JP2015121962A - Information processing system for executing access control, information processing device, access control method and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To solve the problem that access control that unitarily manages two relations cannot be achieved: the two relations being a relation between a user and a roll, and a relation between the roll and authority.SOLUTION: An information processing system includes management information storage means for storing information showing a relation between system operation authority and a token showing that a user is authenticated, confirmation means for confirming that a user corresponding to a token included in a confirmation request has authority to a system operation included in the confirmation request on the basis of the information stored in the management information storage means, and processing request means generating and outputting a processing request for replacing the token included in the system operation request with the token corresponding to the user having manager authority to the system operation on the basis of a result of confirmation by the confirmation means.

Description

  The present invention relates to an information processing system, an information processing apparatus, an access control method, and a program that execute access control, and more particularly to an information processing system, an information processing apparatus, an access control method, and a program that control access to resources.

  Various related technologies are known for access control.

  For example, Patent Document 1 discloses an example of a general access control system. The access control system of Patent Literature 1 includes a service providing device and an authorization device that performs authorization determination of an access request from the service providing device to a resource. The authorization device includes a request reception unit, an authorization determination unit, a policy storage unit, and a response unit.

  The request accepting unit accepts an access request to the resource from the user from the service providing apparatus.

  In response to the access request, the authorization determination unit determines whether to permit access to the resource based on the attribute information of the user and the resource using a policy temporarily registered in advance.

  The policy storage unit confirms that there is no policy setting violation in the policy temporarily registered based on the determination result, and registers the policy without the policy setting violation as a verified policy.

  The response unit returns the determination result of the authorization determination unit using the policy with no policy setting violation to the service providing apparatus.

  In recent years, cloud computing has become widespread, and cloud orchestration, cloud orchestrators, cloud infrastructure management, Alternatively, a technology called cloud integrated management has been proposed and developed.

  Among them, as a typical implementation example, a technique called an open stack has been proposed, developed, and spread. Non-Patent Documents 1 and 2 disclose the technique of OpenStack. Hereinafter, the OpenStack technique described in Non-Patent Documents 1 and 2 will be described.

  OpenStack is a technology for constructing a cloud computing platform (Cloud Computing Platform) centered on IaaS (Infrastructure as a Service).

  More specifically, the OpenStack is composed of a plurality of function modules divided for each function necessary for constructing a system constituting the cloud computing platform.

  These function modules have an API (Application Programming Interface) for providing each function to the outside. Here, the outside is, for example, a user, a program, or a device via a user interface. Hereinafter, these outsides are also simply referred to as users. In addition, these functional modules realize cooperation with other functional modules through the API.

  The OpenStack has a function of executing various processes requested via the API. In some cases, the process is completed with one functional module. In addition, OpenStack may execute a large process by requesting a process between function modules through the API to interchange functions.

  With this function, OpenStack has a feature that it can configure and use the cloud computing platform by combining only necessary function modules according to the application of the cloud computing platform to be constructed.

  Examples of main functional modules include cinder, swift, nova, keystone, glance, and quantum. The cinder has a block storage (Block Storage) function for storing data such as a virtual machine (VM). The swift has an object storage function. nova has a compute function for executing a virtual machine. The keystone has an identity function that handles user management and access control information of each functional module. The “glance” has an image function for managing the configuration information of the virtual machine. Quantum has a networking function for controlling communication between virtual machines and the outside.

  Of these, keystone is necessary to determine whether the access is from the correct user for access to the API of each of the function modules (including keystone itself and other function modules). Manage and provide information.

  More specifically, when a subject accesses various APIs possessed by each functional module, the subject needs to request keystone for user authentication processing before the access. Here, the subject is a functional module or the like on the side that requests access to the user or API. Hereinafter, the subject is simply referred to as a user.

  The keystone has a function of accepting registration of user information, and stores the user information.

  When the keystone is requested for user authentication, the keystone matches the user information passed at the time of the request with the stored user information. When the keystone determines that the user information passed at the time of request is real user information, the keystone generates a token that is valid only for a specific period for the user who requested the user authentication. To do. Subsequently, the keystone records the token and issues the token to the requesting user.

  In addition to passing the processing content requested to the API when the access source user accesses the API, the requesting user gives the information that proves that the access to the API is correct by passing the token. Present.

  The accessed API accepts the requested processing contents only when the passed token is issued correctly. At this time, the accessed API makes an inquiry of the token to the keystone in order to confirm whether or not the passed token is correct.

  The keystone compares the information of the already recorded token with the information of the queried token, determines whether or not the user is the correct user and has the correct period, and determines the result of the determination as an API response to the API. To pass.

  The API accepts the access (processing content) if the passed token is valid in the determination result passed from the keystone, and accepts the access if the passed token is invalid. I refuse.

  Furthermore, keysotne has a function of granting a role (role) to a user.

  Roles are used in role-based access control (RBAC). RBAC does not handle combinations of users and individual authorities when linking users and permissions, but handles the authorities in units called roles, making access intuitive and simple. This technology realizes control settings. The role is a set of authorities necessary for performing a role such as a job.

  The RBAC function in OpenStack includes a role assigned to a user and a policy. This is realized by a description of an access control setting file called json.

  For example, policy. json describes an access control rule that permits the exercise of a specific authority on the condition that a specific role is held.

  If the token is valid in the determination result of the token in the above-described user authentication, the API further sets policy. For the role held by the user corresponding to the token. Based on the access control rule of json, the authority exercise permission / inhibition determination is executed.

JP 2012-208554 A

OpenStack Foundation, “OpenStack Operations Guide”, [online], [searched on June 01, 2013], Internet <URL: http://docs.openstack.org/trunk/openstack-ops/content/>.

OpenStack Foundation, “OpenStack Identity API v2.0 Reference”, [online], [06/01/2013 search], Internet <URL: http://docs.openstack.org/api/openstack-identity-service /2.0/content/>

  However, the technology described in the above-mentioned prior art documents cannot realize the access control that centrally manages the two relationships of the relationship between the user and the role and the relationship between the role and the authority. Have

  The reason why the access control that manages the two relations centrally cannot be realized is that the configuration or operation of the technique described in the above-described prior art document is as follows.

  The keystone of Non-Patent Documents 1 and 2, that is, the OpenStack access control information management means manages the association between a user and a role (relationship between access subjects), but associates a role with an authority (for each access subject). (Authority) is not managed.

  The keystone has a function of granting a role to the user. In other words, the keystone manages the relationship between the user and the role.

  On the other hand, each API has a policy. Based on the access control rule of json, the authority exercise permission / inhibition determination is executed. In other words, the relationship between roles and authorities is managed by each API.

  That is, in OpenStack, a series of access control including from the association between a user and a role to the management of the authority set associated with the role cannot be centrally managed from a module having a management function such as keystone.

  Patent document 1 does not mention the relationship between a user and a role.

  An object of the present invention is to provide an information processing system, an information processing apparatus, an access control method, and a program that can solve the above-described problems.

An information processing system according to one aspect of the present invention includes a management information storage unit that stores information indicating a relationship between an authority for system operation of an arbitrary granularity and a token indicating that a user is authenticated,
When a confirmation request including the information specifying the system operation and the token is received, based on the information stored in the management information storage unit, a user corresponding to the token included in the confirmation request A confirmation means for transmitting a confirmation result indicating that the user has authority to operate the system included in the confirmation request;
When a system operation request including information specifying the system operation and a token indicating that the user is authenticated is received, the confirmation request is transmitted to the confirmation unit based on the received system operation request. , A processing request for receiving the confirmation result corresponding to the confirmation request and replacing the token included in the system operation request with a token corresponding to a user having administrator authority for the system operation based on the confirmation result And processing request means for outputting the generated processing request.

A first information processing apparatus according to an aspect of the present invention includes a management information storage unit that stores information indicating a relationship between an authority for system operation of an arbitrary granularity and a token indicating that a user is authenticated,
When a confirmation request including the information specifying the system operation and the token is received, based on the information stored in the management information storage unit, a user corresponding to the token included in the confirmation request A confirmation means for transmitting a confirmation result to the management target device, indicating that the user has authority to operate the system included in the confirmation request, and
When the managed device receives a system operation request including information specifying the system operation and a token indicating that the user is authenticated, the management target device sends the confirmation request based on the received system operation request. Send to the confirmation means, receive the confirmation result corresponding to the confirmation request, and based on the confirmation result, the token included in the system operation request corresponds to a user having administrator authority for the system operation A processing request replaced with a token is generated, and the generated processing request is output.

The second information processing apparatus according to an embodiment of the present invention receives the system operation request including information specifying system operation of an arbitrary granularity and a token indicating that the user is authenticated. Based on the system operation request, a confirmation request including information specifying the system operation and the token is transmitted to the management apparatus, and a user corresponding to the token included in the confirmation request moves to the system operation included in the confirmation request. A confirmation result corresponding to the confirmation request is received from the management apparatus, and a token included in the system operation request is received from the management apparatus based on the confirmation result. Processing request means for generating a processing request replaced with a token corresponding to an authorized user and outputting the generated processing request The management device is stored in the management information storage means for storing information indicating the relationship between the authority for the system operation and the token, and when the confirmation request is received, stored in the management information storage means And confirmation means for transmitting the confirmation result based on the information.

A first access control method according to an aspect of the present invention includes a management information storage unit that stores information indicating a relationship between an authority for system operation of an arbitrary granularity and a token indicating that a user is authenticated. 1 computer
When a confirmation request including the information specifying the system operation and the token is received from the second computer, the token included in the confirmation request is added to the token based on the information stored in the management information storage unit. Sending a confirmation result to the second computer indicating that the corresponding user has authority to operate the system included in the confirmation request;
The second computer comprises:
When a system operation request including information specifying the system operation and a token indicating that the user is authenticated is received, the confirmation request is sent to the first computer based on the received system operation request. Transmitting and receiving the confirmation result corresponding to the confirmation request from the first computer, and based on the confirmation result, a token included in the system operation request is transmitted to a user having administrator authority for the system operation. A processing request replaced with the corresponding token is generated, and the generated processing request is output.

A second access control method according to an aspect of the present invention includes a management information storage unit that stores information indicating a relationship between an authority for system operation of an arbitrary granularity and a token indicating that a user is authenticated,
When a confirmation request including the information specifying the system operation and the token is received, based on the information stored in the management information storage unit, a user corresponding to the token included in the confirmation request A computer connected to the information processing apparatus including confirmation means for transmitting a confirmation result indicating that the user has authority to operate the system included in the confirmation request;
When a system operation request including information specifying the system operation and a token indicating that the user is authenticated is received, the confirmation request is transmitted to the information processing apparatus based on the received system operation request Then, the confirmation result corresponding to the confirmation request is received from the information processing apparatus, and based on the confirmation result, the token included in the system operation request corresponds to a user having administrator authority for the system operation. A processing request replaced with a token is generated, and the generated processing request is output.

A program according to an aspect of the present invention includes a management information storage unit that stores information indicating a relationship between an authority for system operation of an arbitrary granularity and a token indicating that a user is authenticated,
When a confirmation request including the information specifying the system operation and the token is received, based on the information stored in the management information storage unit, a user corresponding to the token included in the confirmation request A computer connected to the information processing apparatus, including a confirmation means for transmitting a confirmation result, indicating that the system operation included in the confirmation request has authority.
When a system operation request including information specifying the system operation and a token indicating that the user is authenticated is received, the confirmation request is transmitted to the information processing apparatus based on the received system operation request Then, the confirmation result corresponding to the confirmation request is received from the information processing apparatus, and based on the confirmation result, the token included in the system operation request corresponds to a user having administrator authority for the system operation. A processing request replaced with a token is generated, and processing for outputting the generated processing request is executed.

  The present invention has an effect that, in access control, it is possible to realize access control that centrally manages the relationship between a user and a role and the relationship between a role and an authority.

