CN117938485A - Low-code SDN access control method and system - Google Patents


Info

Publication number
CN117938485A
Application number
CN202410080054.7A
Authority
CN (China)
Legal status
Pending
Prior art keywords
atomic, user, service, access control, network
Other languages
Chinese (zh)
Inventors
薛涛
张海宾
王梓玙
张莹
李静媛
Current Assignee
Hangzhou Research Institute Of Xi'an University Of Electronic Science And Technology
Original Assignee
Hangzhou Research Institute Of Xi'an University Of Electronic Science And Technology
Application filed by Hangzhou Research Institute Of Xi'an University Of Electronic Science And Technology

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention discloses a low-code SDN access control method and system. The method comprises the following steps: acquire the current user and service attributes and the conditions of the current user service; match an access control policy against the user and service attributes and the conditions; when the match succeeds, check the pre-authorized atomic capability set in the atomic capability library. If the pre-authorized atomic capability set cannot meet the network service requirement, provide an atomic capability registration suggestion according to the network state information, let the system administrator decide whether to send an atomic capability registration request, automatically generate the atomic capability according to that request, and put it into the atomic capability library. If the pre-authorized atomic capability set can meet the network service requirement, judge whether the authorized atomic capabilities of the user services conflict, and if so, determine whether to activate the atomic capability according to the priority of the user services. The invention can reasonably allocate atomic capability usage permissions, improve atomic capability management efficiency and enhance network security.

Description

Low-code SDN access control method and system
Technical Field
The invention relates to the field of network security, in particular to a low-code SDN access control method and system.
Background
Software Defined Networking (SDN) is a revolutionary networking paradigm. SDN decouples the control plane of network devices from the data plane, and a user may orchestrate network applications according to network traffic requirements through the interfaces SDN provides. As shown in FIG. 1, the application plane hosts a variety of applications; the main components of the control plane are a network controller and a network information base; the data plane is made up of various network devices (e.g., switches, virtual switches, routers, virtual routers). Applications orchestrate business logic through the northbound interface, the business logic is passed to the network controller, and the network controller communicates with the devices on the data plane through the southbound interface.
Low-code development is an application construction method based on a graphical user interface that allows a business developer to build an application through simple drag-and-drop components and model-driven logic. Such a development platform spares the developer from deep coding work, which reduces the burden on developers without a technical background while still supporting professional developers. With a low-code platform, a developer can quickly build and roll out business applications, improving development efficiency and productivity while reducing cost, increasing flexibility and thereby promoting business development.
The low-code SDN architecture provides users with flexible and efficient low-code orchestration capabilities, as shown in fig. 2. The SDN control layer provides atomic capabilities according to network service requirements; each atomic capability has a corresponding graphical interface, and a user can arrange service logic by dragging according to their own service requirements; furthermore, the user may register new atomic capabilities with the SDN control layer as their own business develops. The SDN controller may also directly open atomic capabilities to the user according to the network state, so that the user can orchestrate services with the existing open interfaces.
While low-code SDN provides users with flexible and efficient low-code orchestration capabilities, the security and development of SDN remain constrained. At present, atomic capabilities have to be orchestrated manually by professionals; manual orchestration is labor-intensive work in which professional errors easily occur, so atomic capability orchestration goes wrong and serious network security incidents can follow. If atomic capabilities are managed improperly, unauthorized use of atomic capabilities by users is easily caused. For example, a user who has no need to know the information of a certain network device may gain access to that device's information because atomic capabilities were over-authorized. Because SDN network users are diverse and service types are varied and changeable, SDN access control of atomic capabilities must consider multiple factors in order to authorize atomic capabilities flexibly and thereby further strengthen SDN security. Existing SDN access control systems cannot overcome the security and development limitations faced by low-code SDN.
Disclosure of Invention
The invention provides a low-code SDN access control method and system to solve the problem of complex access management in a low-code SDN network when network users and services are diverse and changing, so that atomic capability usage permissions can be allocated reasonably, atomic capability management efficiency is improved, and network security is enhanced.
The technical scheme adopted by the invention to achieve this purpose is as follows:
a low code SDN access control method comprising the steps of:
1) Acquiring current user and service attributes, acquiring conditions of the current user service, and constructing a pre-authorized atomic capability set according to access control strategies matched with the user and service attributes and the conditions;
2) Judging whether the preauthorized atomic capacity set can meet the network service requirement, if not, registering the atomic capacity according to the network state information, otherwise, executing the step 3);
3) Judging whether the authorized atomic capabilities of the user services conflict; if so, determining whether to activate the atomic capability according to the priority of the user services, otherwise authorizing the atomic capability.
Said step 1) comprises the steps of:
1.1) Comparing the current user and service attribute A with the user and service attribute B bound to the access control policy; if B contains all of A and the condition of the user service meets the condition in the access control policy, the match succeeds and the pre-authorized atomic capability in the access control policy is read; if the match fails, traversal of the access control policy set continues;
1.2) Traversing all user and service attributes to finally form the pre-authorized atomic capability set.
The format of the access control policy is as follows: { user, <service, priority>, atomic capability, rights, conditions }, wherein:
the user represents the attribute information provided when the user registers;
the service represents the attribute information provided during service registration;
the priority represents the access priority of each service, negotiated and formulated by the system administrator and the user around the network service;
the atomic capability refers to the network function split into its smallest and most basic programmable units;
the rights represent the rights of a user to use, read and modify atomic capabilities;
the condition indicates whether the circumstances of the user during access control satisfy the prescribed requirements.
In the step 2), the atomic capability registration according to the network status information specifically includes:
The system administrator sends out an atomic capability registration request, automatically generates atomic capability according to the atomic capability registration request, and puts the atomic capability into the atomic capability set.
The automatic generation of atomic capabilities according to the atomic capability registration request specifically includes:
(1) A system administrator establishes a network state information knowledge graph comprising the connection mode between network devices, device types, topology description, device configuration information, setting protocols and standard support;
(2) Acquiring the existing atomic capability automated deployment specification;
(3) Combining the automated deployment specification with the connection mode between network devices, the topology description and the device configuration information in the network state information knowledge graph, a large language model analyses the network state through prompt engineering to obtain the available devices and ports;
(4) Based on the analysis result and on the network security policy, performance requirements, fault and recovery policy, network service requirements and monitoring requirements provided by the system administrator, the large language model automatically generates atomic capabilities through prompt engineering according to the device types, device configuration information, setting protocols and standards in the network state information knowledge graph.
The step 3) is specifically as follows:
When the atomic capabilities used by different user services correspond to the same entity at the same time, the authorized atomic capabilities of those user services conflict, and the atomic capability of the service whose priority in the access control policy is higher is authorized preferentially.
A low code SDN access control system comprising:
the policy management layer is used for generating and storing access control policies;
And the control implementation layer is used for collecting the current user and service attributes, collecting the conditions of the current user service and performing access control according to the access control strategy.
The policy management layer includes:
The policy library is used for storing access control policies, which are formulated from the registered service information, the registered user information and the network atomic capability library;
The network atomic capability library is used for storing the atomic capability required by the network service;
the network state information base is used for storing network state information;
the network service management module is used for receiving network service registration and generating registration service information;
The user management module is used for receiving user information registration and generating registered user information;
And the atomic capacity dynamic generation module is used for dynamically generating the atomic capacity according to the network state information base and the network atomic capacity registration request.
The control implementation layer includes:
The user and service information acquisition module is used for acquiring the current user and service attribute A and the condition of the current user service;
The attribute matching module is used for traversing the policy library in the policy management layer, matching an access control policy Px related to user A from the policy library according to the acquired current user and service attribute A and the condition of the user service, obtaining the pre-authorized atomic capability AbilityX in Px, binding AbilityX to Px to obtain <AbilityX, Px>, and finally obtaining the set M of all <AbilityX, Px>;
The conflict detection module is used for traversing the pre-authorized atomic capabilities AbilityX in M, searching for an access control policy Py according to AbilityX, comparing the service priorities in Px and Py, and authorizing the atomic capability in Px if the priority in Px is higher.
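The matching of steps 1.1 and 1.2 and the conflict detection of step 3, as an added example that is not part of the patent. It assumes a policy holds the bound user and service attributes, the service priority and a tuple of atomic capabilities, and that each capability names the entity (device or port) it acts on, since the page defines a conflict as capabilities of different services corresponding to the same entity; all names and sample values are constructed.

```python
"""Attribute matching and priority-based conflict detection for the
low-code SDN access control scheme (added illustration, not the patent's code).
Assumed representation: Policy = {user, service, priority, abilities, conditions},
Ability = (name, entity); sample policies and names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ability:
    name: str     # atomic capability, e.g. "set_flow_rule" (constructed name)
    entity: str   # network device or port it operates on (same entity => conflict)


@dataclass
class Policy:
    pid: str
    user: dict        # user attributes bound to the policy (attribute set B)
    service: dict     # service attributes bound to the policy
    priority: int     # larger value = higher access priority
    abilities: tuple  # pre-authorized atomic capabilities
    conditions: dict  # e.g. {"shift": {"day"}}: request value must be in the set


def bound_contains(bound: dict, current: dict) -> bool:
    """Step 1.1 as the page states it: B (bound) must contain every
    attribute of A (current) with the same value."""
    return all(k in bound and bound[k] == v for k, v in current.items())


def conditions_hold(policy_conditions: dict, request: dict) -> bool:
    """Each condition in the policy must be met by the request's value."""
    return all(request.get(k) in allowed for k, allowed in policy_conditions.items())


def match_policies(policies, user_attrs, service_attrs, request):
    """Steps 1.1-1.2: traverse the whole policy set and return
    M = [<AbilityX, Px>, ...] for every policy that matches."""
    m = []
    for px in policies:
        if (bound_contains(px.user, user_attrs)
                and bound_contains(px.service, service_attrs)
                and conditions_hold(px.conditions, request)):
            m.extend((ability, px) for ability in px.abilities)
    return m


def resolve_conflicts(m, policies):
    """Step 3: for each <AbilityX, Px> in M, find every other policy Py whose
    capabilities touch the same entity; authorize AbilityX under Px only if
    Px's service priority is strictly higher than all of them (no competitor
    means no conflict, so the capability is authorized directly)."""
    authorized, deferred = [], []
    for ability, px in m:
        competitors = [py for py in policies if py.pid != px.pid
                       and any(a.entity == ability.entity for a in py.abilities)]
        if all(px.priority > py.priority for py in competitors):
            authorized.append((ability, px.pid))
        else:
            deferred.append((ability, px.pid))
    return authorized, deferred


# Constructed sample policies (not taken from the page).
POLICIES = [
    Policy("P1", {"role": "tenant_ops", "dept": "campus", "site": "hz"},
           {"type": "qos"}, 2,
           (Ability("set_flow_rule", "switch-01:port-3"),
            Ability("read_topology", "controller")),
           {"shift": {"day"}}),
    Policy("P2", {"role": "noc"}, {"type": "monitoring"}, 5,
           (Ability("mirror_port", "switch-01:port-3"),), {}),
    # Bound attributes lack "dept", so B does not contain all of A in demo().
    Policy("P3", {"role": "tenant_ops"}, {"type": "qos"}, 9,
           (Ability("set_flow_rule", "switch-02:port-1"),), {}),
]


def demo():
    """Run one request through matching and conflict resolution."""
    user_a = {"role": "tenant_ops", "dept": "campus"}
    service_a = {"type": "qos"}
    request = {"shift": "day"}
    m = match_policies(POLICIES, user_a, service_a, request)
    return resolve_conflicts(m, POLICIES)


if __name__ == "__main__":
    auth, deferred = demo()
    print("authorized:", auth)
    print("deferred (a conflicting service has higher priority):", deferred)
```

In the sample, P1's flow-rule capability on switch-01:port-3 is deferred because the monitoring service P2 holds a higher-priority capability on the same port, while its topology read has no competitor and is authorized.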
A computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the low code SDN access control method.
The invention has the following beneficial effects and advantages:
1. The invention can effectively reduce the manual labor of atomic capability orchestration, improve atomic capability management efficiency and reduce the possibility of mistakes in atomic capability orchestration.
2. The invention performs attribute-based access control on atomic capabilities, can adapt to complex and changeable network users and services, and can authorize atomic capabilities flexibly.
3. The invention improves the efficiency of network management and raises the level of network intelligence.
Drawings
Fig. 1 is a diagram of an SDN architecture for illustrating the background of the invention.
Fig. 2 is a diagram of a low-code SDN architecture for illustrating the background of the invention.
Fig. 3 is a main flow chart of a low code SDN access control method.
Fig. 4 is a schematic diagram of a low-code SDN access control system provided by the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples.
The low-code SDN access control method provided by the invention comprises the following steps:
acquiring current user and service attributes, acquiring conditions of the current user service, matching an access control strategy according to the user and service attributes and the conditions, and checking atomic capacity expressed in the access control strategy when the matching is successful, so as to finally form a preauthorized atomic capacity set;
judging whether the preauthorized atomic capacity set can meet the network service requirement, if so, judging whether the authorized atomic capacity between the user services has conflict, and if so, determining whether to activate the atomic capacity according to the priority of the user services; if not, atomic capabilities are registered according to the network state information.
The user attribute is prescribed in advance by the system, and the attribute value is provided by the user when the user registers; the service attribute is prescribed in advance by the system, and the attribute value is provided by a system administrator during service registration.
The access control policy is registered by a system administrator in the following format:
{ user, < business, priority >, atomic capability, rights, conditions };
the user is represented by attribute information provided at the time of user registration;
the service is represented by attribute information provided at the time of service registration;
The priority is negotiated and formulated by a system administrator and a user around network service;
the access control strategy is bound with the user and the service attribute;
the atomic capability specifically means that the network function is split into the smallest and most basic programmable units, so that network functions can be flexibly combined and applied to network services, network configuration and management become more flexible and customizable, and a user combines these smallest programmable units according to the network service to form a network application;
The rights comprise available, readable and modifiable. Available means that the user can use the authorized atomic capability for network service orchestration and can read it but not modify it; readable means that the user can view the atomic capability but can neither use nor modify it; modifiable means that the user can modify the atomic capability but cannot directly use the modified atomic capability, which must be submitted to a system administrator for verification and can only be used after verification passes. For a newly registered user, the right to the atomic capabilities specified in the access control policy is readable by default;
The conditions are whether the address (including IP and MAC address), time information and the like of the service request submitted by the user meet the regulations;
the matching specifically means that the current user and service attribute A is compared with the user and service attribute B bound to the access control policy; if B contains all of A and the condition of the user service meets the condition in the policy, the match succeeds and the pre-authorized atomic capability can be read, finally forming the pre-authorized atomic capability set.
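The condition check (IP, MAC, time) and the rights semantics just described, as an added example that is not part of the patent. The condition keys (allowed_nets, allowed_macs, hours), the request fields and the administrator "verified" flag are assumptions chosen for this example, and the sample policy is constructed.

```python
"""Evaluating the 'conditions' and 'rights' fields of an access control policy
{user, <service, priority>, atomic capability, rights, conditions}.
Added illustration, not the patent's code; condition keys, request fields and
the 'verified' flag are assumptions made for this example."""
import ipaddress
import re
from datetime import datetime, time

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Accept AA-BB-... or aa:bb:... and return lower-case colon form; reject junk."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return m


def in_hours(t: time, window) -> bool:
    """True if t is inside [start, end); a window may wrap past midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end          # e.g. (22:00, 06:00)


def conditions_met(conditions: dict, request: dict) -> bool:
    """Every condition present in the policy must hold for the request:
    source IP inside an allowed network, MAC on the allow-list, time in window."""
    if "allowed_nets" in conditions:
        ip = ipaddress.ip_address(request["ip"])
        if not any(ip in ipaddress.ip_network(n) for n in conditions["allowed_nets"]):
            return False
    if "allowed_macs" in conditions:
        allowed = {normalize_mac(m) for m in conditions["allowed_macs"]}
        if normalize_mac(request["mac"]) not in allowed:
            return False
    if "hours" in conditions and not in_hours(request["time"].time(), conditions["hours"]):
        return False
    return True


# Rights as the page defines them: available = use and read, not modify;
# readable = view only; modifiable = modify, but using the modified capability
# requires administrator verification first.
RIGHTS_ACTIONS = {
    "available": {"use", "read"},
    "readable": {"read"},
    "modifiable": {"read", "modify"},
}
DEFAULT_RIGHTS = "readable"   # a newly registered user gets readable by default


def decide(policy: dict, request: dict, action: str, *,
           new_user: bool = False, verified: bool = False) -> str:
    """Return 'allow' or a 'deny: ...' reason for one action on the capability."""
    if not conditions_met(policy["conditions"], request):
        return "deny: conditions not satisfied"
    rights = DEFAULT_RIGHTS if new_user else policy["rights"]
    if action == "use" and rights == "modifiable":
        return "allow" if verified else "deny: modified capability awaits verification"
    if action not in RIGHTS_ACTIONS[rights]:
        return f"deny: rights '{rights}' do not permit '{action}'"
    return "allow"


# Constructed sample policy (not taken from the page).
POLICY = {
    "user": {"role": "tenant_ops"},
    "service": ("qos_tuning", 3),
    "ability": "set_flow_rule",
    "rights": "available",
    "conditions": {
        "allowed_nets": ["10.20.0.0/16"],
        "allowed_macs": ["AA:BB:CC:00:11:22"],
        "hours": (time(22, 0), time(6, 0)),   # maintenance window wraps midnight
    },
}


def demo() -> dict:
    """Decisions for a set of constructed requests against POLICY."""
    ok = {"ip": "10.20.5.7", "mac": "aa-bb-cc-00-11-22",
          "time": datetime(2024, 1, 15, 23, 30)}
    wrong_net = dict(ok, ip="192.168.1.9")
    daytime = dict(ok, time=datetime(2024, 1, 15, 13, 0))
    modifiable = dict(POLICY, rights="modifiable")
    return {
        "use_in_window": decide(POLICY, ok, "use"),
        "use_wrong_net": decide(POLICY, wrong_net, "use"),
        "use_daytime": decide(POLICY, daytime, "use"),
        "modify": decide(POLICY, ok, "modify"),
        "new_user_use": decide(POLICY, ok, "use", new_user=True),
        "modified_unverified": decide(modifiable, ok, "use"),
        "modified_verified": decide(modifiable, ok, "use", verified=True),
    }
```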
Whether the pre-authorized atomic capability set can meet the network application requirement is judged by the user; since the application fields of the SDN architecture differ, the specific judging method of the user differs as well.
Whether the authorized atomic capabilities of the user services conflict is judged by the access control system; since the application fields of the SDN architecture differ, the specific judging method of the access control system differs as well.
The conflict specifically means that the atomic capacity used by the user service corresponds to the same entity at the same time, including network equipment and network ports, but not limited to the above entity;
and determining whether to activate the atomic capacity according to the priority of the user service, specifically, if the priority of the user service is higher, the atomic capacity is authorized preferentially.
The network state information comprises a connection mode between network devices, device types, topology description, device configuration information, setting protocols and standard support, and the network devices comprise non-virtual network devices and virtual network devices;
the system administrator decides whether to send out an atomic capacity registration request, automatically generates atomic capacity according to the atomic capacity registration request, and puts the atomic capacity into an atomic capacity library;
the automatic generation of atomic capacity is completed by an atomic capacity dynamic generation method based on a large language model.
The process involved in automatically generating atomic capabilities is as follows:
1) A system administrator establishes network state information and puts the network state information into a knowledge graph, wherein the knowledge graph specifically comprises a connection mode between network devices, device types, topology description, device configuration information, a setting protocol and standard support;
2) A system administrator provides an atomic capability automation deployment specification;
3) Combining the automated deployment specification with the connection mode between network devices, the topology description and the device configuration information provided by the knowledge graph, a large language model analyses the network state through prompt engineering and determines the available devices and ports;
4) Based on the analysis result and on the security policy, performance requirements, fault and recovery policy, network service requirements and monitoring requirements of the network, the large language model automatically generates atomic capabilities through prompt engineering according to the device types, device configuration information, setting protocols and standards.
In the step 3), the large language model performs intelligent analysis on the network state, specifically:
1) Converting the automated deployment specification into a format the large language model can recognise, and prompting the model that the input information is to be used for analysing all available devices and ports in the network;
2) Inputting the connection mode between network devices, the topology description and the device configuration information from the knowledge graph into the large language model;
3) Converting the information in the knowledge graph into a format the large language model can recognise, and prompting the model that the input information is to be used for analysing all available devices and ports in the network;
4) Prompting the model with the output format of the analysis result, which comprises all available devices and ports in the network.
In step 4), the large language model automatically generates atomic capabilities through prompt engineering according to the device types, device configuration information, setting protocols and standards, and the method comprises the following steps:
1) The analysis result of step 3), which comprises all available devices and ports in the network, is given to the large language model with a prompt that it is to be used for atomic capability generation;
2) The information in the knowledge graph is converted into a format the large language model can recognise and input with a prompt that it is to be used for atomic capability generation;
3) The network security policy, performance requirements, fault and recovery policy, network service requirements and monitoring requirements are converted into a format the large language model can recognise and input with a prompt that they are to be used for atomic capability generation;
4) The large language model is prompted to finally select the available devices and ports according to 1), 2) and 3), automatically generate the instructions or APIs that control the devices, and package them into atomic capabilities that a user can call directly.
The invention provides a low-code SDN access control system, which comprises: policy management layer, control implementation layer.
The policy management layer specifically comprises: the system comprises a policy library, a network atomic capability library, a network state information library, a network service management module, a user management module and an atomic capability dynamic generation module.
The policy repository includes:
An access control strategy in the strategy library is formulated by an administrator according to registration service information, registration user information and a network atom capability library;
the registration service information is registered by a network service management module, wherein the network service comprises all network services in the SDN architecture application field;
the registered user information is registered by the user management module, and the user information comprises a user name, a user ID, a user role, a user network address, a user age and the like, but is not limited to the information;
The network atomic capability library comprises the atomic capabilities required by network services, and different atomic capabilities can be combined into new atomic capabilities (composite atomic capabilities). The atomic capability dynamic generation module automatically generates atomic capabilities according to the network state information library and the network atomic capability registration request; the network atomic capability registration request is submitted by a system administrator according to the registered service information and processed by the atomic capability dynamic generation module, which is based on a large language model atomic capability dynamic generation method and assists the human administrator in dynamically orchestrating atomic capabilities.
The control implementation layer specifically comprises: the system comprises a user and service information acquisition module, an attribute matching module and a conflict detection module.
And the user and service information acquisition module acquires the current user and service attribute A and acquires the condition of the current user service.
The attribute matching module traverses the policy library in the policy management layer, matches an access control policy Px related to user A from the policy library according to the acquired current user and service attribute A and the condition of the user service, obtains the pre-authorized atomic capability AbilityX in Px, binds AbilityX to Px to obtain <AbilityX, Px>, and finally obtains the set M of all <AbilityX, Px>.
The conflict detection module traverses the pre-authorized atomic capabilities AbilityX in M, searches for an access control policy Py according to AbilityX, compares the service priorities in Px and Py, and authorizes the atomic capability in Px if the priority in Px is higher.
Example 1
The main flow chart of the low-code SDN access control method provided by the invention is shown in fig. 3, and the low-code SDN access control method comprises the following steps:
Step S1: acquiring current user and service attributes, acquiring conditions of current user service, and matching access control strategies according to the user and service attributes and the conditions of the user service; the user attribute is prescribed in advance by the system, and the attribute value is provided by the user when the user registers; the service attribute is prescribed in advance by the system, and the attribute value is provided by a system administrator during service registration.
Step S2: if the matching is successful, checking the atomic capacity expressed in the access control strategy, and finally forming a preauthorized atomic capacity set; the access control strategy is registered by a system administrator, and the format of the access control strategy is { user, < service, priority >, atomic capacity, authority, condition };
the user is represented by attribute information provided at the time of user registration;
the service is represented by attribute information provided at the time of service registration;
The priority is negotiated and formulated by a system administrator and a user around network service;
the access control strategy is bound with the user and the service attribute;
the atomic capability specifically refers to splitting the network function into the smallest and most basic programmable units, so that the network function can be flexibly combined and applied to network services, and the configuration and management of the network are more flexible and customizable;
The rights comprise available, readable and modifiable. Available means that the user can use the authorized atomic capability for network service orchestration and can read it but not modify it; readable means that the user can view the atomic capability but can neither use nor modify it; modifiable means that the user can modify the atomic capability but cannot directly use the modified atomic capability, which must be submitted to a system administrator for verification and can only be used after verification passes. For a newly registered user, the right to the atomic capabilities specified in the access control policy is readable by default;
The conditions include whether the address (including IP and MAC address), time information and the like of the service request submitted by the user meet the regulations;
the matching specifically means that the current user and service attribute A is compared with the user and service attribute B bound to the access control policy; if B contains all of A and the condition of the user service meets the condition in the policy, the match succeeds and the pre-authorized atomic capability can be read, finally forming the pre-authorized atomic capability set.
Step S3: Whether the pre-authorized atomic capability set can meet the network service requirement is judged by the user; since the application fields of the SDN architecture differ, the specific judging method of the user differs as well.
Step S4: When the pre-authorized atomic capability set can meet the network service requirement, judging whether the authorized atomic capabilities of the user services conflict; this is judged by the access control system, and since the application fields of the SDN architecture differ, the specific judging method of the access control system differs as well. A conflict specifically means that the atomic capabilities used by the user services correspond to the same entity at the same time, including, but not limited to, network devices and network ports.
Step S5: When the authorized atomic capabilities of the user services conflict, determining whether to activate the atomic capability according to the priority of the user services: specifically, the atomic capability of the user service with the higher priority is authorized preferentially.
Step S6: when there is no conflict in authorized atomic capabilities between user services, atomic capabilities are activated.
Step S7: registering the atomic capacity according to the network state information when the preauthorized atomic capacity set cannot meet the network service requirement; the network state information comprises a connection mode between network devices, device types, topology description, device configuration information, setting protocols and standard support, and the network devices comprise non-virtual network devices and virtual network devices; the system administrator decides whether to send out an atomic capacity registration request, automatically generates atomic capacity according to the atomic capacity registration request, and puts the atomic capacity into an atomic capacity library; the automatic generation of atomic capacity is completed by an atomic capacity dynamic generation method based on a large language model.
Example two
The architecture of the low-code SDN access control system provided by the invention is shown in fig. 4; the system comprises a policy management layer and a control implementation layer.
The policy management layer specifically comprises a policy library, a network atomic capability library, a network state information library, a network service management module, a user management module and an atomic capability dynamic generation module.
The policy library comprises access control policies; an access control policy is formulated by the administrator according to the registered service information, the registered user information and the network atomic capability library.
The registered service information is registered through the network service management module; the network services comprise all network services in the SDN architecture application field.
The registered user information is registered through the user management module; the user information comprises the user name, user ID, user role, user network address, user age and the like.
The network atomic capability library comprises the atomic capabilities required by network services; different atomic capabilities can be combined into new (composite) atomic capabilities. The atomic capability dynamic generation module automatically generates network atomic capabilities according to the network state information library; the network atomic capability registration requests are submitted by the system administrator according to the registered service information and processed by the atomic capability dynamic generation module, which assists the human administrator in dynamically orchestrating atomic capabilities using the atomic capability dynamic generation method based on a large language model.
The control implementation layer specifically comprises a user and service information acquisition module, an attribute matching module and a conflict detection module.
The user and service information acquisition module acquires the current user and service attribute A and the condition of the current user service.
The attribute matching module traverses the policy library in the policy management layer, matches the access control policy Px relevant to the user A from the policy library according to the acquired current user and service attribute A and the condition of the user service, obtains the pre-authorized atomic capability AbilityX in Px, binds AbilityX with Px to obtain <AbilityX, Px>, and finally obtains the set M of all <AbilityX, Px>.
The conflict detection module traverses the pre-authorized atomic capabilities AbilityX in M, searches for the access control policy Py according to AbilityX, compares the service priorities in Px and Py, and authorizes the atomic capability in Px if the priority of Px is higher.
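A worked example of steps S2 to S6 above and of the attribute matching and conflict detection modules of Example two, written here as an added illustration and not taken from the patent. The Policy field names, the attribute strings, the IP-prefix and hour-window conditions, the sample policies and requests, and the reading that only "available" rights can be activated for orchestration are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """Policy {user, <service, priority>, atomic capability, rights, conditions}; field names are assumed."""
    name: str
    attrs: frozenset   # user-and-service attribute set B bound to the policy
    priority: int      # access priority of the service; higher wins a conflict
    capability: str    # pre-authorized atomic capability
    entity: str        # device or port the capability acts on, used for conflict detection
    rights: str        # "available", "readable" or "modifiable"
    ip_prefix: str     # condition: the requesting address must lie in this prefix
    hours: tuple       # condition: (start, end) hour window, end exclusive

def conditions_met(policy, ctx):
    start, end = policy.hours
    return ctx["ip"].startswith(policy.ip_prefix) and start <= ctx["hour"] < end

def match_policies(policies, attrs_a, ctx):
    """Step S2: a policy matches when B contains all of A and the request meets the policy's conditions."""
    return [p for p in policies if attrs_a <= p.attrs and conditions_met(p, ctx)]

def preauthorized_set(policies, requests):
    """Build M = [<AbilityX, Px>, ...] over all concurrent user service requests."""
    return [(p.capability, p)
            for attrs_a, ctx in requests
            for p in match_policies(policies, attrs_a, ctx)]

def missing_capabilities(m, required):
    """Step S3: needed capabilities that no matched policy grants; a non-empty result leads to step S7."""
    return set(required) - {cap for cap, _ in m}

def resolve_conflicts(m):
    """Steps S4-S6: entries of M on the same entity conflict; only 'available' rights may be activated, highest priority wins."""
    winner = {}
    for cap, p in m:
        if p.rights != "available":
            continue
        current = winner.get(p.entity)
        if current is None or p.priority > current[1].priority:
            winner[p.entity] = (cap, p)
    return {entity: (cap, p.name) for entity, (cap, p) in winner.items()}

# Constructed sample policies and requests (not from the patent); all requests are taken as concurrent.
POLICIES = [
    Policy("P1", frozenset({"role:netops", "svc:qos"}), 3, "set_queue_policy", "switch1/port2", "available", "10.0.", (8, 18)),
    Policy("P2", frozenset({"role:tenant", "svc:vlan"}), 1, "bind_vlan", "switch1/port2", "available", "10.0.", (0, 24)),
    Policy("P3", frozenset({"role:tenant", "svc:vlan", "svc:monitor"}), 2, "read_flow_stats", "switch1", "readable", "10.0.", (0, 24)),
]
REQUESTS = [
    (frozenset({"role:netops", "svc:qos"}), {"ip": "10.0.1.5", "hour": 9}),
    (frozenset({"role:tenant", "svc:vlan"}), {"ip": "10.0.2.7", "hour": 9}),
    (frozenset({"role:tenant", "svc:vlan"}), {"ip": "192.168.1.1", "hour": 9}),  # fails the IP condition
]
```

With these inputs the third request is rejected by the address condition, the two capabilities bound to switch1/port2 conflict and the higher-priority policy P1 is the one activated, while the readable capability from P3 stays in M but is never activated.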
It should be understood that, although the steps in the flowcharts of the embodiments of the present invention are shown in the order indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the order of execution of the steps is not strictly limited, and the steps may be executed in other orders. Moreover, at least some of the steps in the various embodiments may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and these sub-steps or stages need not be performed in sequence but may be performed alternately with at least a portion of the sub-steps or stages of other steps.
The technical features of the above-described embodiments may be combined arbitrarily; for brevity, not all possible combinations of the technical features in the above-described embodiments are described, but as long as there is no contradiction in a combination of technical features, it should be considered within the scope of this description.
The foregoing examples illustrate only a few embodiments of the invention and are described in detail herein without thereby limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, and alternatives falling within the spirit and principles of the invention.

Claims (10)

1. A low-code SDN access control method, comprising the steps of:
1) Acquiring the current user and service attributes, acquiring the conditions of the current user service, and constructing a pre-authorized atomic capability set according to the access control policies matched by the user and service attributes and the conditions;
2) Judging whether the pre-authorized atomic capability set can meet the network service requirement; if not, registering the atomic capability according to the network state information, otherwise executing step 3);
3) Judging whether the authorized atomic capabilities of the user services conflict; if so, determining whether to activate the atomic capability according to the priority of the user services, otherwise authorizing the atomic capability.
2. The low-code SDN access control method of claim 1, wherein step 1) includes the steps of:
1.1) Comparing the current user and service attribute A with the user and service attribute B bound to the access control policy; if B contains all of A and the condition of the user service satisfies the condition in the access control policy, the match succeeds and the pre-authorized atomic capability in the access control policy is read; if the match fails, continuing to traverse the access control policy set;
1.2) Traversing all user and service attributes to finally form the pre-authorized atomic capability set.
3. The low-code SDN access control method of claim 2, characterized in that the access control policy has the format { user, <service, priority>, atomic capability, rights, conditions }, wherein: the user represents the attribute information provided when the user registers;
the service represents the attribute information provided when the service registers;
the priority represents the access priority corresponding to each service, negotiated and formulated by the system administrator and the user around the network service;
the atomic capability represents the minimal and most basic programmable units into which a network function is split;
the rights represent the rights of the user to use, read and modify atomic capabilities;
the condition indicates whether the condition of the user in the access control process meets the specification.
4. The low-code SDN access control method of claim 1, wherein in step 2), registering the atomic capability according to the network state information specifically comprises:
the system administrator issues an atomic capability registration request, the atomic capability is automatically generated according to the registration request, and the atomic capability is placed in the atomic capability set.
5. The low-code SDN access control method of claim 4, wherein automatically generating the atomic capability according to the atomic capability registration request specifically comprises:
(1) the system administrator establishes a network state information knowledge graph comprising the connection mode between network devices, device types, topology description, device configuration information, and configured protocols and supported standards;
(2) acquiring the existing automated deployment specification of atomic capabilities;
(3) combining the automated deployment specification with the connection mode between network devices, topology description and device configuration information in the network state information knowledge graph, the large language model intelligently analyzes the network state through the prompt engineering technology to obtain the available devices and ports;
(4) based on the intelligent analysis result, and according to the network security policy, performance requirement, fault and recovery policy, network service requirement and monitoring requirement provided by the system administrator, the large language model automatically generates atomic capabilities through the prompt engineering technology according to the device types, device configuration information, and configured protocols and standards in the network state information knowledge graph.
6. The low-code SDN access control method of claim 1, wherein step 3) specifically comprises:
when the atomic capabilities used by the user services simultaneously correspond to the same entity, the authorized atomic capabilities of the user services conflict, and the atomic capability whose priority in the access control policy is higher is authorized preferentially.
7. A low-code SDN access control system comprising:
a policy management layer, used for generating and storing access control policies;
and a control implementation layer, used for acquiring the current user and service attributes, acquiring the conditions of the current user service, and performing access control according to the access control policies.
8. The low-code SDN access control system of claim 7, wherein the policy management layer comprises:
a policy library, used for storing the access control policies, which include the registered service information, the registered user information and the network atomic capability library;
a network atomic capability library, used for storing the atomic capabilities required by network services;
a network state information library, used for storing network state information;
a network service management module, used for receiving network service registration and generating the registered service information;
a user management module, used for receiving user information registration and generating the registered user information;
and an atomic capability dynamic generation module, used for dynamically generating atomic capabilities according to the network state information library and the network atomic capability registration request.
9. The low-code SDN access control system of claim 7, wherein the control implementation layer comprises:
a user and service information acquisition module, used for acquiring the current user and service attribute A and the condition of the current user service;
an attribute matching module, used for traversing the policy library in the policy management layer, matching the access control policy Px relevant to the user A from the policy library according to the acquired current user and service attribute A and the condition of the user service, obtaining the pre-authorized atomic capability AbilityX in Px, binding AbilityX with Px to obtain <AbilityX, Px>, and finally obtaining the set M of all <AbilityX, Px>;
and a conflict detection module, used for traversing the pre-authorized atomic capabilities AbilityX in M, searching for the access control policy Py according to AbilityX, comparing the service priorities in Px and Py, and authorizing the atomic capability in Px if the priority of Px is higher.
10. A computer-readable storage medium, characterized in that the storage medium stores a computer program which, when executed by a processor, implements the low-code SDN access control method of any one of claims 1-6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410080054.7A CN117938485A (en) 2024-01-19 2024-01-19 Low-code SDN access control method and system


Publications (1)

Publication Number Publication Date
CN117938485A true CN117938485A (en) 2024-04-26



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination