JP2015022750A - Information processing system and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To flexibly control requests from clients by managing object information and authority for object processing in the same data structure.SOLUTION: An information processing device 1 manages the information of an object of which at least one of a parent and a child is determined. In a case where a prototype of an access token which is an object having an owner attribute agrees with an owner, a method transmission attached with the access token, is accepted.

Description

  The present invention relates to an information processing system and a program.

  The server that manages the object may process (create, acquire, change, delete, etc.) the object according to the authority of the client that is the processing request source. Here, since the object managed by the server may be created, changed, deleted, etc., if the authority is fixedly linked to the client independently of the object, It may be difficult to process objects flexibly.

JP 09-251425 A

  An object of the present invention is to provide an information processing system and program capable of managing object information and object processing authority with the same data structure and flexibly controlling requests from clients.

  The invention according to claim 1 is an information processing system that manages information on an object for which at least one of a parent and a child is defined, and an access token prototype that is an object having an owner attribute matches the owner. The information processing system includes a processing unit that accepts a method transmission to which an access token is attached.

  According to a second aspect of the present invention, when the prototype of the access token is included in a path in which the parent objects of the owner are sequentially connected, the processing unit transmits the method attached with the access token to the owner The information processing system according to claim 1, wherein the information processing system interprets and accepts the information as authorized by the system.

  The invention according to claim 3 is the information processing system according to claim 2, further comprising a notification unit that notifies the owner that the method transmission is accepted when the method transmission is received by the processing unit.

  According to a fourth aspect of the present invention, when the prototype of an access token, which is an object having an owner attribute, matches the owner in a computer that manages information on an object for which at least one of a parent and a child is defined, the access token Is a program for executing a step of accepting a method transmission to which is attached.

It is a functional block diagram of the information processor concerning this embodiment. It is a figure which shows an example of a tree structure. It is a figure which shows an example of a tree structure. It is a figure which shows an example of a tree structure. It is a figure which shows an example of a tree structure. It is a figure which shows an example of a tree structure. It is a figure which shows an example of the management table which manages data. It is a figure which shows an example of the management table which manages data. It is a figure which shows an example of the management table which manages data. It is a figure which shows an example of the management table which manages data. It is a figure which shows an example of the management table which manages data. It is a figure which shows an example of the management table which manages data. It is a figure which shows an example of the management table which manages data. It is a figure which shows an example of the management table which manages data. It is a figure which shows an example of a tree structure.

  Hereinafter, embodiments for carrying out the present invention (hereinafter referred to as embodiments) will be described with reference to the drawings.

[1. Description of functions provided in information processing apparatus]
FIG. 1 shows a functional block diagram of the information processing apparatus 1 according to the present embodiment. As illustrated in FIG. 1, the information processing apparatus 1 includes a tree structure data management unit 11, a request reception unit 12, an authority information acquisition unit 13, a verification unit 14, a request processing unit 15, and a processing data providing unit 16.

  The functions of the above-described units included in the information processing apparatus 1 are stored in a storage unit in a computer including a control unit such as a CPU (Central Processing Unit), a storage unit such as a semiconductor memory or a magnetic disk device, and a communication unit such as a network interface. It may be realized by the control means executing the program to be executed. Note that the program may be supplied to the information processing apparatus 1 in a state of being stored in an information storage medium, or may be supplied to the information processing apparatus 1 via a data communication unit such as the Internet. Hereinafter, details of each unit provided in the information processing apparatus 1 will be described.

  The tree structure data management unit 11 manages two or more objects constituting the tree structure. Here, the object has only one parent object (prototype) except for the root object that exists only in the system. The root object does not have its own prototype. When object A is a prototype of object B, object B is also said to be an artifact of object A. Prototype relationships between objects introduce a tree structure into the set of all objects. If the tree structure is not destroyed, it is possible to reshape the tree structure by reconnecting the prototype. An object managed by the tree structure data management unit 11 can have a value. In the context of REST (REpresentational State Transfer Architecture Style), objects are sometimes called resources and values are called representations. Some objects having values represent authority information called access tokens. An object can be simply a pure identity consisting only of an object identifier and prototype, representing data with a value of any content type, an access token that is a credential that certifies access, or the owner of the object It may be included that represents an entity such as a resource owner or an application (client) that accesses an object under the authorization of the resource owner. These objects are contained in one tree structure. Then, the tree structure data management unit 11 executes addition, update, information reading, deletion, and the like of the managed object in accordance with the command received from the client device 2. Hereinafter, an example of data managed by the tree structure data management unit 11 will be described.