FIG. 1 is a block diagram showing an example of the configuration of the access control system according to the first embodiment of the present invention. FIG. 2 is a block diagram illustrating an example of a configuration of an access control system according to related technology. FIG. 3 is a block diagram illustrating a hardware configuration of a computer that implements the user terminal, the management apparatus, and the management target apparatus according to the first embodiment. FIG. 4 is a diagram illustrating an example of user information according to the first embodiment. FIG. 5 is a diagram illustrating an example of token information according to the first embodiment. FIG. 6 is a diagram illustrating an example of authority information according to the first embodiment. FIG. 7 is a sequence diagram showing the operation of the access control system in the related art. FIG. 8 is a sequence diagram showing an operation of the access control system in the first embodiment. FIG. 9 is a sequence diagram illustrating a detailed operation of a process related to a user authentication request by the management target device in the access control system according to the first embodiment. FIG. 10 is a sequence diagram illustrating a detailed operation of a process related to a user authentication request by a user terminal of the access control system according to the first embodiment. FIG. 11 is a sequence diagram illustrating a detailed operation of a process related to a process request by a user terminal of the access control system according to the first embodiment. FIG. 12 is a sequence diagram illustrating a detailed operation of a process related to a process request by a user terminal of the access control system according to the first embodiment. FIG. 13 is a block diagram showing an example of the configuration of the access control system according to the second embodiment of the present invention. FIG. 14 is a diagram illustrating an example of management information according to the second embodiment.

  Embodiments for carrying out the present invention will be described in detail with reference to the drawings. In each embodiment described in each drawing and specification, the same reference numerals are given to the same components, and the description will be omitted as appropriate.

<<< Glossary of terms >>>
“Permission” means an authority indicated by a specific resource (or object) and a specific set of actions. In other words, a specific resource and specific action set as an authority indicates that the authority is specified by the resource and the action set.

  “Access right” means an access right indicated by a set of a specific subject, a specific resource, and a specific action. In other words, a specific subject, a specific resource, and a specific action set as the access right indicate that the access right exists in the subject, the resource, and the action set.

  Therefore, the access right is also a pair of a specific subject and authority. In other words, the subject included in the access right has the authority specified by the set of resources and actions included in the access right.

  A “role” specifies a set of authorities. That is, a set of authorities (system operation authority) necessary for a certain process can be associated with a role. In other words, an access right can be defined for a set of a subject given a role and a set of authorities specified by the role. A certain roll itself is also a kind of subject.

  An identifier is assigned to the role. For example, the identifier may be an identifier such as a department to which the user belongs, a job title, a project, business contents, and a work item. Each role may have a display name for use in a user interface or the like in addition to the identifier. Further, in addition to the identifier indicating the role itself, each role may have a role identifier corresponding to a parent node or a child node, path information, or the like in order to express a role hierarchy.

  “Subject” is an identifier indicating the existence of an access subject, that is, an access source that exercises the access right. In the access control execution function that performs access control based on the access right, an identifier on a system such as a user ID (Identifier) is assigned to a person, software, device, etc., and the assigned identifier is set as a “subject”. used. The identifier is unique information such as a member number, employee number, or manufacturing number, information that identifies an individual such as a name, or a system-specific value that is associated with any of these information. It may be. Further, the subject may have a display name for use in a user interface or the like.

  In “role-based access control (RBAC)”, for example, when an authority is given to a subject user, a role is assigned to the user. By doing so, the authority set associated with the role is given to the user. For this reason, there are two types of methods for changing the relationship between a certain user and authority: a method for changing the relationship between a user and a role, and a method for changing the relationship between a role and an authority. In the general related technology, these two kinds of methods are handled by different functions.

  For example, the related technology OpenStack basically manages the relationship between a user and a role with Keystone, and the policy. Manage with json.

  However, there is a case where a method of directly granting authority to the user is used together without using a role. In this case, the identifier of the user to whom the authority is granted can be regarded as a special role dedicated to one user whose relationship between the user and the role cannot be changed.

  When describing access control information (“authority information” described later), for example, a relationship between roles and authorities and a relationship between users and authorities are described. At this time, if the user is viewed as a special role, both can be treated as a relationship between the role and the authority. Or conversely, if a role is regarded as an abstract virtual user and viewed as a special subject, both can be treated as a relationship between a subject and an authority. Regardless of which one is used, it can be handled in the same description method for convenience, so the actual access control information description method may be mixed.

  The description of authority information of OpenStack, which is a related technology, can also be described by mixing users and roles as elements related to authority. In this embodiment, for the sake of convenience, only when handling as authority information, both the user identifier and the role identifier are handled as subjects. Details of the authority information will be described later.

<<<< first embodiment >>>>
Next, a first embodiment of the present invention will be described with reference to the drawings. In addition, a related technique is shown together and a difference with this embodiment is demonstrated.

=== Access control system (also called information processing system) 401 ===
FIG. 1 is a block diagram showing an example of the configuration of the access control system 401 according to the present embodiment.

  As illustrated in FIG. 1, the access control system 401 includes a management device 210 and a management target device 310. The user terminal 100, the management device 210, and the management target device 310 illustrated in FIG. 1 are connected to each other via a network (not shown).

  Although FIG. 1 shows three user terminals 100a, b, and c and three managed devices 310a, b, and c, the number of user terminals 100 and managed devices 310 is arbitrary. It's okay.

=== Management Device 210 ===
As illustrated in FIG. 1, the management apparatus 210 includes a user authentication unit 201, a management information storage unit 2021, a user confirmation unit 203, and an authority confirmation unit 204. The user authentication unit 201, the management information storage unit 2021, the user confirmation unit 203, and the authority confirmation unit 204 may be constructed by separate computer systems, or part or all of them may be the same computer system. It may be realized.

=== Managed Device 310 ===
As illustrated in FIG. 1, the management target device 310 includes a processing request reception unit 3011, a processing request proxy unit 302, a processing execution unit 303, a lower authority confirmation unit 304, and a lower management information storage unit 305. The processing request accepting unit 3011, the processing request proxy unit 302, the processing execution unit 303, the lower authority confirmation unit 304, and the lower management information storage unit 305 may be constructed by separate computer systems, Part or all may be realized by the same computer system. Although three processing execution units 303a, b, and c are shown in FIG. 1, the management target device 310 may include any number of processing execution units 303.

=== Information Processing System 400 ===
FIG. 2 is a block diagram showing an example of the configuration of the access control system 402 according to related technology.

  As illustrated in FIG. 2, the access control system 402 includes a management device 200 and a management target device 300. The user terminal 100, the management apparatus 200, and the management target apparatus 300 illustrated in FIG. 2 are connected to each other via a network (not shown).

  Although FIG. 2 shows three user terminals 100a, b, and c and three managed devices 300a, b, and c, each of the user terminals 100 and the managed devices 300 is an arbitrary number. It may be.

=== Management Device 200 ===
As illustrated in FIG. 2, the management apparatus 200 includes a user authentication unit 201, a management information storage unit 202, and a user confirmation unit 203. The user authentication unit 201, the management information storage unit 202, and the user confirmation unit 203 may be constructed by separate computer systems, respectively, or part or all may be implemented by the same computer system. .

=== Managed Device 300 ===
As illustrated in FIG. 2, the management target device 300 includes a processing request reception unit 301, a processing execution unit 303, a lower authority confirmation unit 304, and a lower management information storage unit 305. The processing request reception unit 301, the processing execution unit 303, the lower authority confirmation unit 304, and the lower management information storage unit 305 may be constructed by separate computer systems, or part or all of them may be the same. It may be realized by a computer system. Although three processing execution units 303a, b, and c are shown in FIG. 2, the management target device 300 may include any number of processing execution units 303.

  The access control system 401 illustrated in FIG. 1 may be an access control system (information processing system) in which the access control systems 402 are mixed. In this case, the management apparatus 210 may be connected to any management target apparatus 300 and management target apparatus 310. In addition, the management target device 310 may be connected to any one of the management device 200 and the management device 210.

  In addition, the management device 200, the management device 210, the management target device 300, and the management target device 310 may be constructed by separate computer systems, or part or all may be realized by the same computer system. And each apparatus implement | achieved by the same computer system may share the same component.

  Specifically, the user terminal 100 is realized by a CPU (Central Processing Unit) of an information processing apparatus that operates according to a program, a storage medium such as a RAM (Random Access Memory) or a hard disk, and a communication interface. The The communication interface communicates with the management device 200, the management device 210, the management target device 300, and the management target device 310.

  Specifically, the management apparatus 200 and the management apparatus 210 are realized by a CPU of an information processing apparatus that operates according to a program, a storage medium such as a RAM or a hard disk, and a communication interface. The communication interface communicates with the user terminal 100, the management target device 300, and the management target device 310.

  Specifically, the management target device 300 and the management target device 310 are realized by a CPU of an information processing device that operates according to a program, a storage medium such as a RAM or a hard disk, and a communication interface. The communication interface communicates with the user terminal 100, the management device 200, and the management device 210.

  Specifically, the user authentication unit 201, the user confirmation unit 203, the authority confirmation unit 204, the processing request reception unit 301, the processing request reception unit 3011, the processing execution unit 303, and the lower authority confirmation unit 304 are It is realized by a CPU of an information processing apparatus that operates according to a program, a storage medium such as a RAM, and a communication interface.

  Specifically, the management information storage unit 202, the management information storage unit 2021, the processing request proxy unit 302, and the lower management information storage unit 305 are a CPU of an information processing apparatus that operates according to a program, a RAM, a hard disk, and the like. This is realized by a storage medium and a communication interface.

  FIG. 3 is a block diagram illustrating a hardware configuration of an information processing apparatus (hereinafter referred to as a computer) that realizes the management apparatus 210 and the management target apparatus 310.

  As illustrated in FIG. 3, the computer 700 includes a CPU 701, a storage unit (for example, RAM) 702, a storage device (for example, hard disk) 703, an input unit 704, an output unit 705, and a communication unit 706. Furthermore, the computer 700 includes a recording medium (or storage medium) 707 supplied from the outside. For example, the recording medium 707 is a non-volatile recording medium (non-temporary recording medium) that stores information non-temporarily. The recording medium 707 may be a temporary recording medium that holds information as a signal.

  The CPU 701 controls the overall operation of the computer 700 by operating an operating system (not shown). For example, the CPU 701 reads the program and data from the recording medium 707 mounted on the storage device 703 and writes the read program and data to the storage unit 702. Here, the program is, for example, a program for causing each computer 700 to execute the operations of the sequence diagrams shown in FIGS. 7, 8, 9, 10, 11, and 12 described later.

  The CPU 701 follows the read program and based on the read data, the user authentication unit 201, the management information storage unit 2021, the user confirmation unit 203, the authority confirmation unit 204, and the processing request reception unit 301 shown in FIG. The process request receiving unit 3011, the process request proxy unit 302, the process execution unit 303, the lower authority confirmation unit 304, and the lower management information storage unit 305 execute various processes.

  The CPU 701 may download the program and the data to the storage unit 702 from an external computer (not shown) connected to a communication network (not shown).

  The storage unit 702 stores the program and data. The storage unit 702 may be included in a part of the management information storage unit 2021 and the lower management information storage unit 305 illustrated in FIG.

  The storage device 703 is, for example, an optical disk, a flexible disk, a magnetic optical disk, an external hard disk, and a semiconductor memory, and includes a recording medium 707. The storage device 703 (recording medium 707) stores the program in a computer-readable manner. The storage device 703 may store the data. The storage device 703 may be included in a part of the management information storage unit 2021 and the lower management information storage unit 305 illustrated in FIG.

  The input unit 704 receives an input of an operation by an operator and an input of information from the outside. Devices used for the input operation are, for example, a mouse, a keyboard, a built-in key button, a touch panel, and the like.

