comprises control information and policy content of the target access control policy, wherein the control information is used for indicating an execution mode of the target access control policy, and the policy content comprises an access control rule under the target access control policy;
constructing a target policy execution plug-in corresponding to the target access control policy based on the target policy plug-in template; the target policy execution plug-in is used for verifying the access request based on the access control rule included in the policy content;
deploying the target policy execution plug-in on a policy execution plug-in chain in a target component based on the control information in the target policy plug-in template; the policy execution plug-in chain comprises a policy execution plug-in corresponding to each deployed access control policy in the target component, and the target component is used for completing verification of an access request based on the policy execution plug-ins deployed on the policy execution plug-in chain.
Optionally, the CPU 1622 may also be configured to execute the steps of any implementation manner of the access control policy deployment method provided in this embodiment of the present application.
The embodiment of the present application further provides a computer-readable storage medium, configured to store a computer program, where the computer program is configured to execute any one implementation manner of the access control policy deployment method described in the foregoing embodiments.
Embodiments of the present application also provide a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and executes the computer instructions, so that the computer device executes any one of the access control policy deployment methods described in the foregoing embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the essence of the technical solution of the present application, the part of it that contributes over the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, and other media capable of storing computer programs.
It should be understood that, in this application, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may indicate: only A, only B, or both A and B, where A and B may be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of the listed items, including any combination of single items or plural items. For example, at least one of a, b, or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b, and c may each be singular or plural.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (17)

1. An access control policy deployment method, the method comprising:
acquiring a target policy plug-in template corresponding to a target access control policy to be deployed; the target policy plug-in template comprises control information and policy content of the target access control policy, wherein the control information is used for indicating an execution mode of the target access control policy, and the policy content comprises an access control rule under the target access control policy;
constructing a target policy execution plug-in corresponding to the target access control policy based on the target policy plug-in template; the target policy execution plug-in is used for verifying the access request based on the access control rule included in the policy content;
deploying the target policy execution plug-in on a policy execution plug-in chain in a target component based on the control information in the target policy plug-in template; the policy execution plug-in chain comprises a policy execution plug-in corresponding to each deployed access control policy in the target component, and the target component is used for completing verification of an access request based on the policy execution plug-ins deployed on the policy execution plug-in chain.
2. The method of claim 1, wherein the control information comprises an association policy indicating an association relationship between the target access control policy and a reference access control policy; the deploying the target policy execution plug-in on a policy execution plug-in chain in the target component based on the control information in the target policy plug-in template includes:
searching for a reference policy execution plug-in corresponding to the reference access control policy on the policy execution plug-in chain;
and constructing an association relation between the target policy execution plug-in and the reference policy execution plug-in based on the association policy, and deploying the target policy execution plug-in on the policy execution plug-in chain based on the association relation.
3. The method of claim 2, wherein the building an association between the target policy execution plug-in and the reference policy execution plug-in based on the association policy and deploying the target policy execution plug-in on the chain of policy execution plug-ins based on the association comprises:
when the association policy indicates that the priority of the target access control policy is higher than that of a first reference access control policy, deploying the target policy execution plug-in above the first reference policy execution plug-in corresponding to the first reference access control policy on the policy execution plug-in chain, so that when the execution conditions of the target access control policy and the first reference access control policy are met simultaneously, the target policy execution plug-in is executed first;
when the association policy indicates that the priority of the target access control policy is lower than that of a second reference access control policy, deploying the target policy execution plug-in below the second reference policy execution plug-in corresponding to the second reference access control policy on the policy execution plug-in chain, so that when the execution conditions of the target access control policy and the second reference access control policy are met simultaneously, the second reference policy execution plug-in is executed first.
4. The method according to claim 2, wherein the building an association between the target policy execution plug-in and the reference policy execution plug-in based on the association policy and deploying the target policy execution plug-in on the chain of policy execution plug-ins based on the association comprises:
when the associated policy is used for indicating that the target access control policy is executed after a third reference access control policy, connecting the target policy execution plug-in after a third reference policy execution plug-in corresponding to the third reference access control policy on the policy execution plug-in chain;
when the associated policy is used for indicating that the target access control policy is executed before a fourth reference access control policy, connecting the target policy execution plug-in before a fourth reference policy execution plug-in corresponding to the fourth reference access control policy on the policy execution plug-in chain.
5. The method of claim 2, wherein the building an association between the target policy execution plug-in and the reference policy execution plug-in based on the association policy and deploying the target policy execution plug-in on the chain of policy execution plug-ins based on the association comprises:
when the association policy indicates that the target access control policy has a policy execution conflict with a fifth reference access control policy, constructing a conflict association relationship between the target policy execution plug-in and the fifth reference policy execution plug-in corresponding to the fifth reference access control policy, and deploying the target policy execution plug-in on the policy execution plug-in chain based on the conflict association relationship.
6. The method according to any one of claims 2 to 5, further comprising:
when the control information of the reference access control policy indicates that the reference policy execution plug-in corresponding to the reference access control policy is not allowed to form an association relationship with the target policy execution plug-in, refusing to construct the association relationship between the target policy execution plug-in and the reference policy execution plug-in.
7. The method of claim 1, wherein the target policy plug-in template further comprises static attribute information of the target access control policy, the static attribute information comprising a target class to which the target access control policy belongs; the deploying the target policy execution plug-in on a policy execution plug-in chain in the target component based on the control information in the target policy plug-in template includes:
searching for a target policy execution plug-in set on the policy execution plug-in chain based on the static attribute information in the target policy plug-in template; the target policy execution plug-in set comprises the policy execution plug-ins corresponding to the access control policies belonging to the target category;
deploying the target policy enforcement plug-in the set of target policy enforcement plug-ins based on the control information in the target policy plug-in template.
8. The method of claim 1, wherein the control information is further used to indicate at least one of a split rule and a merge rule of the target access control policy; the constructing of the target policy execution plug-in corresponding to the target access control policy based on the target policy plug-in template includes:
when the control information indicates a splitting rule of the target access control policy, if the target policy plug-in template meets the splitting condition specified by the splitting rule, splitting the target policy plug-in template into a plurality of target sub-policy plug-in templates, and constructing a plurality of target policy execution plug-ins based on the plurality of target sub-policy plug-in templates;
when the control information indicates a merging rule of the target access control policy, if the target policy plug-in template meets a merging condition corresponding to the merging rule, searching the policy execution plug-in chain for a policy execution plug-in to be merged, merging the policy plug-in template corresponding to that plug-in with the target policy plug-in template, constructing a target policy execution plug-in based on the merged policy plug-in template, and deleting the policy execution plug-in that was merged.
9. The method of claim 8, wherein the splitting the target policy plug-in template into a plurality of target sub-policy plug-in templates, and wherein building a plurality of target policy enforcement plug-ins based on the plurality of target sub-policy plug-in templates comprises:
dividing the access control rules included in the policy content of the target policy plug-in template among a plurality of target sub-policy plug-in templates according to a preset policy splitting rule; for each target sub-policy plug-in template, determining the access rule characteristic corresponding to that target sub-policy plug-in template according to the access control rules it contains;
and constructing a corresponding target policy execution plug-in for each target sub-policy plug-in template, and writing the access rule characteristic corresponding to the target sub-policy plug-in template into the dynamic characteristic included in that target policy execution plug-in.
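The split and merge behaviour of claims 8 and 9, as an added worked example; this is illustrative code, not the patent's or the applicant's implementation. The data model (`PolicyTemplate`, `PolicyPlugin`), the splitting rule (chunk the rules by a `max_rules` count), the merging condition (same `group` in the control information) and the access rule characteristic (the set of resources the rules mention) are all assumptions made for the example; the patent text only says such rules and characteristics exist.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PolicyTemplate:
    """Policy plug-in template: control information plus policy content (the rules). Assumed shape."""
    policy_id: str
    control: Dict          # e.g. {"split": {"max_rules": 2}} or {"merge": {"group": "hr"}}
    rules: List[Dict]      # access control rules: {"subject": ..., "resource": ..., "action": ...}


@dataclass
class PolicyPlugin:
    """Policy execution plug-in built from a template; checks a request against its rules."""
    policy_id: str
    rules: List[Dict]
    dynamic: Dict = field(default_factory=dict)   # dynamic characteristic (here: rule feature)
    group: Optional[str] = None                   # merge group this plug-in belongs to (assumed)

    def check(self, request: Dict) -> bool:
        return any(r["subject"] == request["subject"] and r["resource"] == request["resource"]
                   and r["action"] == request["action"] for r in self.rules)


def rule_feature(rules: List[Dict]) -> Dict:
    """Access rule characteristic written into the plug-in's dynamic characteristic.
    Assumed here to be the sorted set of resources the rules cover."""
    return {"resources": sorted({r["resource"] for r in rules})}


def split_template(tpl: PolicyTemplate, max_rules: int) -> List[PolicyTemplate]:
    """Preset splitting rule (assumed): chunk the rules into sub-templates of at most max_rules."""
    chunks = [tpl.rules[i:i + max_rules] for i in range(0, len(tpl.rules), max_rules)]
    return [PolicyTemplate(f"{tpl.policy_id}#{n}", {}, chunk) for n, chunk in enumerate(chunks)]


def build_plugins(tpl: PolicyTemplate, chain: List[PolicyPlugin]) -> List[PolicyPlugin]:
    """Split, merge, or build directly, depending on the control information.
    `chain` is mutated when a merge deletes the plug-in that was merged away."""
    split = tpl.control.get("split")
    if split and len(tpl.rules) > split["max_rules"]:          # splitting condition met
        return [PolicyPlugin(sub.policy_id, sub.rules, rule_feature(sub.rules))
                for sub in split_template(tpl, split["max_rules"])]
    merge = tpl.control.get("merge")
    if merge:
        group = merge["group"]
        victim = next((p for p in chain if p.group == group), None)   # plug-in to be merged
        if victim is not None:
            chain.remove(victim)                                    # deleted from the chain
            merged_rules = victim.rules + tpl.rules
            return [PolicyPlugin(f"{victim.policy_id}+{tpl.policy_id}", merged_rules,
                                 rule_feature(merged_rules), group=group)]
        return [PolicyPlugin(tpl.policy_id, tpl.rules, rule_feature(tpl.rules), group=group)]
    return [PolicyPlugin(tpl.policy_id, tpl.rules, rule_feature(tpl.rules))]


def demo() -> Dict:
    """Deploy three constructed templates onto an empty chain and report the result."""
    chain: List[PolicyPlugin] = []
    big = PolicyTemplate("p-fin", {"split": {"max_rules": 2}}, [
        {"subject": "alice", "resource": "/fin/ledger", "action": "read"},
        {"subject": "bob", "resource": "/fin/ledger", "action": "read"},
        {"subject": "carol", "resource": "/fin/payroll", "action": "write"},
    ])
    chain += build_plugins(big, chain)          # split into two plug-ins
    first = PolicyTemplate("p-hr-1", {"merge": {"group": "hr"}},
                           [{"subject": "dave", "resource": "/hr/people", "action": "read"}])
    chain += build_plugins(first, chain)        # nothing to merge with yet
    second = PolicyTemplate("p-hr-2", {"merge": {"group": "hr"}},
                            [{"subject": "erin", "resource": "/hr/people", "action": "write"}])
    chain += build_plugins(second, chain)       # merged with p-hr-1, which is deleted
    return {
        "ids": [p.policy_id for p in chain],
        "fin_resources": [p.dynamic["resources"] for p in chain if p.policy_id.startswith("p-fin")],
        "erin_can_write": any(p.check({"subject": "erin", "resource": "/hr/people",
                                       "action": "write"}) for p in chain),
        "dave_can_write": any(p.check({"subject": "dave", "resource": "/hr/people",
                                       "action": "write"}) for p in chain),
    }
```

The merge step deletes the older plug-in before the merged one is appended, so a request that was covered by either original template is still covered by exactly one plug-in afterwards; a deployment that appended the merged plug-in without deleting its predecessor would evaluate the same rules twice and make the call path misleading.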
10. The method of claim 1, wherein the control information comprises an age characteristic indicating the length of time for which the target access control policy is valid; the method further comprises:
when the lifetime of the target policy execution plug-in reaches the valid duration indicated by the age characteristic, determining that the target policy execution plug-in is invalid.
11. The method of claim 1, wherein the control information comprises a dynamic characteristic indicating a dynamic execution condition of the target access control policy; the method further comprises:
when an access request to be checked by the target component meets the dynamic execution condition indicated by the dynamic characteristic, calling the target policy execution plug-in on the policy execution plug-in chain to check the access request.
12. The method of claim 1, further comprising:
determining a policy execution plug-in calling path corresponding to the access request according to the policy execution plug-ins called on the policy execution plug-in chain when the target component checks the access request;
and uploading the policy execution plug-in calling path corresponding to the access request to a management end, so that the management end can trace the access request based on the policy execution plug-in calling path.
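Claims 10 to 12 together describe how a component's plug-in chain is evaluated at check time: expired plug-ins are skipped, plug-ins are only called when their dynamic condition holds, and the plug-ins actually called form a calling path that is reported to a management end. The example below is added here to show those three behaviours in one chain; it is not the patent's code. The rule format (`subject`/`resource`/`action` with `*` wildcards and an `effect`), the first-decision-wins evaluation order, default deny when no plug-in decides, seconds as the unit of the age characteristic, and the in-memory `uploaded` list standing in for the management end are all assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


def _matches(rule: Dict, req: Dict) -> bool:
    """A rule matches when each field it names equals the request's field or is '*'."""
    return all(rule[k] in ("*", req.get(k)) for k in ("subject", "resource", "action"))


@dataclass
class ExecPlugin:
    """Policy execution plug-in carrying the control information the claims describe."""
    policy_id: str
    rules: List[Dict]                                   # policy content; each rule has an "effect"
    valid_for: float = float("inf")                     # age characteristic, seconds (assumed unit)
    condition: Callable[[Dict], bool] = lambda req: True  # dynamic execution condition
    deployed_at: float = 0.0

    def expired(self, now: float) -> bool:
        # Claim 10: invalid once the lifetime reaches the valid duration.
        return now - self.deployed_at >= self.valid_for

    def check(self, req: Dict) -> Optional[str]:
        # First matching rule decides; None means this plug-in has no opinion.
        for rule in self.rules:
            if _matches(rule, req):
                return rule["effect"]
        return None


class PluginChain:
    """Policy execution plug-in chain inside one target component."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.plugins: List[ExecPlugin] = []
        self.uploaded: List[Dict] = []   # stands in for the management end (assumed)

    def deploy(self, plugin: ExecPlugin) -> None:
        plugin.deployed_at = self.clock()
        self.plugins.append(plugin)

    def check(self, req: Dict) -> Dict:
        now = self.clock()
        path: List[str] = []
        verdict = "deny"                      # default deny when nothing decides (assumed)
        for plugin in self.plugins:
            if plugin.expired(now):           # claim 10: skip invalid plug-ins
                continue
            if not plugin.condition(req):     # claim 11: call only when the condition holds
                continue
            path.append(plugin.policy_id)     # claim 12: record the calling path
            decision = plugin.check(req)
            if decision is not None:
                verdict = decision
                break
        record = {"request": req, "verdict": verdict, "path": path}
        self.upload(record)
        return record

    def upload(self, record: Dict) -> None:
        # Claim 12: hand the calling path to the management end for tracing.
        self.uploaded.append(record)


def demo() -> Dict:
    """Constructed chain: an off-hours deny, a 60 s temporary grant, a standing grant."""
    now = [0.0]
    chain = PluginChain(clock=lambda: now[0])
    chain.deploy(ExecPlugin("p-offhours",
                            [{"subject": "*", "resource": "*", "action": "*", "effect": "deny"}],
                            condition=lambda req: not 9 <= req["hour"] < 18))
    chain.deploy(ExecPlugin("p-temp",
                            [{"subject": "bob", "resource": "/app", "action": "read", "effect": "allow"}],
                            valid_for=60))
    chain.deploy(ExecPlugin("p-base",
                            [{"subject": "alice", "resource": "/app", "action": "read", "effect": "allow"}]))
    results = [chain.check({"subject": "bob", "resource": "/app", "action": "read", "hour": 10})]
    now[0] = 120.0                                     # p-temp's validity has lapsed
    results.append(chain.check({"subject": "bob", "resource": "/app", "action": "read", "hour": 10}))
    results.append(chain.check({"subject": "alice", "resource": "/app", "action": "read", "hour": 22}))
    results.append(chain.check({"subject": "alice", "resource": "/app", "action": "read", "hour": 10}))
    return {"verdicts": [r["verdict"] for r in results],
            "paths": [r["path"] for r in results],
            "uploaded": len(chain.uploaded)}
```

The recorded path lists only the plug-ins that were actually invoked, so a skipped plug-in (expired or condition not met) is absent from it; when reviewing an unexpected verdict on the management end, an empty or short path is the first hint that a policy was silently skipped rather than evaluated.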
13. An access control system, characterized in that the system comprises an access agent, a client, a server and a gateway; the access agent, the client, the server and the gateway each deploy an access control policy by the access control policy deployment method of any one of claims 1 to 12;
the access agent is used for intercepting an access request based on the policy execution plug-ins deployed in the access agent and transmitting the request parameters and process information of the access request to the client;
the client is used for performing primary verification on the access request according to its request parameters and process information, based on the policy execution plug-ins deployed in the client; and, after the access request is confirmed to pass the primary verification, transmitting the request parameters and process information of the access request to the server;
the server is used for performing secondary verification on the access request according to its request parameters and process information, based on the policy execution plug-ins deployed in the server; and issuing an access ticket corresponding to the access request to the client according to the secondary verification result of the access request;
the client is further used for forwarding the access ticket to the access agent;
the access agent is further used for sending the access ticket and the access request to the gateway;
the gateway is used for sending the access ticket to the server for verification, based on the policy execution plug-ins deployed in the gateway; and, based on the deployed policy execution plug-ins, controlling whether the access request may access the intranet service resource according to the server's verification result for the access ticket.
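The exchange of claim 13, simulated end to end as an added example (not the patent's or the applicant's code): the agent intercepts, the client performs the primary check on process information, the server performs the secondary check and issues a ticket, the ticket travels client to agent to gateway, and the gateway has the server verify it before admitting the request. Everything about the ticket is an assumption for the example: it is an HMAC-SHA256 over a JSON body binding user, host, process name and an expiry, with a constructed key and a 60 s TTL; the process allow-list and the user-to-host grants are constructed plug-in content, and real components would talk over the network rather than by direct calls.

```python
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional

# Constructed demo key; in a real deployment the ticket-signing key stays on the server.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


class Server:
    """Server: secondary verification, ticket issuance and ticket verification."""

    def __init__(self, key: bytes, clock: Callable[[], float], ttl: float = 60.0):
        self.key, self.clock, self.ttl = key, clock, ttl
        # Constructed policy content: which user may reach which intranet host.
        self.grants = {("alice", "wiki.corp"), ("bob", "git.corp")}

    def secondary_check(self, params: Dict, proc: Dict) -> Optional[str]:
        if (params["user"], params["host"]) not in self.grants:
            return None
        # The ticket binds user, host and process so it is only good for this one access.
        body = {"user": params["user"], "host": params["host"],
                "proc": proc["name"], "exp": self.clock() + self.ttl}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return payload.hex() + "." + sig

    def verify_ticket(self, ticket: str, params: Dict) -> bool:
        try:
            payload_hex, sig = ticket.split(".")
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return False
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False
        body = json.loads(payload)
        return (body["exp"] > self.clock()
                and body["user"] == params["user"]
                and body["host"] == params["host"])


class Client:
    """Client: primary verification on request parameters and process information."""
    TRUSTED_PROCS = {"corp-browser", "corp-git"}   # constructed allow-list plug-in content

    def __init__(self, server: Server):
        self.server = server

    def handle(self, params: Dict, proc: Dict) -> Optional[str]:
        if proc["name"] not in self.TRUSTED_PROCS:
            return None                                   # primary verification failed
        return self.server.secondary_check(params, proc)  # ticket (or None) back to the agent


class Gateway:
    """Gateway: has the server verify the ticket, then admits or blocks the request."""

    def __init__(self, server: Server):
        self.server = server

    def handle(self, ticket: Optional[str], params: Dict) -> str:
        if ticket is None or not self.server.verify_ticket(ticket, params):
            return "blocked"
        return "connected:" + params["host"]


class AccessAgent:
    """Access agent: intercepts the request and shuttles it through client and gateway."""

    def __init__(self, client: Client, gateway: Gateway):
        self.client, self.gateway = client, gateway

    def intercept(self, params: Dict, proc: Dict) -> str:
        ticket = self.client.handle(params, proc)   # client forwards the ticket back
        return self.gateway.handle(ticket, params)  # ticket and request go to the gateway


def demo() -> Dict:
    """Run constructed requests through the four components and collect the outcomes."""
    now = [1000.0]
    server = Server(SERVER_KEY, clock=lambda: now[0])
    client, gateway = Client(server), Gateway(server)
    agent = AccessAgent(client, gateway)
    browser = {"name": "corp-browser", "pid": 4242}
    results = {
        "granted": agent.intercept({"user": "alice", "host": "wiki.corp"}, browser),
        "untrusted_process": agent.intercept({"user": "alice", "host": "wiki.corp"},
                                             {"name": "unknown-tool", "pid": 7}),
        "no_grant": agent.intercept({"user": "alice", "host": "git.corp"}, browser),
    }
    # A ticket issued for git.corp must not open wiki.corp, and must not outlive its TTL.
    ticket = client.handle({"user": "bob", "host": "git.corp"}, {"name": "corp-git", "pid": 9})
    results["ticket_wrong_host"] = gateway.handle(ticket, {"user": "bob", "host": "wiki.corp"})
    now[0] += 120.0
    results["ticket_expired"] = gateway.handle(ticket, {"user": "bob", "host": "git.corp"})
    return results
```

The gateway never interprets the ticket itself; it only learns the server's verdict, which is what keeps the signing key out of the gateway and lets the server revoke or shorten tickets without redeploying gateway plug-ins. Binding the ticket to the host and expiry is what makes the last two cases fail.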
14. An access control policy deployment apparatus, the apparatus comprising:
the template acquisition module is used for acquiring a target policy plug-in template corresponding to a target access control policy to be deployed; the target policy plug-in template comprises control information and policy content of the target access control policy, wherein the control information is used for indicating an execution mode of the target access control policy, and the policy content comprises an access control rule under the target access control policy;
the plug-in construction module is used for constructing a target policy execution plug-in corresponding to the target access control policy based on the target policy plug-in template; the target policy execution plug-in is used for verifying an access request based on the access control rule included in the policy content;
the plug-in deployment module is used for deploying the target policy execution plug-in on a policy execution plug-in chain in the target component based on the control information in the target policy plug-in template; the policy execution plug-in chain comprises a policy execution plug-in corresponding to each deployed access control policy in the target component, and the target component is used for completing verification of an access request based on the policy execution plug-ins deployed on the policy execution plug-in chain.
15. An apparatus, comprising a processor and a memory;
the memory is used for storing a computer program;
the processor is configured to execute the access control policy deployment method of any one of claims 1 to 12 in accordance with the computer program.
16. A computer-readable storage medium for storing a computer program for executing the access control policy deployment method of any one of claims 1 to 12.
17. A computer program product comprising a computer program or instructions, characterized in that the computer program or the instructions, when executed by a processor, implement the access control policy deployment method of any one of claims 1 to 12.
CN202111064345.XA 2021-09-10 2021-09-10 Access control policy deployment method, related device and access control system Pending CN115795493A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111064345.XA CN115795493A (en) 2021-09-10 2021-09-10 Access control policy deployment method, related device and access control system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111064345.XA CN115795493A (en) 2021-09-10 2021-09-10 Access control policy deployment method, related device and access control system

Publications (1)

Publication Number Publication Date
CN115795493A true CN115795493A (en) 2023-03-14

Family

ID=85417220

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111064345.XA Pending CN115795493A (en) 2021-09-10 2021-09-10 Access control policy deployment method, related device and access control system

Country Status (1)

Country Link
CN (1) CN115795493A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117155716A (en) * 2023-10-31 2023-12-01 腾讯科技(深圳)有限公司 Access verification method and device, storage medium and electronic equipment
CN117155716B (en) * 2023-10-31 2024-02-09 腾讯科技(深圳)有限公司 Access verification method and device, storage medium and electronic equipment

Similar Documents

Publication Publication Date Title
US10437967B2 (en) Code signing system and method
US9842230B1 (en) System and method for automatically detecting and then self-repairing corrupt, modified or non-existent files via a communication medium
US20180150636A1 (en) Anonymized application scanning for mobile devices
US9917862B2 (en) Integrated application scanning and mobile enterprise computing management system
US11595426B2 (en) Risk based virtual workspace delivery
CN113179271A (en) Intranet security policy detection method and device
CN115996122A (en) Access control method, device and system
CN115795493A (en) Access control policy deployment method, related device and access control system
JP2023521901A (en) Mobile application forgery/falsification detection method, computer program, computer-readable recording medium and computer device using user identifier and signature collection
CN116975805A (en) Data processing method, device, equipment, storage medium and product
CN116707841A (en) Network access control method and device, computer readable medium and electronic equipment
CN117135104A (en) Data processing method, apparatus, computer device, storage medium, and program product
CN116996238A (en) Processing method and related device for network abnormal access

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code
Ref country code: HK
Ref legal event code: DE
Ref document number: 40083097
Country of ref document: HK