  2 to 6 show display examples in which objects managed by the tree structure data management unit 11 are represented in a tree structure, and FIGS. 7 to 14 show management tables for managing data of each object constituting the tree structure. An example was given. Here, a data configuration example of an object managed by the tree structure data management unit 11 will be described with reference to FIG. 2 and FIG. 7 showing a data configuration example of a management table corresponding to FIG.

  FIG. 7 shows an example of a resource management table that holds the data of the tree structure data shown in FIG. 7A shows an validation management table, FIG. 7B shows an object management table, and FIG. 7C shows a data content management table.

  Here, as shown in FIG. 7A, the validation management table may be a key of each object (object ID, for example, a random number of about 32 bytes generated randomly by the system when the object is generated. In the present embodiment, as an example, a 4-byte value encoded in hexadecimal is used as a key), and one or more records including each item of value (which may be a flag value, for example, a true / false value) are included. The object key of the object “spf” in the tree structure shown in FIG. 2 is “a1f40f99”, the object key of the object “spf_token” is “bfa67956”, and both are validated (“0”). When invalidating an object, the value associated with the object key may be updated to “1” in the validation management table.

  Next, as shown in FIG. 7B, the object management table includes one or more records including items of object key (object ID), prototype value, artifact value, state value, and content type value. . Here, the object ID is stored in the object key, the object ID of the parent object of the object is stored in the prototype value, and the object ID of the object artifact is stored in the artifact value. A record key (for example, a hash value) is stored, and the state value stores a record key (for example, a hash value) in the data content management table indicating the data content of the object. Stores a key (for example, a hash value) of the data content management table indicating the type of the object.

  As shown in FIG. 7C, the data content management table storing the data content of the object is associated with a key (for example, a value stored in the artifact value, state value, or content type value) Corresponding data contents are stored. For example, in the data content management table, information on the list of artifacts of the object is stored in association with the key of the artifact value of the object. For example, in the data content management table, the key stored in the state value associated with the object of the access token includes {“owner”: owner object ID, “client”: client object ID, “scope”. : Character string representing scope} is associated. An access token is attached to all processing requests. Here, the owner is treated as a requester for processing and the client is treated as a proxy requester for processing, and the scope is created (C: create) and updated (U: update). , Information on authorized processing types such as deletion (D: delete) and list acquisition (L: list). It should be noted that the scope may include information on authorized processing. For example, in the data content management table, for example, information related to the data type of the object may be associated with the key stored in the content type value associated with the object.

  The request reception unit 12 receives a request regarding processing of an object managed by the tree structure data management unit 11 from the client device 2. Further, the request reception unit 12 acquires information on an access token (authorization information key) along with the request.

  The authority information acquisition unit 13 acquires authority information (for example, owner information, client information, scope information) related to the received request based on the access token received by the request reception unit 12. For example, when the access token received by the request reception unit 12 is valid in the validation management table, the authority information acquisition unit 13 searches for a corresponding record from the object management table using the access token as a key. Here, the authority information acquisition unit 13 may output a search error to the verification unit 14 when a record using the access token as a key is not searched from the object management table. When the record using the access token as a key is retrieved from the object management table, the authority information acquisition unit 13 uses the value stored in the state value of the retrieved record as a key (specific key) to store the data contents Search the corresponding record from the management table. Here, the authority information acquisition unit 13 may output a search error to the verification unit 14 when a record corresponding to the specific key is not searched from the data content management table. Then, when the record corresponding to the specific key is retrieved from the data content management table, the authority information acquisition unit 13 uses the data (owner information, client information, scope information) stored in the value of the retrieved record. Obtained as authority information, the owner information and client information are verified (whether the owner or client is a valid object ID) and output to the verification unit 14.