  The output unit 705 is realized by a display, for example. The output unit 705 is used for confirming an input request, an output, and the like by, for example, a GUI (GRAPHICAL User Interface).

  The communication unit 706 of the management apparatus 210 implements an interface with the user terminal 100, the management target apparatus 300, and the management target apparatus 310. The communication unit 706 of the management apparatus 210 is included as part of the user authentication unit 201, user confirmation unit 203, and authority confirmation unit 204.

  The communication unit 706 of the management target device 310 realizes an interface with the user terminal 100, the management device 200, and the management device 210. The communication unit 706 of the management target device 310 is included as part of the processing request reception unit 3011, the processing request proxy unit 302, and the processing execution unit 303.

  As described above, the functional unit blocks of the management apparatus 210 and the management target apparatus 310 shown in FIG. 1 are realized by the computer 700 having the hardware configuration shown in FIG. However, the means for realizing each unit included in the computer 700 is not limited to the above. In other words, the computer 700 may be realized by one physically coupled device, or may be realized by two or more physically separated devices connected by wire or wirelessly and by a plurality of these devices. .

  Note that the recording medium 707 in which the program code is recorded may be supplied to the computer 700, and the CPU 701 may read and execute the program code stored in the recording medium 707. Alternatively, the CPU 701 may store the code of the program stored in the recording medium 707 in the storage unit 702, the storage device 703, or both. That is, this embodiment includes an embodiment of a recording medium 707 that stores the program (software) executed by the computer 700 (CPU 701) temporarily or non-temporarily. A storage medium that stores information non-temporarily is also referred to as a non-volatile storage medium.

  The components shown in FIG. 1 are not limited to the components divided into the functional units of the above-described computer apparatus, but may be components in hardware units.

  Next, functions related to the present embodiment of each component will be described.

=== User terminal 100 ===
The user terminal 100 transmits a user authentication request to each of the management device 200 and the management device 210. The user terminal 100 receives a user authentication result that is a response to the user authentication request from each of the management device 200 and the management device 210, and stores a token associated with the user authentication result.

  In addition, the user terminal 100 transmits a processing request input (also referred to as a system operation request) to each of the management target device 300 and the management target device 310. The process request input specifies a process to be performed by each of the management target apparatus 300 and the management target apparatus 310. The processing request input is accompanied by a token that the user terminal 100 receives and stores from each of the management device 200 and the management device 210. The user terminal 100 receives a processing result output that is a response to the processing request input from each of the management target device 300 and the management target device 310.

=== Management Device 200 and Management Device 210 ===
The management apparatus 200 and the management apparatus 210 receive a user authentication request from the user terminal 100, execute user authentication based on the user authentication request, and transmit a user authentication result to the user terminal 100.

  Further, the management apparatus 200 and the management apparatus 210 receive user confirmation requests from the management target apparatus 300 and the management target apparatus 310, respectively. Next, the management device 200 and the management device 210 execute user confirmation based on the received user confirmation request. Next, the management apparatus 200 and the management apparatus 210 transmit user confirmation results to the management target apparatus 300 and the management target apparatus 310, respectively. The user confirmation request includes a token included in the processing request input received from the user terminal 100 by the management target device 300 or the management target device 310.

  In addition, the management apparatus 210 receives the authority confirmation request from the management target apparatus 310, executes authority confirmation based on the authority confirmation request, and transmits the authority confirmation result to the management target apparatus 310.

  The user confirmation request and the authority confirmation request are also called a confirmation request.

  The management target device 300 and the management target device 310 receive a processing request input from the user terminal 100, execute processing based on the processing request input, and transmit a processing result output to the user terminal 100.

  In addition, the management target device 300 and the management target device 310 transmit a user confirmation request to each of the management device 200 and the management device 210. Next, the management target device 300 and the management target device 310 receive a user confirmation result that is a response to the user confirmation request from each of the management device 200 and the management device 210.

  In addition, the management target device 310 transmits an authority confirmation request to the management device 210. The managed device 310 receives an authority confirmation result that is a response to the authority confirmation request from the management apparatus 210.

  Note that the management target device 310 may transmit an authority confirmation request to the management device 200, for example. Then, the management target device 310 determines that the management device 200 does not have the authority management function by receiving an invalid response from the management device 200, for example.

  For example, the management target device 310 may store information indicating which management device is the management device 200 and which management device is the management device 210 in the management device group, and refer to the information.

  For example, the management device 210 holds information indicating which device is the management device 200 and which device is the management device 210 in the management device group, and transmits it in a response to the management target device 310. Also good. In this case, the management target device 310 may refer to information included in the response.

  As described above, the management target device 310 determines whether the management device 310 exists by determining the management device 210 and the management device 200. Then, when the management apparatus 310 does not exist, the management target apparatus 310 may not transmit an authority confirmation request and an “authentication request for a user with administrator authority” to be described later. In this way, unnecessary communication can be reduced.

  Next, the operation of the present embodiment will be described in detail with reference to the drawings.

  FIG. 4 is a diagram illustrating an example of user information 810 stored in the management information storage unit 2021. As shown in FIG. 4, the user information 810 includes a user information record 811 that is a set of a user ID 812, a password 813, and a subject 814.

  The user ID 812 is an identifier that identifies the user. The password 813 is a password corresponding to the user ID 812. Note that the password 813 may be handled by performing obfuscation processing such as encryption or hashing. The set of the user ID 812 and the password 813 is also called information necessary for user authentication, credentials, or a part of credentials.

  The subject 814 is information indicating a subject that performs an operation on the management target device 310 corresponding to the user ID 812. The subject 814 may be the same as the user ID 812, for example.

  Further, when a user corresponding to the user ID 812 is given a role (role) as an authority set necessary for some duties, the subject 814 may be a role ID. The role ID indicates, for example, “HR department”, “Accounting department”, “VM operation management”, “VM configuration management”, “Network management”, and the like.

  The user information 810 may include information such as a user name, affiliation name, and contact information (not shown) as necessary.

  FIG. 5 is a diagram illustrating an example of token information 820 stored in the management information storage unit 2021. As shown in FIG. 5, the token information 820 includes a token information record 821 that is a set of a token 822, an expiration date 823, and a user ID 824. The expiration date 823 indicates the expiration date (for example, date and time) of the token 822.

  FIG. 6 is a diagram illustrating an example of authority information 830 stored in the management information storage unit 2021. As shown in FIG. 6, the authority information 830 includes an authority information record 831 that is a set of a subject 832, an action 833, and a resource 834 that constitute an access right.

  Subject 832 is equivalent to subject 814.

  The action 833 is, for example, an API (Application Program Interface), a process request input, a command, an identifier of a process execution function, and the like indicating the operation content.

  The resource 834 indicates an object to be operated, for example, part or all of the user information 810, part or all of the token information 820, part or all of the authority information 830, function module information constituting the system, VM information VM configuration information (image), managed device identifier, NIC (Network Interface Card) identifier, network segment identifier, and the like.

  However, the action 833 does not have a specific resource designation depending on its contents. For example, a list acquisition action for the whole, a status confirmation action for the whole, a system activation and termination action, and the like have no specific resource designation.

  For example, the administrator of the access control system 401 may record the authority information 830 in the management information storage unit 2021 via the input unit 704. Further, the administrator may record the authority information 830 in the management information storage unit 2021 from an administrator terminal (not shown) via the communication unit 706. In other words, the input unit 704 and the communication unit 706 are means for inputting authority information 830 (authority for system operation of an arbitrary granularity).

  FIG. 7 is a sequence diagram showing an operation of the access control system 402 according to the related technique shown in FIG.

(1) Step S100
The user terminal 100 transmits a user authentication request to the management device 200. In addition, the user terminal 100 receives the user authentication result from the management apparatus 200 and stores the token 822 accompanying the user authentication result. Note that the user terminal 100 may temporarily store the token 822.

(2) Step S200
Next, the user terminal 100 transmits a process request input to the management target apparatus 300 and specifies a process to be performed by the management target apparatus 300. The processing request input includes the token 822 that the user terminal 100 has received from the management device 200 and stored.

  Next, the management target device 300 transmits a user confirmation request to the management device 200 and receives a user confirmation result from the management device 200. The user confirmation request includes the token 822 included in the processing request input received from the user terminal 100 by the management target device 300.

  Next, the management target device 300 performs the process specified by the process request input, and obtains a process result. The execution of the process is accompanied by authority confirmation regarding whether or not the authority (user) of the user terminal 100 exists for the execution of the process. Subsequently, the management target device 300 transmits the output of the processing result to the user terminal 100.

  The user terminal 100 receives the processing result output from the management target device 300.

  FIG. 8 is a sequence diagram showing an operation of the access control system 401 shown in FIG.

(1) Step S110
The management target device 310 transmits a user authentication request to the management device 210, receives the user authentication result from the management device 210, and stores the token 822 included in the user authentication result. Hereinafter, the token 822 stored in step S110 is also referred to as a token a.

  In step S110, user authentication is performed using the same protocol as in step S100 shown in FIG. However, the authentication target in the user authentication is not the user of the user terminal 100 to be authenticated in step S100 but a user who has administrator authority over the management target device 310 shown in FIG. Further, the user to be authenticated in the user authentication may be a user having a right holder authority for the access control system 401 shown in FIG.

(2) Step S100
Next, the user terminal 100 transmits a user authentication request to the management apparatus 210, receives a user authentication result from the management apparatus 210, and stores a token 822 accompanying the user authentication result. Note that the user terminal 100 may temporarily store the token 822. Hereinafter, the token 822 stored in step S100 is also referred to as a token u.

  Step S100 is the same as step S100 shown in FIG.

(3) Step S210
Next, the user terminal 100 transmits a process request input to the management target apparatus 310 and specifies a process to be performed by the management target apparatus 310.

  Note that the processing request input includes the token u received by the user terminal 100 from the management apparatus 210 and stored.

  Next, the management target device 310 transmits a user confirmation request to the management device 210 and receives a user confirmation result from the management device 210. The user confirmation request includes the token u included in the received processing request input.

  Next, the management target apparatus 310 transmits an authority confirmation request to the management apparatus 210 and receives an authority confirmation result from the management apparatus 210. The authority confirmation request requests confirmation whether or not the user (user) of the user terminal 100 has the authority necessary for performing the process specified by the process request input.

  When the authority does not exist for the user, the management target device 310 executes a termination process. Since the termination process does not have a direct relationship with the configuration and operation of the present embodiment, description thereof is omitted.

  When the authority exists for the user, the management target device 310 executes a processing request proxy process. Specifically, for the received processing request input, the management target device 310 generates and outputs a replacement processing request in which information related to the processing request source is replaced with information related to a user having administrator authority.

  The management target device 310 performs the process specified by the replacement process request and obtains a process result.

  When the management target device 310 executes the process, the management target device 310 includes an authority confirmation regarding whether or not the user (user) of the user terminal 100 has the authority necessary for executing the process included in the replacement process request. Execute using information about users with administrator authority.

  The user terminal 100 receives the processing result output from the management target device 310.

  Note that step S210 is an extension of step S200 shown in FIG. 7 in the access control system 402 shown in FIG.

  At that time, even in an environment in which the management target device 300 that executes step S200 and the management target device 310 that executes step S210 coexist, the management device 200 or the management device 210 can perform unified management. Other than the expanded part, it is the same as step S200 shown in FIG.

  Thereby, step S210 can provide the following management functions simultaneously. The first management function is a management function based on the technique (the technique of the present embodiment) related to the access control system 401 shown in FIG. 1 for the combination of the management apparatus 210 having an extended portion and the management target apparatus 310. The second management function is a management function similar to the management function based on the technology (related technology) related to the access control system 402 shown in FIG.

  Next, the detailed operation of the present embodiment will be described with reference to FIGS.

  FIG. 9 is a sequence diagram illustrating a detailed operation of a process related to a user authentication request by the management target device 310 of the access control system 401 illustrated in FIG.

