Summary of the invention
The technical problem addressed by the present invention is to overcome the deficiencies of the prior art by providing a system and method that perform authentication by means of association queries, so that authentication becomes more efficient and the association relationships between objects can be adjusted easily. Throughout this document "authentication" means verifying which permissions a given user holds on a managed object, that is, an authorization check.
The technical solution adopted to solve this problem is a system that performs authentication by means of association queries. The system includes a query manager that receives query requests and a database system that stores the data of the managed objects, and further comprises: an authentication server, which accepts authentication request information from a client and forwards it to the query manager; the query manager, which parses the authentication request information, generates a query statement and queries the database system; an object manager, which stores an association relationship graph of the managed objects generated from the association configuration information between them, the graph containing at least one root object and non-root objects; a graph iterator, which stores predetermined algorithms for solving paths in the association graph held by the object manager, the object manager returning the optimal solved result to the query manager; and the database system, which stores the authentication configuration information associated with the root objects and returns the queried, authenticated information to the query manager.
In the system of the present invention, the association graph contains two or more nodes, each consisting of node data and edge data: the node data stores the information of a managed object, the edge data stores the association information between objects, and the nodes of the graph can be added, deleted or modified.
In the system of the present invention, the authentication configuration information associated with a root object is kept in a permission configuration table and comprises the users associated with that root object, their permission configuration information, and the correlation between them.
In the system of the present invention, the object manager holds an auxiliary permission configuration table that configures the association of non-root objects with root objects; every non-root object is associated with at least one root object.
The present invention also provides a method of performing authentication by means of association queries, comprising: (a) dividing the managed objects into root objects and non-root objects, where each root object has corresponding permission configuration information, building an association graph from the association relationships between the managed objects, and storing this graph in the object manager; (b) the authentication server receiving authentication request information from a client and forwarding it to the query manager; (c) the object manager, based on the managed object named in the authentication request information, deriving the authentication configuration information of the root object associated with that managed object and returning it to the query manager; (d) the query manager generating an association query statement from the authentication request information received from the authentication server and the authentication configuration information replied by the object manager, and passing it to the database system; (e) the database system executing the association query statement and returning the query result to the query manager.
In the method of the present invention, step (c) further comprises: (c1) if the managed object is a root object, returning the authentication configuration information of that root object directly.
In the method of the present invention, step (c) further comprises: (c2) if the managed object is a non-root object, finding in the association graph the root object associated with that managed object and returning the authentication configuration information of that associated root object.
In the method of the present invention, step (c2) further comprises:
calling an algorithm of the graph iterator to solve the path between the managed object requesting authentication and the root object; if more than one root object corresponds to that managed object, solving a path to each of these root objects separately;
the object manager merging the several paths into a final path according to a predetermined rule;
the object manager sending the final path to the query manager.
In the method of the present invention, the final path is either the "shortest optimal" path among the several paths, or a path generated by merging several paths, where multi-path merging comprises applying "and", "or" or "not" operations, or a combination of "and", "or" and "not", to the several paths.
In the method of the present invention, the relationships between the managed objects may also be stored in an association mapping table; in step (c) the association path from a non-root object to a root object is then obtained by looking up this mapping table, and the authentication configuration information of the root object corresponding to the non-root object is obtained from it.
Implementing the system and method of the present invention has the following beneficial effects. An object association graph is built from the association relationships between the managed objects of a network management system, which reduces the authentication of objects with complex association relationships to solving a graph. The managed objects of a telecommunication network management system can be described intuitively, and the association relationships between managed objects can be managed by intuitively adding, deleting or modifying the data structure of the graph. The graph iterator is an independent entity, so different algorithms can easily be substituted to meet different requirements.
The managed objects are divided into root objects and non-root objects, so a user can control a large number of downstream non-root objects by controlling the permissions of a small number of root objects, which reduces the work of assigning permissions and makes permission assignment more efficient.
Only the permission configuration information of the root objects needs to be stored, which greatly reduces the volume of data, makes authentication more efficient and improves its response speed.
Embodiment
In order to make the purposes, technical solutions and advantages of the present invention clearer, the present invention is described in more detail below with reference to embodiments and the accompanying drawings:
Fig. 1 is a structural schematic of the system of the present invention for performing authentication by means of association queries. The system comprises an authentication server, a query manager, a database system, an object manager and a graph iterator.
The authentication server is a background service program that concentrates on the authentication business logic. It accepts authentication request information from the client (the requesting party), can perform operations such as login access control and the stacking of operation permissions, and can also perform load balancing when many clients issue a large number of requests. The authentication request information from the client contains the object name, the current user name, the request time, the request type and any other information that authentication needs (that is, the information relevant to permission control). The authentication server forwards this authentication request information to the query manager.
The query manager receives the authentication request from the authentication server and translates its authentication request information into the corresponding multi-level association query requests (the parsing of the authentication request), obtaining the query conditions and the objects to be queried; it generates different query statements for different objects and submits them to the database system. The query manager adapts to different database systems and hides their differences, so that upper-layer callers (such as the authentication server) need not know the details of the database system (its type, how the managed objects are stored, and so on). The query manager also encapsulates the result set in the protocol required by each caller, since different clients (requesting parties) expect different result sets: a client authenticating through a web browser (IE) needs a result set encapsulated in the HTTP protocol; a telecommunication network management client needs a result set encoded in Abstract Syntax Notation One (ASN.1); other specific devices need a result set encapsulated in their own proprietary protocol; and so on.
The object manager stores and manages the various relationship configurations of the managed objects in the form of the association graph; it manages the object relationship strategies (for example which query strategy is used for which business model) and manages and schedules the graph iterator. It stores the association graph of the managed objects generated from the association configuration information between them. This association configuration information in the object manager can be written by hand or generated with a visualization tool.
The graph iterator can be an independent service or process, or a function library. It stores several algorithms that solve paths in the association graph held by the object manager and returns the results to the object manager. In the present invention the graph iterator is isolated behind a set of interfaces, so custom algorithm packages can be written conveniently, professional algorithm packages can be used, or further algorithms can be added over time, which improves flexibility and extensibility.
The database system stores the data tables of all managed objects, the permission configuration table, the user table and similar data. It receives queries from the query manager and returns the query results to it.
The servers named above are not necessarily independent computers in hardware; they may also be independent service processes. Different service processes may run on different computers or together on the same computer; for example, when the data volume is very large and there are very many managed objects, each service process can run on its own computer.
Fig. 2 is a schematic of authentication using the object association graph of the present invention. The embodiment is a network management system whose object association graph has the structure shown in Fig. 2; the simple graph of Fig. 2 can also be regarded as a subgraph of the object relationship graph of the whole network management system. The graph contains several object nodes (root object 1, non-root object 11 and so on). The node data of the graph stores the object information actually needed; the edge data stores the association information between objects and other related information (such as traversal control information). Association relationships between object nodes are represented as connecting lines. To add an object (for example a new non-root object), only a node data entry has to be created, the association information inserted into the edge information of that node, and the edge information of the adjacent nodes updated; no other node is affected. Nodes are deleted or modified in the same way.
In the present invention the managed objects of the network management system are divided into "root objects" and "non-root objects" according to a rule. For example, managed objects with an obvious regional characteristic (such as DN set 0755 representing city A, or office direction 10 representing district B of city A) that sit at a relatively high layer of the association relationships (the data of other managed objects partially indexes or references them) are taken as root objects. Because regionally distinct managed objects match the user's district-based management structure when permissions are delineated, the permissions can be matched well to the roles of the user management model when they are set: the administrators of district B manage only the routes of district B, and all equipment related to the routes of district B likewise falls under their management. Root objects and non-root objects can of course also be distinguished by other characteristics (such as the volume of associated data).
A permission configuration table is provided in the database system. It stores the users and permission configuration information associated with each root object as triples of the form (root object, user, user permission); it does not store permission configuration information for non-root objects. The permission configuration data is used only during authentication, so the data in the permission configuration table can be managed and maintained separately. In the present invention, root objects are authenticated directly through the permission configuration table, whereas non-root objects can only be authenticated implicitly: through the association relationships between the non-root object and one or more root objects, the request is passed up to the corresponding root object, and the non-root object is authenticated with the permission configuration information of that root object. For example, non-root object 23 in Fig. 2 is associated with root object 1 through "authentication path 1", with root object 2 through "authentication path 2" and with a new root object through "newly added authentication path", and is authenticated through root object 1, root object 2 and the new root object respectively. By applying different authentication modes to different objects, the present invention reduces the volume of permission configuration information in the permission configuration table, which makes authentication more efficient and faster and also reduces the administrators' authorization workload.
In the association graph of Fig. 2, every managed object that needs permission control must, during authentication, point directly or indirectly to an auxiliary permission configuration table; otherwise there is no user and permission configuration information for it and it cannot be authenticated. In the present invention the association between a non-root object and a root object is transformed into solving the path between them; in the figure the thick lines with arrows represent the query paths between non-root objects and root objects, and the authentication path from a root object to the permission configuration table. The auxiliary permission configuration table is kept in the object manager. It configures how a non-root object is authenticated through root objects (which root objects it depends on, the association relationships between those root objects, and so on); every non-root object is associated with at least one root object. It does not record (root object, user, user permission) triples. Because the association between non-root objects and root objects is stable while the permission configuration of root objects changes constantly, the two are processed separately: the (root object, user, user permission) triples are kept in the permission configuration table of the database system mentioned above and are joined by an association query in real time at authentication.
In other embodiments, permission configuration information can be produced by automatic analysis of the data or information characteristics of the managed objects.
The present invention first builds the association graph structure of the objects from the association relationships between the managed objects (root objects and non-root objects); the association relationships may come from a configuration file, a configuration table, a configuration plan, or data produced by other special tools. Once the association graph structure of Fig. 2 has been built for both single-data and non-single-data objects, the managed objects can be authenticated. Fig. 3 is a flow chart of authenticating a user in one embodiment of the present invention, described in detail as follows:
Step 1: after the authentication server receives the authentication request message from the client, it forwards this message to the query manager. The message contains at least the name of the managed object requesting authentication (hereafter the "authentication object"), the name of the current user, the current request time and the authentication request type (together called the authentication request information).
Step 2: the query manager queries the object manager, using the authentication object name in the authentication request message, to determine whether this managed object is a root object.
Step 3: the object manager returns its query result to the query manager (the result includes an indication of whether the authentication object is a root object, and additional configuration information of the authentication object such as its object type, object priority and so on).
If the result returned in step 3 indicates that the authentication object is a root object, the direct authentication flow is performed, authenticating directly from the permission configuration data:
Step 4: the query manager generates the query statement from the authentication request message of the authentication server combined with the user's permission information in the permission configuration data, and sends this query statement to the database system.
Step 5: the database system queries the information related to the authentication object according to the query conditions in the query statement, generates the query result and returns it to the query manager. For example, the query result can be the data of a managed object that the current user is permitted to access after permission filtering (the request may carry the permission information of the current requester): the network of the whole city A contains 100 routes, but user A may manage only the 3 routes a1, a2 and a3 that belong to district B; querying route information with the ID of the "super user" returns the information of all 100 routes, whereas querying with the ID of user A returns only the information of routes a1, a2 and a3.
Step 6: the query manager returns this query result (the information of the 100 routes, or of the three routes a1, a2 and a3, in the example of step 5) to the authentication server.
If the result returned in step 3 indicates that the authentication object is a non-root object, the implicit authentication flow is performed: the root object associated with this non-root object is found and authentication is carried out with the permission configuration data of that root object, in the following steps:
Step 7: the query manager queries the object manager for the root object corresponding to this managed object;
Step 8: the object manager determines whether several root objects correspond to it; a non-root object may be associated with several root objects. As shown in Fig. 2, non-root object 23 is associated with root object 1, root object 2 and the new root object along "authentication path 1", "authentication path 2" and "newly added authentication path" respectively. This step can be answered from configuration data, or by an algorithm of the graph iterator traversing the association graph together with user-defined identifiers.
Step 9: if several root objects correspond to the managed object requesting authentication, an algorithm of the graph iterator is called to solve the path between that managed object and a given root object.
Step 10: the object manager obtains, by the method of step 9, the path corresponding to each of these root objects.
Step 11: the object manager merges these several paths into a final path according to a predetermined rule. The final path can be the "shortest optimal" path among the several paths, or a path generated by multi-path merging, where multi-path merging means generating the path by "and", "or" or "not" operations, or by a combination of "and", "or" and "not".
Step 12: the object manager sends the merged path (the final path) to the query manager. The permission configuration information is contained in the logic of path generation and merging (for example whether there are several root objects, and which root objects are associated with the non-root object).
Step 13: the query manager generates a multi-level association query statement from this merged path (the final path), the authentication request information from the authentication server and the corresponding permission configuration information;
Step 14: the query manager sends this query statement to the database system;
Step 15: the database system queries the information related to the authentication object according to the query conditions in the query statement, generates the query result and returns it to the query manager. As in step 5, the result is the data the current user is permitted to access after permission filtering (for example the information of all 100 routes for the "super user", but only of routes a1, a2 and a3 for user A).
Step 16: the query manager returns this query result (the information of the 100 routes, or of the three routes a1, a2 and a3, in the example of step 15) to the authentication server.
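The flow of steps 1 to 16, together with the graph data structure of Fig. 2 and the (root object, user, user permission) table, as an added worked example that is not part of the patent: the association graph, the users, the permission triples, the route records and the SQL shape are all constructed assumptions, and an in-memory SQLite database stands in for the database system. It performs direct authentication for root objects and implicit authentication for non-root objects with the "shortest", "or" and "and" merge rules ("not" is omitted), and it denies a non-root object from which no root object can be reached.

```python
import sqlite3
from collections import deque

# Object manager: association graph as node -> {neighbour: edge data}; the edge
# data carries the traversal control flag described for Fig. 2.  Constructed sample:
# non-root "A_city_routes" reaches root "B_district" via "B_office" and root
# "C_district" directly, while "orphan" reaches no root object at all.
GRAPH = {
    "B_district":    {"B_office": {"traverse": True}},
    "B_office":      {"B_district": {"traverse": True}, "A_city_routes": {"traverse": True}},
    "C_district":    {"A_city_routes": {"traverse": True}},
    "A_city_routes": {"B_office": {"traverse": True}, "C_district": {"traverse": True}},
    "orphan":        {},
}
ROOT_OBJECTS = {"B_district", "C_district"}

def shortest_path(graph, start, goal):
    """Graph-iterator algorithm: breadth-first search over traversable edges."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt, edge in graph.get(node, {}).items():
            if edge["traverse"] and nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def root_paths(graph, obj):
    """Steps 8 to 10: one shortest path for every root object reachable from obj."""
    paths = {}
    for root in sorted(ROOT_OBJECTS):
        path = shortest_path(graph, obj, root)
        if path:
            paths[root] = path
    return paths

def final_roots(paths, merge):
    """Step 11: 'shortest' keeps one path; 'or'/'and' keep every root for the query."""
    if merge == "shortest":
        return [min(paths, key=lambda r: (len(paths[r]), r))]
    return sorted(paths)

def open_database():
    """Database system: (root object, user, permission) triples plus the route table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE permission(root_object TEXT, user_name TEXT, perm TEXT);"
        "CREATE TABLE route(route_id TEXT, root_object TEXT);"
    )
    conn.executemany("INSERT INTO permission VALUES (?, ?, ?)", [
        ("B_district", "user_a", "read"),
        ("B_district", "superuser", "read"),
        ("C_district", "superuser", "read"),
    ])
    conn.executemany("INSERT INTO route VALUES (?, ?)", [
        ("a1", "B_district"), ("a2", "B_district"), ("a3", "B_district"),
        ("c1", "C_district"), ("c2", "C_district"),
    ])
    return conn

def run_query(conn, roots, user, perm, merge):
    """Steps 13 to 15: parameterised association query over the final root objects."""
    marks = ", ".join("?" * len(roots))
    if merge == "and":
        # Permission required on every root object, otherwise nothing is returned.
        sql = (f"SELECT route_id FROM route WHERE root_object IN ({marks}) AND "
               f"(SELECT COUNT(DISTINCT root_object) FROM permission WHERE user_name = ? "
               f"AND perm = ? AND root_object IN ({marks})) = ? ORDER BY route_id")
        params = (*roots, user, perm, *roots, len(roots))
    else:
        # 'or' (also used for a single root): any root object the user holds the permission on.
        sql = (f"SELECT r.route_id FROM route r JOIN permission p ON p.root_object = r.root_object "
               f"WHERE p.user_name = ? AND p.perm = ? AND r.root_object IN ({marks}) "
               f"ORDER BY r.route_id")
        params = (user, perm, *roots)
    return [row[0] for row in conn.execute(sql, params)]

def authenticate(conn, graph, obj, user, perm, merge="or"):
    """Steps 2 to 16: (mode, root objects used, routes the user may manage)."""
    if obj in ROOT_OBJECTS:                       # step 3: direct authentication
        return "direct", [obj], run_query(conn, [obj], user, perm, "or")
    paths = root_paths(graph, obj)                 # steps 7 to 10
    if not paths:                                  # no root object reachable: deny
        return "denied", [], []
    roots = final_roots(paths, merge)              # step 11
    return "implicit", roots, run_query(conn, roots, user, perm, merge)

if __name__ == "__main__":
    db = open_database()
    print(authenticate(db, GRAPH, "A_city_routes", "user_a", "read"))
```

The merge rule is part of the authorization policy, not a performance detail: with "or" a user who holds the permission on any associated root object receives the non-root object's data under that root, with "and" nothing is returned unless the user holds it on every associated root object, and "shortest" reduces the decision to a single root object chosen by path length. Which rule the object manager applies for a given business model should therefore be chosen deliberately, and a non-root object with no reachable root object must be denied rather than treated as unrestricted.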
The above is only one embodiment of the present invention and is not intended to limit its scope of protection.
Steps 7 to 12 can also be implemented in other ways. For example, an independent tool solves the association relationships of the managed objects in advance and forms an association mapping table between the managed objects; the association path from a non-root object to a root object is then obtained by looking up this mapping table; and authentication is finally performed through the root object. This avoids the computational cost of solving association paths dynamically and speeds up authentication.
When solving the authentication path between a non-root object and a root object, weights, control flags and the like can be introduced into the association graph structure; the graph iterator then solves the association path according to these flags with different algorithms, so that the association path obtained is controlled by the requirements at hand. Business logic can thus easily be superimposed on the authentication process, and the control of authentication becomes more flexible and closer to the application.
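The two variants just described, replacing the path solving of steps 7 to 12 by a precomputed association mapping table, and steering the path solving with weights and control flags on the edges, as an added example that is not part of the patent: the graph, the edge weights, the flag name "audit_only" and the two solver functions are constructed assumptions, and the graph iterator is modelled as interchangeable solver functions that share one calling convention.

```python
import heapq
from collections import deque

# Association graph: node -> {neighbour: (weight, flags)}.  Constructed sample:
# non-root "N" reaches root "R1" either directly over an expensive edge tagged
# "audit_only" or cheaply via "M"; root "R2" is reachable only via "M".
GRAPH = {
    "N":  {"M": (1, set()), "R1": (10, {"audit_only"})},
    "M":  {"N": (1, set()), "R1": (1, set()), "R2": (5, set())},
    "R1": {"N": (10, {"audit_only"}), "M": (1, set())},
    "R2": {"M": (5, set())},
}
ROOTS = {"R1", "R2"}

def _unwind(prev, node):
    """Rebuild a path from the predecessor map written by a solver."""
    path = []
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]

def fewest_hops(graph, start, goal, skip=frozenset()):
    """Solver 1: breadth-first search; weights ignored, edges carrying a flag in skip not taken."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            return _unwind(prev, goal)
        for nxt, (_, flags) in graph[node].items():
            if nxt not in prev and not (flags & skip):
                prev[nxt] = node
                queue.append(nxt)
    return None

def cheapest(graph, start, goal, skip=frozenset()):
    """Solver 2: Dijkstra over edge weights, with the same flag handling."""
    dist, prev = {start: 0}, {start: None}
    heap = [(0, start)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == goal:
            return _unwind(prev, goal)
        if d > dist[node]:
            continue                      # stale heap entry
        for nxt, (weight, flags) in graph[node].items():
            if flags & skip:
                continue
            if d + weight < dist.get(nxt, float("inf")):
                dist[nxt] = d + weight
                prev[nxt] = node
                heapq.heappush(heap, (d + weight, nxt))
    return None

def build_mapping_table(graph, roots, solver, skip=frozenset()):
    """Offline tool: solve every non-root -> root path once with the chosen solver."""
    table = {}
    for obj in graph:
        if obj in roots:
            continue
        entry = {}
        for root in sorted(roots):
            path = solver(graph, obj, root, skip)
            if path:
                entry[root] = path
        table[obj] = entry
    return table

def lookup_roots(table, obj):
    """Authentication-time step: root objects of obj from the table, no path solving."""
    return sorted(table.get(obj, {}))

if __name__ == "__main__":
    print(fewest_hops(GRAPH, "N", "R1"), fewest_hops(GRAPH, "N", "R1", skip={"audit_only"}))
    print(cheapest(GRAPH, "N", "R1"))
    table = build_mapping_table(GRAPH, ROOTS, cheapest, skip={"audit_only"})
    print(lookup_roots(table, "N"), table["N"])
```

The flags are what let business logic be stacked on the authentication process: an edge tagged "audit_only" (an assumed flag) is a legitimate association for an audit query but is excluded from an ordinary permission decision by passing it in skip, and the same skip set handed to the offline table builder keeps the precomputed table consistent with what the online solver would return. The table must be rebuilt whenever the graph or its flags change, otherwise lookups authenticate against stale paths.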