  The verification unit 14 executes verification based on a comparison between the authority information acquired by the authority information acquisition unit 13 and the information of the parent object (prototype object) of the access token received by the request reception unit 12. For example, the verification unit 14 outputs a verification error to the request processing unit 15 when a search error is notified by the authority information acquisition unit 13. In addition, the verification unit 14 determines whether the owner information (owner object) included in the authority information acquired by the authority information acquisition unit 13 matches the parent object (prototype object) of the access token received by the request reception unit 12, If the parent object (prototype chain) of the access token is included in the path (prototype chain) that sequentially connects the parent object of the owner object and the parent object, then the parent object (prototype object) of the access token is determined to be successful, otherwise Determines that the verification has failed, and notifies the request processing unit 15 of the verification result.

  Here, processing related to the notification queue will be described. First, when the access token received by the request receiving unit 12 is verified, the prototype of the access token received by the request receiving unit 12 has a queue (notification queue) for storing notifications (the notification queue has an empty queue). Queue is set). In addition, when the access token received by the request receiving unit 12 is verified, if the prototype of the access token is included in the prototype chain of the owner object specified by the access token, an object having a notification queue is selected from the owner object. Searching along the prototype chain, the first object found is set as the notification destination.

  The request processing unit 15 executes the processing related to the request based on the request received by the request receiving unit 12, the authority information acquired by the authority information acquiring unit 13, and the verification result notified from the verification unit 14. Control. For example, the request processing unit 15 includes processing related to the request received by the request receiving unit 12 in the scope information of the authority information acquired by the authority information acquiring unit 13, and is further notified from the verification unit 14. A condition that the verification result is a verification success, and a condition regarding the relationship between the target resource (requested object) and the owner (object) specified by the access token (for example, whether the owner has privileges for the target resource) If the above condition is satisfied, the processing related to the request received by the request receiving unit 12 is executed, and the execution result is output to the processing data providing unit 16. The processing is not accepted and an error is output to the processing data providing unit 16 Good. Further, even if the received request does not satisfy the above conditions, the request processing unit 15 holds the processing (for example, update) and notifies the target resource prototype of the processing (for example, update) request. Also good. If the target resource prototype does not have a notification queue, the object (notification destination object) having the notification queue first in the target resource prototype chain is notified. Here, after knowing the notification stored in the notification queue, the notification destination object may perform processing (for example, value setting) on the target resource using its own access token, or simply queue the notification. You may delete from.

  Hereinafter, when a request from the client apparatus 2 is received, processing executed according to the request received by the request processing unit 15 (artifact list acquisition, artifact generation, object expression acquisition, object expression update, object Delete, prototype acquisition, prototype update, etc.). In the example described below, the request transmitted from the client apparatus 2 to the information processing apparatus 1 uses the REST API with the HTTPS transport, and the HTTP request header includes an access token. This will be described as an example.

  When the received request is “GET /”, the request processing unit 15 searches the corresponding record from the object management table using the owner object included in the authority information as a key, and stores the artifact value included in the searched record. The data content management table is searched based on the value, and the value value included in the searched record is output to the processing data providing unit 16 as a processing result.

  If the received request is “POST /”, the request processing unit 15 generates a key (object ID) of a new object whose parent is the owner object included in the authority information (the object ID is generated by a random number, for example) A record storing the generated object ID and prototype object information is added to the object management table, and the generated object ID is output to the processing data providing unit 16 as a processing result. The request processing unit 15 updates the value of the artifact value for the prototype object, and records a record including the updated value as a key and list information including the newly generated object information in the list in the data content management table. It is good to add to.

  When the received request is “GET / {id}”, the request processing unit 15 searches the corresponding record from the object management table using {id} as an object key, and sets the state value included in the searched record. The stored value is referred to, the data content management table is searched using the referenced value as a key, and the value value included in the searched record is output to the processing data providing unit 16 as a processing result.

  When the received request is “PUT / {id}”, the request processing unit 15 has the privilege specified by the access token for the target object specified by {id} ( In other words, when the owner specified by the access token is included in the prototype chain of the target object), the corresponding record is searched from the object management table using {id} as the object key, and the state value included in the searched record is The stored value is referred to, the data content management table is searched using the referenced value as a key, and the value of the value included in the searched record is updated according to the update information received together with the request.