(1) Step S1101
The processing request proxy unit 302 transmits an authentication request to the user authentication unit 201.

  The authentication request includes information (credentials) necessary for user authentication.

  The credential is typically a pair of a user ID and a password, for example. For example, a character string such as “k-sato” as the user ID and “passwd” as the password is used. The password may be subjected to obfuscation processing such as encryption or hashing.

  The credentials may be, for example, a bit string that is difficult to predict and unique, a string of arbitrary numbers and characters, or a “signed certificate” based on a specific encryption algorithm or protocol.

  The processing request proxy unit 302 has the administrator authority included in the user ID, role ID, and user information 810 stored in the management information storage unit 2021 of the user having administrator authority (for example, “admin”). It stores authorized person information (not shown) such as a user identifier (user ID 812) and UUID (Universally Unique Identifier).

  Here, the processing request proxy unit 302 transmits an authentication request using a pair of a user ID and a password of “admin”, for example, as a credential corresponding to a user having administrator authority. In this way, the processing request proxy unit 302 acquires the token 822 of the user having administrator authority required by the processing request proxy unit 302 in step S2117 shown in FIG. 12 by the following operations from step S1102 to step S1109.

(2) Step S1102
The user authentication unit 201 outputs a user search request to the management information storage unit 2021.

  The user search request includes some or all of the credentials as information for specifying the user who wants to search.

(3) Step S1103
The management information storage unit 2021 performs a user search on the user information 810 stored in the management information storage unit 2021, and whether there is a user information record 811 corresponding to the credential included in the received user search request. Confirm whether or not.

(4) Step S1104
The management information storage unit 2021 outputs a user search result to the user authentication unit 201.

  The user search result includes information indicating the presence or absence of a specific user information record 811 in the user information 810 stored in the management information storage unit 2021. The specific user information record 811 is a user information record 811 including a user ID 812 and a password 813 corresponding to the credentials included in the received user search request.

  The information indicating the presence / absence of the specific user information record 811 is a true / false value such as true or false, for example. The information indicating the presence or absence may be a numerical value such as “1” or “0”, a part or all of the credentials, a part or all of the user information record 811 obtained as a search result, and the like.

  For example, the information indicating the presence / absence of the user information record 811 is a unique combination of the user ID 812 “k-sato” and the password 813 “passwd” or the user information 810 stored in the management information storage unit 2021. It may be an item (not shown) used as an identifier, for example, UUID “12345678-1234-1234-1234-12345789902”.

(5) Step S1105
When the information indicating the presence / absence of the specific user information record 811 included in the user search result indicates “present”, the user authentication unit 201 provides the token 822 (token a) provided to the designated user. Is generated. If the information indicating the presence / absence of the specific user information record 811 is the content indicating “present”, that is, the user information corresponding to the information specifying the user specified in the received user search request exists. This is the case.

  The token 822 is, for example, a bit string that is difficult to predict and a string of arbitrary numbers and characters, and is typically a UUID.

  For example, the token 822 has the UUID “123345678-1234-1234-1234-2345678890123”.

  The token 822 is valid only for a specific period, for example, a period of one day or one hour immediately after user authentication. Note that the token 822 is not limited to a period and may be continuously valid.

  If the information indicating the presence or absence of the specific user information record 811 is the content indicating “none”, that is, there is user information corresponding to the information specifying the user specified in the received user search request. If not, the user authentication unit 201 does not generate the token 822. Next, processing proceeds to step S1109.

(6) Step S1106
The user authentication unit 201 outputs a token registration request to the management information storage unit 2021. The token registration request includes the token 822 (token a) generated in step S1105.

  When the token 822 has a limited validity period, the token registration request includes the date and time related to the validity period.

  The date / time regarding the validity period is, for example, the generation date / time of the token 822, the last update date / time, the expiration date / time, or the like. For example, the date and time related to the validity period is the expiration date and time “2001-02-03T04: 05: 06 + 09: 0”.

(7) Step S1107
The management information storage unit 2021 executes token registration for the token 822 (token a) included in the received token registration request. That is, the management information storage unit 2021 stores the token information record 821 including the token 822 (token a) included in the received token registration request in the token information 820.

  When the token registration request includes the date and time related to the validity period of the token 822, the management information storage unit 2021 stores the token information record 821 including the pair of the token 822 and the expiration date 823 in the token information 820.

(8) Step S1108
The management information storage unit 2021 outputs a token registration result to the user authentication unit 201.

  The token registration result includes information indicating success or failure of token registration.

  The information indicating the success or failure of token registration is, for example, a true / false value such as true or false. Information indicating success or failure of token registration includes numerical values such as “1” or “0”, part or all of the registered token 822, part or all of the user information record 811 for which the token 822 is issued, It may be.

(9) Step S1109
The user authentication unit 201 transmits an authentication result to the processing request proxy unit 302. The authentication result includes information indicating success or failure of user authentication and a token a.

  The information indicating success or failure of user authentication is a true / false value such as true or false, for example. Information indicating success or failure of the user authentication includes numerical values such as “1” or “0”, part or all of the registered token 822, part or all of the user information record 811 that is the target of issuing the token 822, It may be.

  When the token 822 is used as information indicating success or failure of user authentication, the authentication result may include only the token 822.

  Further, when the information indicating the presence / absence of the specific user information record 811 is the content indicating “none” in step S1105, or the information indicating the success or failure of the token registration is the content indicating “not” in step S1108. In this case, the user authentication unit 201 sets the information indicating success / failure of the user authentication as content indicating “NO”.

  FIG. 10 is a sequence diagram showing a detailed operation of processing related to a user authentication request by the user terminal 100 in the access control system 401 shown in FIG.

(1) Step S1001
The user terminal 100 transmits an authentication request to the user authentication unit 201.

  The authentication request includes information necessary for user authentication. The information is, for example, information called the aforementioned credential.

  Here, the user terminal 100 transmits an authentication request using a pair of a user ID “user01” and a password, for example, as a credential corresponding to the user using the user terminal 100.

  Steps S1002 to S1008 are the same as steps S1102 to S1108 shown in FIG. 9 (however, token a can be read as token u), and thus description thereof is omitted.

(9) Step S1009
The user authentication unit 201 transmits an authentication result to the user terminal 100.

  The authentication result includes information indicating success or failure of user authentication and a token u, similar to step S1109 shown in FIG.

  FIG. 11 and FIG. 12 are sequence diagrams showing detailed operations of processing related to processing requests by the user terminal 100 in the access control system 401 shown in FIG.

(1) Step S2101
The user terminal 100 transmits a process request input to the process request receiving unit 3011.

  The process request input indicates an instruction for performing a process executed using the process execution function (process execution unit 303) of the management target apparatus 310. The instruction is information including a valid token u and a command for the processing request reception unit 3011 of the management target device 310. The valid token u is a token u acquired by user authentication in step S100 shown in FIG. 8 by the user (user) of the user terminal 100 who makes a processing request.

  As a command to the processing request reception unit 3011, typically, for example, a virtual machine (VM) list acquisition command, a specific VM information acquisition command, a specific VM start / end / suspend / resume command, for example. , Create new VM configuration command, delete VM configuration command, browse network configuration command, create new network segment command, delete network segment command, VM network interface card (NIC) and network segment There are linking commands.

  In some cases, the command is not a VM or a virtual network but a physical computer, a network switch, or the like.

  The command input to the processing request receiving unit 3011 has a detailed description format for each command, but basically includes a requested operation (action) and resources such as a VM to be operated. For example, “start” is included as an action and “vm1” is included as a resource.

  Further, the process request accepting unit 3011 transmits a process request input to the process request accepting unit 3011 of the management target apparatus 310 that is present and a plurality of others in the same procedure as the user terminal 100 performs. You can also.

  This means that when a certain process requested by the user is a process that cannot be completed by a single process request input or command, several process request inputs or commands are called in a chain, recursive, or nested manner. This is because a desired processing result can be obtained by integrating the results.

  For example, the process that cannot be completed by one process request input is a process in the case of acquiring a list of VMs across a plurality of management target devices 310. For example, the process that cannot be completed by one command is obtained by acquiring a VM identifier using a command for a compute function that manages execution of a VM, and then executing a command for an image function that manages the configuration of the VM. This is a process for obtaining detailed information.

(2) Step S2102
The processing request reception unit 3011 outputs a user confirmation request to the user confirmation unit 203. The user confirmation request includes the token u included in the processing request input in step S2101.

(3) Step S2103
The user confirmation unit 203 outputs a token search request to the management information storage unit 2021. The token search request includes the token u included in the user confirmation request in step S2102.

(4) Step S2104
The management information storage unit 2021 performs a token search on the token information 820 stored in the management information storage unit 2021, and checks whether or not the token u included in the received token search request exists. In other words, the management information storage unit 2021 confirms whether or not the token u is included in the token information 820.

  Further, when a valid period is set for the token u that has been confirmed to exist, the management information storage unit 2021 confirms whether or not the token u is within the valid period.

(5) Step S2105
The management information storage unit 2021 outputs a token search result to the user confirmation unit 203.

  The token search result includes information indicating the presence / absence of the token u included in the received token search request in the token information 820 stored in the management information storage unit 2021 and information specifying the user corresponding to the token u. .

  However, the information indicating the presence / absence of the token u is included in the token information 820 when the token u has a valid period, and indicates the presence / absence of the token u within the valid period.

  The information indicating the presence / absence of a valid token u is, for example, a true / false value such as true or false. The information indicating the presence / absence of a valid token u may be a numerical value such as “1” or “0”, or a part or all of the token u. Further, the information indicating the presence / absence of a valid token u may be a part or all of the user ID 824 corresponding to the token u.

  The information for identifying the user corresponding to the token u is, for example, the user ID 824. The information for identifying the user corresponding to the token u may be a unique ID (not shown) assigned to the user information record 811 such as a UUID. The information for specifying the user corresponding to the token u may be a set of a user ID 824 and a password (not shown).

(6) Step S2106
The user confirmation unit 203 outputs a user information search request to the management information storage unit 2021.

  The user information search request includes the information for identifying the user corresponding to the token u (in this embodiment, the user ID 824) included in the token search result received in step S2105.

(7) Step S2107
The management information storage unit 2021 executes user information search for the user information 810 stored in the management information storage unit 2021 based on the information (user ID 824) for specifying the user corresponding to the token u, and step S2105. The subject 814 corresponding to the token u whose existence has been confirmed in (1) is acquired.

(8) Step S2108
The management information storage unit 2021 outputs a user information search result to the user confirmation unit 203.

  The user information search result includes user information (subject 814) related to the user specified in the user information search request in the user information 810 stored in the management information storage unit 2021.

(9) Step S2109
The user confirmation unit 203 transmits a user confirmation result to the processing request reception unit 3011.

  The user confirmation result includes user information (subject 814) related to the user corresponding to the token u included in the user confirmation request in step S2102.

  The processing request receiving unit 3011 that has received the user confirmation result refers to the user confirmation result, the token u included in the processing request input in step S2101 is valid, and there is a valid user corresponding to the token u. The user information (for example, subject 814) of the user is acquired.

(10) Step S2110
The processing request reception unit 3011 transmits an authority confirmation request to the authority confirmation unit 204.

  The authority confirmation request includes the action and resource included in the processing request input in step S2101 and the user information (subject 814) in step S2109.

(11) Step S2111
The authority confirmation unit 204 outputs an authority search request to the management information storage unit 2021 based on the authority confirmation request.

  The authority search request includes a subject 814 such as a user ID and a role ID included in the authority confirmation request in step S2110, an action, and a resource that specify the authority to be searched.

(12) Step S2112
The management information storage unit 2021 performs an authority search on the authority information 830 stored in the management information storage unit 2021. Specifically, the management information storage unit 2021 assigns the authority corresponding to the combination of the action and resource included in the authority search request for the subject 814 such as the user ID and role ID included in the authority search request in step S2111. It is confirmed whether or not a description to be given (authorization information record 831) exists.

(13) Step S2113
The management information storage unit 2021 outputs the authority search result to the authority confirmation unit 204.

  The authority search result includes information indicating the presence or absence of the authority specified in the authority search request in the authority information 830 stored in the management information storage unit 2021.

  The information indicating the presence / absence of the authority is, for example, a truth value such as true or false. Information indicating the presence / absence of authority includes numerical values such as “1” or “0”, part or all of the authority information record 831, part or all of the user information record 811 obtained along with the search result, It may be a part or all of the token information record 821.

(14) Step S2114
The authority confirmation unit 204 transmits the authority confirmation result to the processing request reception unit 3011.

  The authority confirmation result includes either the information corresponding to the access right or the authority information record 831. The information corresponding to the access right includes a subject 814, an action, and a resource included in the right confirmation request in step S2110. The authority information record 831 is the authority information record 831 whose existence has been confirmed by the authority search in step S2112.

  For example, the authority confirmation result includes information that the subject “814” of the user “k-sato” has the authority to exercise the action “start” for the resource “VM“ vm1 ”.

  For example, the authority confirmation result includes information that the subject 814 having the role “vm1-admin” has the authority to exercise the action “start” for the resource “VM1”.

  In order to represent the subject 814, actions and resources, a unique identifier such as UUID “123345678-1234-1234-1234-1234567889012” may be used in addition to the easy-to-understand description.

  The process request accepting unit 3011 that has received the authority confirmation result refers to the authority confirmation result, and the authority necessary for executing the contents of the process request input in step S2101 is granted to the user who has performed the process request input. Make sure.

(15) Step S2115
Next, the process request accepting unit 3011 executes process request distribution in order to implement the contents of the process request input. Specifically, the process request accepting unit 3011 selects the process execution unit 303 corresponding to the process content indicated by the process request input, and generates a process request.

  The processing request is, for example, a command having a content such as the action “start” of the resource “vm1”.

  The processing request further includes a token 822 included in the authentication result acquired in step S1009 and a subject 814 such as the user ID and role ID acquired in step S2109 for the user who has input the processing request.

  That is, the processing request includes information corresponding to the access right of the subject 814, the action, and the resource.

  One processing request input may be performed by combining the functions of a plurality of processing execution units 303. In this case, the processing request reception unit 3011 selects a plurality of processing execution units 303, divides the processing request input, and generates a plurality of processing requests to be distributed to each processing execution unit 303.

(16) Step S2116
The processing request reception unit 3011 outputs the generated processing request to the processing request proxy unit 302.

  The processing request receiving unit 301 of the management target apparatus 300 shown in FIG. 2 distributes the generated processing request to the direct processing execution unit 303.

  However, the processing request reception unit 3011 of the management target device 310 of this embodiment illustrated in FIG. 1 does not distribute the processing request generated in the same manner as the processing request reception unit 301 illustrated in FIG. To the processing request proxy unit 302.

(17) Step S2117
When the authority is granted to the user in the authority confirmation result in step S2114, the processing request proxy unit 302 sends information regarding the processing request source for the received processing request to the processing execution unit 303 as follows. Output replacement request. That information about the requester of the process is subject 814 and token u.

  The processing request proxy unit 302 replaces the subject 814 included in the processing request received from the processing request reception unit 3011 with corresponding information included in the authorized person information stored in the processing request proxy unit 302. The authority information stored in the processing request proxy unit 302 is the authority information used when transmitting the authentication request in S1101 shown in FIG. 9, that is, the authority information corresponding to the token a.

  Further, the processing request proxy unit 302 generates a replacement processing request by replacing the token u included in the processing request received from the processing request reception unit 3011 with the token a included in the authentication result acquired in step S1109. Subsequently, the processing request proxy unit 302 outputs the generated replacement processing request to the processing execution unit 303.

  The processing request proxy unit 302 uses the token a included in the authentication result acquired in step S1109 and uses the same procedure as that in steps S2102 to S2109, or the user ID 812 of a user having administrator authority or a role (not shown). The ID may be acquired as authority information. In this case, the processing request proxy unit 302 may not store the authority information.

When the authority is not given to the user in the authority confirmation result in step S2114, the processing request proxy unit 302 outputs the received processing request as it is to the processing execution unit 303.

  If the authority is not given to the user in the authority confirmation result in step S2114, the process request proxy unit 302 may end the process (abnormal end).

(18) Step S2118
The process execution unit 303 outputs a lower authority confirmation request to the lower authority confirmation unit 304.

  The subordinate authority confirmation request includes the action and resource included in the processing request in step S2116 and the subject 814 such as the user ID and role ID included in the authority information in step S2117.

(19) Step S2119
The lower authority confirmation unit 304 outputs a lower authority search request to the lower management information storage unit 305.

  The lower authority search request includes a subject 814 such as a user ID and a role ID, an action, and a resource included in the lower authority confirmation request in step S2118.

(20) Step S2120
The lower management information storage unit 305 performs a lower authority search on the authority information stored in the lower management information storage unit 305 itself, and determines whether or not there is a description corresponding to the lower authority search request in step S2119. Check. The corresponding description gives the authority corresponding to the combination of the action and the resource included in the lower authority search request to the subject 814 such as the user ID and the role ID included in the lower authority search request in step S2119. This is a description indicating that.

  The authority information stored in the lower management information storage unit 305 has, for example, the same structure as the authority information 830 stored in the management information storage unit 2021 described above. In this case, the description for granting the authority corresponding to the combination of action and resource included in the lower authority search request to the subject 814 included in the lower authority search request has the same structure as the authority information record 831. is there.

  The authority information stored in the lower management information storage unit 305 is authority information related to either the management target device 310 or the management target device 300 in which the lower level management information storage unit 305 is included. In other words, the authority information stored in the lower management information storage unit 305 is distributed and managed independently for each of the management target device 310 and the management target device 300.

  Here, the subject 814 included in the lower authority search request in step S2119 is replaced based on the authority information in step S2117. For this reason, the result of the subordinate authority search always has the contents of “existence”.

(21) Step S2121
The lower management information storage unit 305 outputs the lower authority search result to the lower authority confirmation unit 304.

  The lower authority search result output by the lower management information storage unit 305 includes information indicating the presence or absence of the authority specified in the lower authority search request in the authority information stored in the lower management information storage unit 305.

  The information indicating the presence / absence of authority is, for example, a truth value such as true or false. The information indicating the presence / absence of authority is a numerical value such as “1” or “0”, or a part or all of a description for granting authority in the authority information stored in the lower management information storage unit 305. May be.

(22) Step S2122
The lower authority confirmation unit 304 outputs the lower authority confirmation result to the processing execution unit 303.

  The lower authority confirmation result output by the lower authority confirmation unit 304 includes either information corresponding to the access right or the description content of the authority information. The information corresponding to the access right includes the subject 814, the action, and the resource included in the lower-level authority confirmation request in step S2118. The description content of the authority information is a part or all of the description to which the authority confirmed to exist by the lower authority search in step S2120 is given.

  For example, the subordinate authority confirmation result output by the subordinate authority confirmation unit 304 indicates that the subject “user k-sato” has the authority to exercise the action “start” on the resource “VM“ vm1 ””. Contains information.

  For example, the subordinate authority confirmation result output by the subordinate authority confirming unit 304 is that the subject with the role “vm1-admin” has the authority to exercise the action “start” on the resource “VM” “vm1”, etc. Contains information.

  A unique identifier such as UUID “12345678-1234-1234-1234-12345789902” may be used to represent the subject, action, and resource, apart from the easy-to-understand description.

  The process execution unit 303 that has received the lower authority confirmation result refers to the received lower authority confirmation result, and the authority necessary for the execution of the content of the replacement process request in step S2117 is determined by the user who has made the replacement process request. Confirm that it has been granted.

  However, here, the processing execution unit 303 confirms that the necessary authority has been given, assuming that the user is a user with administrator authority replaced in step S2117.

  Steps S2118 to S2122 are essential operations for realizing access control using the management device 200 shown in FIG. However, in the access control system 401 shown in FIG. 1, unified management of access control is realized by the management device 210. Therefore, if the management device 210 and the management target device 310 illustrated in FIG. 1 are not in a mixed environment of the management device 200 illustrated in FIG. 2, the management target device 310 does not have to execute Steps S2118 to S2122. In addition, even in such a mixed environment, when compatibility and compatibility between implementation methods and versions using different technologies are not required, the management target device 310 does not have to execute Steps S2118 to S2122.

(23) Step S2123
The process execution unit 303 executes the process based on the replacement process request received in step S2117. For example, the processing execution unit 303 executes a command having the content of the action “start” of the resource “vm1”.

  In addition, the process execution unit 303 and the other process execution units 303 included in the same management target device 310 and the process request reception unit 3011 included in the other management target devices 310 are processed and received by the process request reception unit 3011 and the processing request. A processing request can also be transmitted in the same procedure as the proxy unit 302 performs.

  This means that if a process you want to perform is a process that cannot be completed with a single process request or command, you can call several process requests or commands arbitrarily in a chained, recursive or nested manner and integrate the results. This is because the desired processing result can be obtained.

  For example, the process that cannot be completed by one process request or command is a process in which the NIC identifier is acquired by a NIC list acquisition command, and then each NIC is designated to obtain detailed information for each NIC. . In addition, the process that cannot be completed with one process request or command is a process for acquiring a list of VMs across a plurality of management target devices 310. Further, the processing that cannot be completed by one processing request or command is obtained by acquiring a VM identifier using a command for a compute function that performs execution management of a VM, and then executing a command for an image function that manages the configuration of the VM. This is a process for obtaining detailed information such as specifications.

(24) Step S2124
The processing execution unit 303 outputs the processing result to the processing request proxy unit 302. The processing result includes some or all of the information obtained from the execution of the process in step S2123, the execution content, the response content, and the status.

(25) Step S2125
The processing request proxy unit 302 outputs the processing result to the processing request reception unit 3011. The processing result output by the processing request proxy unit 302 basically includes the same content as the processing result in step S2124. However, when the processing request proxy unit 302 includes, in the processing result, information indicating the user who has requested execution of the processing, the processing request proxy unit 302 returns the information specifying the user having administrator authority to the information specifying the original user. . Specifically, the processing request proxy unit 302 generates a processing result in which the subject 814 replaced in step S2117 is returned to the subject 814 included in the processing request in step S2116, and outputs the generated processing result.

  For example, the processing request proxy unit 302 returns the subject 814 that was the user “admin” and the role “admin” to the user “k-sato” and the role “vm1-admin”.

(26) Step S2126
If the processing request input is divided into a plurality of processing requests by processing distribution in step S2115 for the processing result received from the processing request proxy unit 302, the processing request reception unit 3011 executes processing result integration processing. In other words, the processing request accepting unit 3011 integrates a plurality of processing results so as to obtain an appropriate granularity and content as a response to the processing request input in step S2101 and generates a processing result output corresponding to the processing request input in S2101.

(27) Step S2127
The processing request reception unit 3011 transmits the generated processing result output to the user terminal 100.

  The processing result output includes some or all of the execution contents of the process executed by the process execution unit 303 of the management target device 310, the response contents, the status, and the obtained information.

  As described above, the access control system 402 based on the related technology shown in FIG. 2 is the authority stored in the lower management information storage unit 305 that is distributed and managed independently in each managed device 300. Based on the information (access control policy, for example, policy.json), the access control determination is performed individually in the unit of the management target device 300, the unit of the processing execution unit 303, or the like.

  Therefore, in the related technology, there is a first problem that it is not possible to realize the access control that centrally manages the two relationships, that is, the relationship between the user and the role and the relationship between the role and the authority. is there. Further, the related technology such as OpenStack has various problems as follows.