  When the received request is “DELETE / {id}”, the request processing unit 15 determines that the owner specified by the access token has a privilege for the target object specified by {id} ( That is, when the owner specified by the access token is included in the prototype chain of the target object), the corresponding record is searched from the object management table using {id} as the object key, and the value of the artifact value of the searched record is If not stored (that is, the target object has no artifact), the value corresponding to the object key {id} is updated to the invalidation value (1) in the validation management table, and the retrieved record Arte When the value in fact the value is stored may be outputted error in processing data providing unit 16.

  When the received request is “GET / {id} / prototype”, the request processing unit 15 searches the corresponding record from the object management table using {id} as an object key, and the prototype included in the searched record The value stored in the value is output to the processing data providing unit 16 as a processing result.

  When the received request is “PUT / {id} / prototype” and the request body is a new prototype object ID, the request processing unit 15 sets the owner (requester) specified by the access token as the target resource ({id}). If the current prototype of the specified object) does not destroy the tree structure, a new prototype is reserved. Then, if the requester is reserved as a new prototype and the prototype change does not destroy the tree structure, complete the setting to the new prototype (ie perform a prototype update), and for other cases, request Reject. For example, if the prototype before the change of the object C is A and the prototype after the change is B, a first instruction “requester = A, change destination prototype = B, target object = C”, and “requestor = B , If both of the second instructions with the change target prototype = B and the target object = C ”do not destroy the tree structure at the timing of each instruction, the request processing unit 15 sets the prototype of the object C as A It is good also as performing the process changed from B to B.

  The processing data providing unit 16 provides the processing result notified from the request processing unit 15 to the client device 2. The processing data providing unit 16 may notify the client device 2 of an error when an error is notified from the request processing unit 15.

  In addition, for each object managed by the tree structure data management unit 11, a queue for holding a request that is suspended for the object is prepared, and the owner of the object is held in the queue prepared for the object. It may be possible to view or delete the item. Here, the items held in the queue may be HTTP request headers and body hash values, and the body contents themselves may be stored so that they can be referenced from the hash values. Then, if the content of the request is valid, the owner of the object may execute the request by replay using its own access token. However, if all the original HTTP request headers are stored as they are, the access token that should be kept secret is known to the owner of the object (that is, the owner impersonates the entity that made the original request). The access token in the header is replaced with the hash value assigned to the object identifier (that is, the hash value managed in the data content management table for the object identifier (access token)) instead of the object identifier. It is good to prevent leakage of tokens. In this way, the token contents (JSON object {“owner”: owner object ID, “client”: client object ID, “scope”: character string expressing the scope}) can be specified from the hash value. However, the access token itself is not exposed to the owner.

[2. Explanation of specific examples of processing]
Hereinafter, specific examples of object addition and update processing executed in the information processing apparatus 1 according to the present embodiment will be described with reference to FIGS.

  First, FIG. 2 shows a tree structure formed by objects in an initial state. As shown in FIG. 2, in the tree structure of the object in the initial state, “spf_token” that is an access token for root is provided as an artifact with respect to “spf” that is the root object. 2 corresponds to the management table (validation table, object management table, data content management table) shown in FIG.

  Next, as shown in FIG. 3, processing when adding a “users” object as an artifact of the object “spf” in the tree structure formed by the objects will be described. In this case, first, the client apparatus 2 sends a “POST /” request to the information processing apparatus 1 using the access token “spf_token”. As a result, the information processing apparatus 1 generates a new object key and adds a record for the generated object key to the validation management table (A) and the object management table (B) as shown in FIG. At the same time, with respect to the object management table (B) and the data content management table (C), the value of the artifact value related to the prototype object (here, “spf” object) to which the artifact is added is updated and added. In FIG. 8, data that has changed from FIG. 7 is underlined. The information processing apparatus 1 notifies the client apparatus 2 of the key (e356bf46) of the added object.

  The client device 2 uses the access token “spf_token” to update the information about the object key (e356bf46) notified from the information processing device 1 (PUT / e356bf46), the update content {“name”: “users” } To the information processing apparatus 1. As a result, as shown in FIG. 9, the data content for the object key (e356bf46) is registered in the object management table (B) and the data content management table (C). In FIG. 9, data that has changed from FIG. 8 is underlined.

  Next, as shown in FIG. 4, “temp_users_token” is added as a temporary access token of the object “users”. The client device 2 may add a new object by throwing a “POST /” request using “spf_token”. FIG. 10 shows a management table to which an object (de75e969) of “temp_users_token” is added. In FIG. 10, data that has changed from FIG. 9 is underlined.