  For example, when a certain process is executed, the policy. Judgment based on json is performed.

  An actual process is generally configured as a “large process” in which a plurality of “small processes” are grouped. For this reason, in order to be allowed to execute a certain process, it is not necessary to allow the authority specific to the process, and for the authority to exercise all “small processes” called indirectly in the process, 1 Everything must be allowed.

  If even one of these authorities is not permitted, the process that the user originally wants to execute (hereinafter referred to as request process) is not executed.

  In such a situation, even if a rule permitting only the authority specific to the request processing is described in the access control rule, an expected access control result cannot be obtained. In other words, in order to obtain an expected access control result, a rule permitting “all authority exercised by a“ small process ”other than the requested process” must be listed in the access control rule.

  Or conversely, if a rule that denies (or disallows) the right to process is listed in an access control rule in order to deny only a certain process, that right is part of another “large process”. If it is also used, the other “big processing” is rejected. Therefore, an expected access control result cannot be obtained.

  That is, the designated range of each authority based on the processing unit viewed from the user, and policy. The specified range of each authority that can actually be set for json does not match.

  Therefore, there is a second problem that it is difficult to set access control of contents that the user wants to set. In addition, even if the access control of the content that the user wants to set is set, the complicated access control rule with a poor outlook that is difficult to understand by deriving the processing actually permitted / denied from the description of the access control rule. There is a third problem of becoming.

  In addition, many processes include role assignment in keystone, policy. In addition to the permission by the access control rule in json, it includes contents that require system administrator authority such as OS.

  These processes are configured on the assumption that they are executed by a user having system administrator authority regardless of the presence of the access control setting in OpenStack.

  That is, policy. Even if the authority is permitted by json, there is a process that cannot be executed unless the administrator authority is possessed.

  Moreover, as described above, one process is generally composed of many “small processes”. Therefore, any one of these “small processes” including a process that requires administrator authority can be executed only by a user having administrator authority.

  Further, the administrator authority in OpenStack is fixedly set in advance as a special role called admin.

  In such a case, for a process that requires administrator authority of OpenStack, policy. If the execution permission is given to the admin role with json, any user having the admin role can execute the process requiring the administrator authority. However, for the same process, policy. Even if execution permission is given to an arbitrary role other than admin by json, for example, the role “R1”, the user having “R1” cannot execute the process requiring the administrator authority.

  Furthermore, only a part of the administrator authority associated with the admin role cannot be granted. Therefore, even when only a part of administrator rights should be granted to a user, all administrator rights can only be granted by assigning the admin role. In other words, it is against the principle of least authority.

  For this reason, the RBAC function in OpenStack has a fourth problem that access control with a high degree of freedom such as linking an arbitrary authority set to an arbitrary role cannot be performed by the description of the access control rule.

  In addition, in order to perform access control, logic for requesting access control determination must be described in the program source of the functional module that performs processing.

  In the process requiring the administrator authority as described above, the access control request function itself may be omitted. In addition, when each function module handles a required function for each “small process”, the number of description of the requested function becomes enormous. In addition, the format of information necessary for the access control request function may be different for each process.

  In this situation, if you try to perform access control that links an arbitrary privilege set to an arbitrary role, a huge change to the current program source is required to insert the access control request function. Become. For this reason, it takes time and effort for remodeling, and also induces bugs. Coexistence and compatibility with the version before remodeling, coexistence with other function remodeling unrelated to the remodeling due to version upgrade, etc. Compatibility is greatly impaired.

  The management module side, such as keystone, that is requested to make an access control determination, must also have different functions depending on the access control determination target. For this reason, it takes time and effort to remodel, induces bugs, coexistence and compatibility with the version before the remodeling, and coexistence with other functional modifications unrelated to the remodeling due to version upgrade etc. In addition, the convertibility is greatly impaired.

  In other words, if you try to perform access control that links an arbitrary privilege set to an arbitrary role by describing access control rules, it will take time and effort for modification, induce bugs, and coexist with the version before modification. There is a fifth problem that the compatibility and compatibility with other functional modifications unrelated to the modification accompanying the upgrade or the like due to version upgrade or the like is lowered.

  In addition, all of the authority that is exercised in large quantities and frequently, including the authority that is exercised by many “small processes” included in a process and the authority that is exercised by “small processes” that are used in many large processes. Since the access control determination is performed, there is a sixth problem that a performance degradation or a substantial system stop occurs. The reason for this is that even if the load for each access control determination process is small, the access control determination process itself that is performed frequently and frequently, the time required for passing information for the determination process, the CPU, the memory, and the This is because the load of resource consumption such as communication bandwidth is so large that it cannot be ignored.

  For the related technologies having problems as described above, the access control system 401 of this embodiment shown in FIG. 1 is based on the authority information 830 that is centrally managed by the management information storage unit 2021 of the management apparatus 210. Access control can be performed on all the management target devices 310 and the processing execution unit 303 that are used in combination, in a single, easy-to-understand granularity, without causing policy conflicts.

  That is, this embodiment has the following effects.

  The first effect of the present embodiment described above is that, in access control, it is possible to realize access control that centrally manages the relationship between a user and a role and the relationship between a role and an authority. .

  This is because the following configuration is included. First, the user confirmation unit 203 confirms the user based on the token information 820. Second, the authority confirmation unit 204 confirms the authority based on the authority information 830. Third, the processing request accepting unit 3011 acquires authentication (for example, token a) of a user having administrator authority. Fourth, the processing request proxy unit 302 replaces the information (for example, token u) of the user who requested the processing with the information of the user having administrator authority (for example, token a), and performs processing by the processing execution unit 303. Request.

  The second effect of the present embodiment described above is that a series of access control including “management of authority set associated with role” is centrally managed from a module having a management function such as keystone (for example, management device 210). It becomes possible to do.

  This is because the following configuration is included. First, the management information storage unit 2021 of the management apparatus 210 has information (token information 820 and authority information 830) indicating the relationship between the authority for system operation of an arbitrary granularity and the token 822 indicating that the user is authenticated. ) Is memorized. Second, the user authentication unit 201 authenticates the user and updates the token information 820. Third, the user confirmation unit 203 confirms the user based on the token information 820. Fourth, the authority confirmation unit 204 confirms the authority based on the authority information 830.

  The third effect of the present embodiment described above is that the unit of processing when viewed from the user and the range of authority necessary for execution thereof, and the unit of processing and authority range handled by a module having a management function such as keystone, for example. It is possible to match with. Furthermore, it is possible to set the access control of the content that the user wants to set as a simple rule with good visibility, which makes it easy to derive and understand the processing that is actually permitted / denied.

  The reason is the same as the reason for the second effect.

  The fourth effect of the present embodiment described above is that, according to the access control setting, even in the related technology, even if the process cannot be executed unless the system administrator authority is provided separately from the content of the access control setting by OpenStack. Access control can be performed.

  The reason is the same as the reason for the second effect.

  The fifth effect of the present embodiment described above is that, in the related technology, processing that cannot be executed unless it has the role of administrator authority of OpenStack regardless of the contents of the access control setting, or management that cannot be divided into one authority set. Ability to define an arbitrary authority set associated with an arbitrary role for all processes, including processes that require any of the user authority groups, and perform highly flexible access control This is a possible point.

  The reason is the same as the reason for the second effect.

  The sixth effect of the present embodiment described above is that, for example, when performing centralized management by a module having a management function such as keystone, it is not always necessary to allow all the management target devices to participate. An environment that is not compatible with the present embodiment and that includes a management target apparatus 300 of related technology can be handled.

  The reason is that the management target device 310 includes the lower authority confirmation unit 304 and the lower management information storage unit 305.

  With this sixth effect, simply handling a mixed environment, gradually expanding the application of the implementation method according to the technology of this embodiment, and conversely discontinuing the application of the implementation method according to the technology of this embodiment. It becomes possible to return to the realization method by related technology. In addition, it is possible to change the technology to be applied according to the service request contents that are different for each user of the cloud computing environment. Furthermore, when realizing the present embodiment, the protocol used in the related technology included in the protocol of the present embodiment is not modified. For this reason, the contents at the time of version upgrade in the related technology are not only applied to the related technology, but can be easily integrated into the present embodiment. In addition, when the related technology is upgraded, the management target device 300 can be easily upgraded in advance without waiting for integration and verification of the upgrade content to the technology according to the present embodiment. Become.

  The seventh effect of the present embodiment described above is that, for example, when unified management by a module having a management function such as keystone is applied to all managed devices, that is, in the information processing system, the management device is always the management device 210. If the management target device is always the management target device 310, the load of access control can be further reduced.

  The reason is the same as the reason for the first effect. Specifically, the access control determination by the lower authority confirmation unit 304 can be omitted in each managed device 310. Therefore, in the related technology, even if the content of access control causes a performance degradation or a substantial system stop due to the load of performing access control determination for all of the authority that is exercised frequently and frequently, this implementation is performed. This is because, in the embodiment, by performing access control determination in units of processing as seen from the user, it is possible to perform only a small number of access control determinations and perform access control without applying a large load.

<<< Second Embodiment >>>
Next, a second embodiment of the present invention will be described in detail with reference to the drawings. Hereinafter, the description overlapping with the above description is omitted as long as the description of the present embodiment is not obscured.

  FIG. 13 is a block diagram showing a configuration of the information processing system 400 according to the present embodiment.

  As shown in FIG. 13, the information processing system 400 in this embodiment includes a management information storage unit 2001, a confirmation unit 2004, and a processing request unit 3002.

=== Management Information Storage Unit 2001 ===
The management information storage unit 2001 stores management information 840 as shown in FIG. As illustrated in FIG. 14, the management information 840 includes a management information record 841 including a token 842, an action 843, and a resource 844. A set of the action 843 and the resource 844 is information for specifying a system operation of an arbitrary granularity. In other words, the management information record 841 is information indicating the relationship between the authority for a system operation of an arbitrary granularity and the token 842.

=== Confirmation Unit 2004 ===
The confirmation unit 2004 receives the processing request unit 3002 and the confirmation request.

  Next, based on the management information 840 stored in the management information storage unit 2001, the confirmation unit 2004 has a management information record 841 that matches the set of action, resource, and token 842 included in the received confirmation request. Determine whether or not to do so.

  Next, the confirmation unit 2004 transmits the confirmation result including the determination result to the processing request unit 3002.

  In other words, the confirmation unit 2004 determines that the user corresponding to the token 842 included in the confirmation request has authority for the system operation (a combination of action and resource) included in the confirmation request. To do. Next, the confirmation unit 2004 transmits a confirmation result indicating that the user corresponding to the token 842 has authority to operate the system.

=== Processing Request Unit 3002 ===
For example, the processing request unit 3002 receives a system operation request from a user terminal (not shown). The system operation request includes a valid token 842 (token 842 indicating that the user is authenticated) and a command. Here, the command is a combination of an action and a resource that specifies a system operation.

  Next, the processing request unit 3002 transmits a confirmation request to the confirmation unit 2004 based on the received system operation request, and receives a confirmation result corresponding to the confirmation request.

  Next, based on the received confirmation result, the processing request unit 3002 uses the token 842 included in the received system operation request as the token 842 corresponding to the user having administrator authority for the system operation (the command). To generate a processing request. Note that the processing request unit 3002 may acquire in advance a token 842 corresponding to the user having the administrator authority from a user authentication unit (not shown).

  Next, the processing request unit 3002 outputs the generated processing request. For example, the processing request unit 3002 outputs the processing request to a “processing execution unit of an information processing apparatus (not shown)” including the processing request unit 3002 itself.

  Each component of the information processing system 400 illustrated in FIG. 13 may be realized by a computer illustrated in FIG.

  In this case, the CPU 701 executes various processes as the management information storage unit 2001, the confirmation unit 2004, and the processing request unit 3002 shown in FIG. 13 according to the read program and based on the read data.