  Here, the client apparatus 2 uses the access token “spf_token” to update the information about the object key (de75e969) notified from the information processing apparatus 1 (PUT / de75e969), the update content {“owner”: “/ E35bf46”, “client”: “/ e35bf46”, “scope”: “create update delete list”} is thrown to the information processing apparatus 1. As a result, as shown in FIG. 11, in the object management table (B) and the data content management table (C), authority information having the object “users” as the owner is set for the object key (de75e969). In FIG. 11, data that has changed from FIG. 10 is underlined.

  Next, as illustrated in FIG. 5, the client apparatus 2 adds “users_token” as a child of the object “users” using the access token “temp_users_token”. That is, the client device 2 may add a new object by throwing a “POST /” request using “temp_users_token”. FIG. 12 shows a management table to which the “users_token” object (1ff64df4) is added. In FIG. 12, data that has changed from FIG. 11 is underlined.

  Here, the client device 2 uses the access token “temp_users_token” to update the information about the object key (1ff64df4) notified from the information processing device 1 (PUT / 1ff64df4), the update content {“owner”: “/ E35bf46”, “client”: “/ e35bf46”, “scope”: “create update delete list”} is thrown to the information processing apparatus 1. As a result, as shown in FIG. 13, in the object management table (B) and the data content management table (C), authority information having the object “users” as the owner is set for the object key (1ff64df4). In FIG. 13, data that has changed from FIG. 12 is underlined.

  Next, as illustrated in FIG. 6, the client apparatus 2 adds the artifact “Alice” to the object “users” using the access token “users_token”. That is, the client apparatus 2 may add a new object by throwing a “POST /” request using “users_token”. FIG. 14 shows a management table to which an “Alice” object (87ad557f) is added. In FIG. 14, data that has changed from FIG. 13 is underlined.

  In this way, by adding access tokens, adding objects, and updating, authority information and resources can be provided in the same tree structure, and detailed authority information is set for each resource. It becomes possible to do.

  Next, an example of notification processing executed when the owner specified by the access token and the prototype (parent object) are different will be described with reference to the tree structure of the object shown in FIG. Note that an access token of a type in which the owner specified by the access token is different from the prototype (parent object) of the access token itself is referred to as a unique token.

  As shown in FIG. 15, an object B, which is an artifact for the object A, is an access token, its owner and client are the object A, and the scope is s = “create update delete list”.

  Next, it is assumed that the object C is generated using the token B. At this time, when the token B is used, the object A which is a prototype of the token B has a queue for storing the notification.

  Next, it is assumed that the token D is generated using the token B. Here, it is assumed that the token D has the object A as a prototype, the owner and client are the object C, and the scope is s.

  Next, it is assumed that the token E is generated using the token D. Here, when the token D is verified, it is detected that the token D is a singular token and notified to the object C that is the owner of the token D. Here, an object having a notification queue is searched from the object C along the prototype chain, and the first searched object (object A) is set as a notification destination.

  Next, it is assumed that the object F is generated using the token E. At this time, the token E is verified, and the object C, which is a prototype of the token E, has a queue for storing the notification.

  Further, it is assumed that the object G is generated using the token D. At this time, it is detected that the token D is a singular token, a notification is issued to the object C that is the owner of the token D, and the notification is stored in the queue of the object C.

  If there is a token K whose parent is the object C, the owner of the token K is C, the client (indicating the owner's authority delegation destination) is J, and the scope is s, the object J is a proxy for the object C. For example, an object G that is an artifact of the object C can be generated.

  The present invention can have the following forms, for example.