  The storage unit 702 may be included in a part of the management information storage unit 2001 illustrated in FIG. The storage device 703 may be included in a part of the management information storage unit 2001 illustrated in FIG.

  A communication unit 706 is included as part of the confirmation unit 2004 and the processing request unit 3002.

  The effect in the present embodiment described above is the same as the effect in the first embodiment, and realizes access control that centrally manages the relationship between the user and the role and the relationship between the role and the authority in the access control. It is a point that makes possible.

  The reason is that the confirmation unit 2004 confirms the authority based on the management information 840 and, based on the authority confirmed by the processing request unit 3002, the token 842 included in the system operation request is changed to the administrator authority for the system operation. This is because the processing request replaced with the token 842 corresponding to the user having the password is output.

  Each component described in each of the above embodiments does not necessarily have to be individually independent. For example, each component may be realized as a module with a plurality of components. In addition, each component may be realized by a plurality of modules. Each component may be configured such that a certain component is a part of another component. Each component may be configured such that a part of a certain component overlaps a part of another component.

  Each component in each of the embodiments described above and a module that realizes each component may be realized as hardware as necessary. Each component and a module that realizes each component may be realized by a computer and a program. Each component and a module that realizes each component may be realized by mixing hardware modules, computers, and programs.

  The program is provided by being recorded in a non-volatile computer-readable recording medium such as a magnetic disk or a semiconductor memory, and is read by the computer when the computer is started up. The read program causes the computer to function as a component in each of the above-described embodiments by controlling the operation of the computer.

  In each of the embodiments described above, a plurality of operations are described in order in the form of a sequence diagram. However, the description order does not limit the order in which the plurality of operations are executed. For this reason, when each embodiment is implemented, the order of the plurality of operations can be changed within a range that does not hinder the contents.

  Furthermore, in each embodiment described above, a plurality of operations are not limited to being executed at different timings. For example, another operation may occur during the execution of a certain operation, or the execution timing of a certain operation and another operation may partially or entirely overlap.

  Furthermore, in each of the embodiments described above, a certain operation is described as a trigger for another operation, but the description does not limit all relationships between the certain operation and the other operations. For this reason, when each embodiment is implemented, the relationship between the plurality of operations can be changed within a range that does not hinder the contents. The specific description of each operation of each component does not limit each operation of each component. For this reason, each specific operation | movement of each component may be changed in the range which does not cause trouble with respect to a functional, performance, and other characteristic in implementing each embodiment.

  A part or all of the above-described embodiment can be described as in the following supplementary notes, but is not limited thereto.

(Appendix 1)
Management information storage means for storing information indicating a relationship between authority for system operation of an arbitrary granularity and a token indicating that the user is authenticated;
When a confirmation request including the information specifying the system operation and the token is received, based on the information stored in the management information storage unit, a user corresponding to the token included in the confirmation request A confirmation means for transmitting a confirmation result indicating that the user has authority to operate the system included in the confirmation request;
When a system operation request including information specifying the system operation and a token indicating that the user is authenticated is received, the confirmation request is transmitted to the confirmation unit based on the received system operation request. , A processing request for receiving the confirmation result corresponding to the confirmation request and replacing the token included in the system operation request with a token corresponding to a user having administrator authority for the system operation based on the confirmation result And a processing requesting means for outputting the generated processing request.

(Appendix 2)
When an authentication request including information necessary for user authentication is received, a token indicating that the user is authenticated is generated, the generated token is transmitted, and the generated token, the user, Further comprising user authentication means for outputting the relationship to the management information storage means,
The management information storage means includes
Authority storage means for storing the relationship between the user and authority for system operation of an arbitrary granularity;
Token storage means for storing a relationship between the user and the token;
The confirmation means includes
When a user confirmation request including the token is received, a user confirmation result including information for identifying a user corresponding to the token included in the user confirmation request is obtained based on information stored in the token storage unit. A user confirmation means to send;
When an authority confirmation request for the user is received, based on the information stored in the authority storage means, it is determined whether or not there is a relationship between the system operation included in the authority confirmation request and the user, and the authority confirmation result is Authority checking means for sending, and
The processing request means includes
When receiving a system operation request including information specifying the system operation and a token indicating that the user is authenticated, a user confirmation request including the token is transmitted to the user confirmation unit, and the user confirmation is performed. A user confirmation result corresponding to the request is received, the authority confirmation request is transmitted to the authority confirmation unit based on the received user confirmation result, the authority confirmation result corresponding to the authority confirmation request is received, and the received A process for generating a first processing request including the first system operation request, the token, and information for identifying a user corresponding to the token, and outputting the generated processing request based on the authority confirmation result Request accepting means;
The authentication request with the user having administrator authority for the system operation as the user is transmitted to the user authentication means, the authentication result corresponding to the authentication request is received, and based on the authority confirmation result, the first The information specifying the user included in one processing request is replaced with information specifying the user having the administrator authority, and the token included in the first processing request is replaced with a token included in the received authentication result. The information processing system according to claim 1, further comprising: a processing request proxy unit that generates the replaced second processing request and outputs the generated second processing request.

(Appendix 3)
Including a management device and a management target device,
The management device includes the management information storage means, the user authentication means, the user confirmation means, and the authority confirmation means,
The management information storage means further includes user information storage means for storing information for specifying the user,
The management target device includes the processing request accepting unit, the processing request proxy unit, and a processing execution unit,
The processing request proxy means outputs the second processing request to the processing execution means,
The information processing system according to claim 2, wherein the processing execution unit executes a system operation included in the second processing request.

(Appendix 4)
The managed device is:
Subordinate management information storage means for storing a relationship between the user and authority for system operation in the management target device;
Corresponding to the lower authority confirmation request regarding the user, it is determined whether there is a relationship between the system operation included in the lower authority confirmation request and the user based on information stored in the lower management information storage unit, and the lower authority Subordinate authority confirmation means for outputting a confirmation result to the processing execution means,
The processing request proxy means outputs either the first processing request or the second processing request to the processing execution means based on the authority confirmation result,
The processing execution means outputs the lower authority confirmation request to the lower authority confirmation means based on the first processing request, and based on the lower authority confirmation result corresponding to the lower authority confirmation request, outputs the second authority confirmation request. The information processing system according to appendix 3, wherein the processing request is executed.

(Supplementary note 5) The information processing system according to supplementary note 3 or 4, wherein the management target device further includes means for determining whether or not the management device exists.

(Supplementary note 6) The information processing system according to any one of supplementary notes 1 to 5, further comprising means for inputting authority for system operation of the arbitrary granularity.

(Appendix 7)
A processor;
A storage unit that holds instructions executed by the processor for the processor to operate as either the confirmation unit or the processing request unit;
Management information storage means for storing information indicating a relationship between a right for system operation of an arbitrary granularity and a token indicating that the user is authenticated,
When the confirmation unit receives the confirmation request including the information specifying the system operation and the token, the confirmation unit adds the token included in the confirmation request based on the information stored in the management information storage unit. Sending a confirmation result indicating that the corresponding user is authorized to operate the system included in the confirmation request;
When the processing request means receives a system operation request including information specifying the system operation and a token indicating that the user is authenticated, the processing request means sends the confirmation request based on the received system operation request. Send to the confirmation means, receive the confirmation result corresponding to the confirmation request, and based on the confirmation result, the token included in the system operation request corresponds to a user having administrator authority for the system operation An information processing system that generates a processing request replaced with a token and outputs the generated processing request.

(Appendix 8)
Management information storage means for storing information indicating a relationship between authority for system operation of an arbitrary granularity and a token indicating that the user is authenticated;
When a confirmation request including the information specifying the system operation and the token is received, based on the information stored in the management information storage unit, a user corresponding to the token included in the confirmation request A confirmation means for transmitting a confirmation result to the management target device, indicating that the user has authority to operate the system included in the confirmation request, and
When the managed device receives a system operation request including information specifying the system operation and a token indicating that the user is authenticated, the management target device sends the confirmation request based on the received system operation request. Send to the confirmation means, receive the confirmation result corresponding to the confirmation request, and based on the confirmation result, the token included in the system operation request corresponds to a user having administrator authority for the system operation An information processing apparatus that generates a processing request replaced with a token and outputs the generated processing request.

(Appendix 9)
A processor;
A storage unit that holds instructions executed by the processor for the processor to operate as a confirmation unit;
Management information storage means for storing information indicating a relationship between a right for system operation of an arbitrary granularity and a token indicating that the user is authenticated,
When the confirmation unit receives the confirmation request including the information specifying the system operation and the token, the confirmation unit adds the token included in the confirmation request based on the information stored in the management information storage unit. Sending a confirmation result to the managed device indicating that the corresponding user has authority to operate the system included in the confirmation request;
When the managed device receives a system operation request including information specifying the system operation and a token indicating that the user is authenticated, the management target device sends the confirmation request based on the received system operation request. Send to the confirmation means, receive the confirmation result corresponding to the confirmation request, and based on the confirmation result, the token included in the system operation request corresponds to a user having administrator authority for the system operation An information processing apparatus that generates a processing request replaced with a token and outputs the generated processing request.

(Appendix 10)
Information specifying system operation of an arbitrary granularity, and information specifying the system operation based on the received system operation request when receiving a system operation request including a token indicating that the user is authenticated; Transmitting the confirmation request including the token to the management device, and indicating that the user corresponding to the token included in the confirmation request has authority to operate the system included in the confirmation request. A processing request in which a token included in the system operation request is replaced with a token corresponding to a user having administrator authority for the system operation based on the confirmation result. Processing request means for generating and outputting the generated processing request. Management information storage means for storing information indicating the relationship between the authority for the work and the token; and when the confirmation request is received, the confirmation result is transmitted based on the information stored in the management information storage means. An information processing apparatus that transmits the confirmation request to an information processing apparatus including a confirmation unit and receives the confirmation result from the information processing apparatus.

(Appendix 11)
A processor;
A storage unit that holds instructions executed by the processor for the processor to operate as a processing request unit;
The processing request means receives the system operation request including information specifying system operation of an arbitrary granularity and a token indicating that the user is authenticated, based on the received system operation request. A confirmation request including information specifying an operation and the token is transmitted to the management apparatus, and a user corresponding to the token included in the confirmation request has authority to the system operation included in the confirmation request. A confirmation result corresponding to the confirmation request is received from the management device, and a token included in the system operation request is converted into a token corresponding to a user having administrator authority for the system operation based on the confirmation result. The processing request replaced with is generated, and the generated processing request is output. The management device responds to the system operation. Management information storage means for storing information indicating the relationship between the authority to be authorized and the token, and a confirmation for transmitting the confirmation result based on the information stored in the management information storage means when the confirmation request is received And an information processing apparatus.

(Appendix 12)
A first computer comprising management information storage means for storing information indicating a relationship between authority for system operation of an arbitrary granularity and a token indicating that a user is authenticated,
When a confirmation request including the information specifying the system operation and the token is received from the second computer, the token included in the confirmation request is added to the token based on the information stored in the management information storage unit. Sending a confirmation result to the second computer indicating that the corresponding user has authority to operate the system included in the confirmation request;
The second computer comprises:
When a system operation request including information specifying the system operation and a token indicating that the user is authenticated is received, the confirmation request is sent to the first computer based on the received system operation request. Transmitting and receiving the confirmation result corresponding to the confirmation request from the first computer, and based on the confirmation result, a token included in the system operation request is transmitted to a user having administrator authority for the system operation. An access control method for generating a processing request replaced with a corresponding token and outputting the generated processing request.