(1) In the information processing apparatus 1 according to the present embodiment, when the prototype of an object having an owner attribute (referred to as an access token) matches the owner (referred to as a regular access token), the method transmission to which the access token is attached May be interpreted and accepted as authorized by the owner.
(2) In (1), when the prototype of the access token itself is included in the owner's prototype chain (referred to as a unique access token), the method transmission to which the access token is attached is interpreted as being authorized by the owner. It may be accepted.
(3) In (2), when a method transmission is accepted by attaching a singular access token, the owner may be notified of the acceptance.
(4) In (2), when a method transmission is accepted by attaching a singular access token, it may be notified to the prototype of the access token itself.
(5) In (1) to (4), a method (cloning) for object generation may be provided, and the generated object may be an owner clone (that is, the owner is a prototype).
(6) In (1) to (5), the access token has a client attribute, and the method transmission to which the access token is attached may be interpreted as being delegated to the designated client.
(7) In (1) to (6), the access token has a scope attribute, and the method transmission to which the access token is attached may be interpreted as being delegated within the range of the designated scope.
(8) In (1) to (7), a method (clone listing) for obtaining a clone list may be provided, and the owner's clone collection may be returned.
(9) In (1) to (8), a method for acquiring the representation of the target object may be provided.
(10) In (1) to (9), a method for updating the expression of the target object may be provided, and the expression update may be executed only when the method is approved by the prototype of the target object.
(11) In (1) to (10), a method for deleting a target object may be provided, and deletion may be executed only when the method is approved by the prototype of the target object.
(12) In (1) to (11), the method may be executed only when it is included in the scope specified by the access token.
(13) In (1) to (12), if the object included in the prototype chain of the target object is authorized, the method may be executed.
(14) In (1) to (13), when a method is executed after being authorized by an object included in the prototype chain of the target object, the fact that the method has been executed may be notified to the prototype of the target object. .
(15) In (1) to (14), when a method is executed after being authorized by an object included in the prototype chain of the target object, the method transmission owner may be notified that the method has been executed.
(16) In (1) to (15), the object identifier may be randomly generated by the system.
(17) In (1) to (16), the expression may have an identifier determined as a hash value of the expression, and the binding between the object and the expression may be performed via this identifier.
(18) In method execution in which transmission / reception of expressions such as object expression acquisition and object expression update occurs in (1) to (17), an expression identifier may be added to the response.
(19) In method execution where transmission / reception of expressions such as object expression acquisition and object expression update occurs in (1) to (18), an expression identifier is added to method transmission, and method execution is performed according to the added expression identifier May be performed conditionally.
(20) In (1) to (19), the content of the method transmission to the target object whose authority is not satisfied may be saved, and the prototype of the target object may refer to the transmission content.
(21) In (1) to (20), the token added to the method transmission may be replaced.
(22) In (1) to (21), an event may be notified to the prototype of the target object.
(23) In (1) to (22), the notification may be stored in a queue or a stack.
(24) In (1) to (23), the contents of the method transmission to the object and the incidental situation are recorded, and the owner may refer to them.
(25) In (1) to (24), the method transmission transport may be HTTP over TLS (https).
(26) In (1) to (25), the access token may be attached using the Authorization field in the HTTP request message.
(27) In (1) to (26), cloning may be expressed by POST to a factory resource.
(28) In (1) to (27), the clone listing may be expressed as a GET to a factory resource.
(29) In (1) to (28), object representation acquisition may be represented by GET to an entity resource.
(30) In (1) to (29), the object expression update may be expressed by a PUT to an entity resource.
(31) In (1) to (30), the method transmission transport may be WebSocket over TLS (wss).

  Further, in the present embodiment, even if the request received from the client device 2 is not authorized by the access token received together with the request, the prototype information may be provided to the client device 2. .

DESCRIPTION OF SYMBOLS 1 Information processing apparatus, 2 Client apparatus, 11 Tree structure data management part, 12 Request reception part, 13 Authority information acquisition part, 14 Verification part, 15 Request processing part, 16 Process data provision part

Claims (4)

In an information processing system that manages information of an object for which at least one of a parent and a child is defined,
An information processing system including a processing unit that receives a method transmission to which an access token is attached when a prototype of an access token that is an object having an owner attribute matches an owner. When the prototype of the access token is included in a route in which the parent objects of the owner are sequentially connected, the processing unit interprets that the method transmission to which the access token is attached is authorized by the owner. The information processing system according to claim 1. The information processing system according to claim 2, further comprising: a notification unit that notifies the owner that the method transmission is received when the method transmission is received by the processing unit. A computer that manages information on an object for which at least one of a parent and a child is defined,
A program for executing a step of receiving a method transmission to which an access token is attached when a prototype of an access token that is an object having an owner attribute matches an owner.

Images