(Appendix 13)
Management information storage means for storing information indicating a relationship between authority for system operation of an arbitrary granularity and a token indicating that the user is authenticated;
When a confirmation request including the information specifying the system operation and the token is received, based on the information stored in the management information storage unit, a user corresponding to the token included in the confirmation request A computer connected to the information processing apparatus including confirmation means for transmitting a confirmation result indicating that the user has authority to operate the system included in the confirmation request;
When a system operation request including information specifying the system operation and a token indicating that the user is authenticated is received, the confirmation request is transmitted to the information processing apparatus based on the received system operation request Then, the confirmation result corresponding to the confirmation request is received from the information processing apparatus, and based on the confirmation result, the token included in the system operation request corresponds to a user having administrator authority for the system operation. An access control method for generating a processing request replaced with a token and outputting the generated processing request.

(Appendix 14)
Information specifying system operation of an arbitrary granularity, and information specifying the system operation based on the received system operation request when receiving a system operation request including a token indicating that the user is authenticated; Responding to the confirmation request indicating that the user corresponding to the token included in the confirmation request has authority to operate the system included in the confirmation request. The confirmation process is received, and based on the confirmation result, a process request is generated by replacing a token included in the system operation request with a token corresponding to a user having administrator authority for the system operation, and the generated process Connected to an information processing device including processing request means for outputting a request,
A computer comprising management information storage means for storing information indicating a relationship between authority for the system operation of the arbitrary granularity and a token indicating that the user is authenticated,
When a confirmation request including information specifying the system operation and the token is received from the information processing apparatus, the token included in the confirmation request is stored in the token based on the information stored in the management information storage unit. Sending a confirmation result to the information processing apparatus indicating that the corresponding user has authority to operate the system included in the confirmation request;
Access control method.

(Appendix 15)
Management information storage means for storing information indicating a relationship between authority for system operation of an arbitrary granularity and a token indicating that the user is authenticated;
When a confirmation request including the information specifying the system operation and the token is received, based on the information stored in the management information storage unit, a user corresponding to the token included in the confirmation request A computer connected to the information processing apparatus, including a confirmation means for transmitting a confirmation result, which indicates that the user has authority to operate the system included in the confirmation request;
When a system operation request including information specifying the system operation and a token indicating that the user is authenticated is received, the confirmation request is transmitted to the information processing apparatus based on the received system operation request Then, the confirmation result corresponding to the confirmation request is received from the information processing apparatus, and based on the confirmation result, the token included in the system operation request corresponds to a user having administrator authority for the system operation. A program for generating a processing request replaced with a token and executing processing for outputting the generated processing request.

(Appendix 16)
Information specifying system operation of an arbitrary granularity, and information specifying the system operation based on the received system operation request when receiving a system operation request including a token indicating that the user is authenticated; Responding to the confirmation request indicating that the user corresponding to the token included in the confirmation request has authority to operate the system included in the confirmation request. The confirmation process is received, and based on the confirmation result, a process request is generated by replacing a token included in the system operation request with a token corresponding to a user having administrator authority for the system operation, and the generated process A processing request means for outputting a request, and connected to an information processing device,
A computer including management information storage means for storing information indicating a relationship between an authority for the system operation of the arbitrary granularity and a token indicating that the user is authenticated;
When a confirmation request including information specifying the system operation and the token is received from the information processing apparatus, the token included in the confirmation request is stored in the token based on the information stored in the management information storage unit. A program for executing a process of transmitting a confirmation result to the information processing apparatus, which indicates that a corresponding user has authority to perform a system operation included in the confirmation request.

  As mentioned above, although this invention was demonstrated with reference to each embodiment, this invention is not limited to the said embodiment. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within the scope of the present invention.

DESCRIPTION OF SYMBOLS 100 User terminal 200 Management apparatus 201 User authentication part 2001 Management information storage part 202 Management information storage part 2021 Management information storage part 203 User confirmation part 204 Authority confirmation part 2004 Confirmation part 210 Management apparatus 300 Management object apparatus 301 Process request reception part 3011 Process Request reception unit 302 Processing request proxy unit 3002 Processing request unit 303 Processing execution unit 304 Lower authority checking unit 305 Lower management information storage unit 310 Management target device 401 Access control system 402 Access control system 700 Computer 701 CPU
702 Storage unit 703 Storage device 704 Input unit 705 Output unit 706 Communication unit 707 Recording medium 810 User information 811 User information record 812 User ID
813 Password 814 Subject 820 Token information 821 Token information record 822 Token 823 Expiration date 824 User ID
830 Authority information 831 Authority information record 832 Subject 833 Action 834 Resource

Claims (10)

Management information storage means for storing information indicating a relationship between authority for system operation of an arbitrary granularity and a token indicating that the user is authenticated;
When a confirmation request including the information specifying the system operation and the token is received, based on the information stored in the management information storage unit, a user corresponding to the token included in the confirmation request A confirmation means for transmitting a confirmation result indicating that the user has authority to operate the system included in the confirmation request;
When a system operation request including information specifying the system operation and a token indicating that the user is authenticated is received, the confirmation request is transmitted to the confirmation unit based on the received system operation request. , A processing request for receiving the confirmation result corresponding to the confirmation request and replacing the token included in the system operation request with a token corresponding to a user having administrator authority for the system operation based on the confirmation result And a processing requesting means for outputting the generated processing request. When an authentication request including information necessary for user authentication is received, a token indicating that the user is authenticated is generated, the generated token is transmitted, and the generated token, the user, Further comprising user authentication means for outputting the relationship to the management information storage means,
The management information storage means includes
Authority storage means for storing the relationship between the user and authority for system operation of an arbitrary granularity;
Token storage means for storing a relationship between the user and the token;
The confirmation means includes
When a user confirmation request including the token is received, a user confirmation result including information for identifying a user corresponding to the token included in the user confirmation request is obtained based on information stored in the token storage unit. A user confirmation means to send;
When an authority confirmation request for the user is received, based on the information stored in the authority storage means, it is determined whether or not there is a relationship between the system operation included in the authority confirmation request and the user, and the authority confirmation result is Authority checking means for sending, and
The processing request means includes
When receiving a system operation request including information specifying the system operation and a token indicating that the user is authenticated, a user confirmation request including the token is transmitted to the user confirmation unit, and the user confirmation is performed. A user confirmation result corresponding to the request is received, the authority confirmation request is transmitted to the authority confirmation unit based on the received user confirmation result, the authority confirmation result corresponding to the authority confirmation request is received, and the received A process for generating a first processing request including the first system operation request, the token, and information for identifying a user corresponding to the token, and outputting the generated processing request based on the authority confirmation result Request accepting means;
The authentication request with the user having administrator authority for the system operation as the user is transmitted to the user authentication means, the authentication result corresponding to the authentication request is received, and based on the authority confirmation result, the first The information specifying the user included in one processing request is replaced with information specifying the user having the administrator authority, and the token included in the first processing request is replaced with a token included in the received authentication result. The information processing system according to claim 1, further comprising: a processing request proxy unit that generates the replaced second processing request and outputs the generated second processing request. Including a management device and a management target device,
The management device includes the management information storage means, the user authentication means, the user confirmation means, and the authority confirmation means,
The management information storage means further includes user information storage means for storing information for specifying the user,
The management target device includes the processing request accepting unit, the processing request proxy unit, and a processing execution unit,
The processing request proxy means outputs the second processing request to the processing execution means,
The information processing system according to claim 2, wherein the processing execution unit executes a system operation included in the second processing request. The managed device is:
Subordinate management information storage means for storing a relationship between the user and authority for system operation in the management target device;
Corresponding to the lower authority confirmation request regarding the user, it is determined whether there is a relationship between the system operation included in the lower authority confirmation request and the user based on information stored in the lower management information storage unit, and the lower authority Subordinate authority confirmation means for outputting a confirmation result to the processing execution means,
The processing request proxy means outputs either the first processing request or the second processing request to the processing execution means based on the authority confirmation result,
The processing execution means outputs the lower authority confirmation request to the lower authority confirmation means based on the first processing request, and based on the lower authority confirmation result corresponding to the lower authority confirmation request, outputs the second authority confirmation request. The information processing system according to claim 3, wherein the processing request is executed. The information processing system according to any one of claims 1 to 4, further comprising means for inputting authority for the system operation of the arbitrary granularity. Management information storage means for storing information indicating a relationship between authority for system operation of an arbitrary granularity and a token indicating that the user is authenticated;
When a confirmation request including the information specifying the system operation and the token is received, based on the information stored in the management information storage unit, a user corresponding to the token included in the confirmation request A confirmation means for transmitting a confirmation result to the management target device, indicating that the user has authority to operate the system included in the confirmation request, and
When the managed device receives a system operation request including information specifying the system operation and a token indicating that the user is authenticated, the management target device sends the confirmation request based on the received system operation request. Send to the confirmation means, receive the confirmation result corresponding to the confirmation request, and based on the confirmation result, the token included in the system operation request corresponds to a user having administrator authority for the system operation An information processing apparatus that generates a processing request replaced with a token and outputs the generated processing request. Information specifying system operation of an arbitrary granularity, and information specifying the system operation based on the received system operation request when receiving a system operation request including a token indicating that the user is authenticated; Transmitting the confirmation request including the token to the management device, and indicating that the user corresponding to the token included in the confirmation request has authority to operate the system included in the confirmation request. A processing request in which a token included in the system operation request is replaced with a token corresponding to a user having administrator authority for the system operation based on the confirmation result. Processing request means for generating and outputting the generated processing request. Management information storage means for storing information indicating the relationship between the authority to the token and the token; and a confirmation for transmitting the confirmation result based on the information stored in the management information storage means when the confirmation request is received And an information processing apparatus. A first computer comprising management information storage means for storing information indicating a relationship between authority for system operation of an arbitrary granularity and a token indicating that a user is authenticated,
When a confirmation request including the information specifying the system operation and the token is received from the second computer, the token included in the confirmation request is added to the token based on the information stored in the management information storage unit. Sending a confirmation result to the second computer indicating that the corresponding user has authority to operate the system included in the confirmation request;
The second computer comprises:
When a system operation request including information specifying the system operation and a token indicating that the user is authenticated is received, the confirmation request is sent to the first computer based on the received system operation request. Transmitting and receiving the confirmation result corresponding to the confirmation request from the first computer, and based on the confirmation result, a token included in the system operation request is transmitted to a user having administrator authority for the system operation. An access control method for generating a processing request replaced with a corresponding token and outputting the generated processing request. Management information storage means for storing information indicating a relationship between authority for system operation of an arbitrary granularity and a token indicating that the user is authenticated;
When a confirmation request including the information specifying the system operation and the token is received, based on the information stored in the management information storage unit, a user corresponding to the token included in the confirmation request A computer connected to the information processing apparatus including confirmation means for transmitting a confirmation result indicating that the user has authority to operate the system included in the confirmation request;
When a system operation request including information specifying the system operation and a token indicating that the user is authenticated is received, the confirmation request is transmitted to the information processing apparatus based on the received system operation request Then, the confirmation result corresponding to the confirmation request is received from the information processing apparatus, and based on the confirmation result, the token included in the system operation request corresponds to a user having administrator authority for the system operation. An access control method for generating a processing request replaced with a token and outputting the generated processing request. Management information storage means for storing information indicating a relationship between authority for system operation of an arbitrary granularity and a token indicating that the user is authenticated;
When a confirmation request including the information specifying the system operation and the token is received, based on the information stored in the management information storage unit, a user corresponding to the token included in the confirmation request A computer connected to the information processing apparatus, including a confirmation means for transmitting a confirmation result, indicating that the system operation included in the confirmation request has authority.
When a system operation request including information specifying the system operation and a token indicating that the user is authenticated is received, the confirmation request is transmitted to the information processing apparatus based on the received system operation request Then, the confirmation result corresponding to the confirmation request is received from the information processing apparatus, and based on the confirmation result, the token included in the system operation request corresponds to a user having administrator authority for the system operation. A program for generating a processing request replaced with a token and executing processing for outputting the generated processing request.

Images