WO2014005268A1 - Procédé et dispositif d'accès aux ressources - Google Patents

Procédé et dispositif d'accès aux ressources Download PDF

Info

Publication number
WO2014005268A1
WO2014005268A1 PCT/CN2012/078071 CN2012078071W WO2014005268A1 WO 2014005268 A1 WO2014005268 A1 WO 2014005268A1 CN 2012078071 W CN2012078071 W CN 2012078071W WO 2014005268 A1 WO2014005268 A1 WO 2014005268A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
resource
rule
parsing
identifier
Prior art date
Application number
PCT/CN2012/078071
Other languages
English (en)
Chinese (zh)
Inventor
许斌
张永靖
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to PCT/CN2012/078071 priority Critical patent/WO2014005268A1/fr
Priority to CN201280001197.XA priority patent/CN104169930B/zh
Publication of WO2014005268A1 publication Critical patent/WO2014005268A1/fr

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/105Arrangements for software license management or administration, e.g. for managing licenses at corporate level
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2145Inheriting rights or properties, e.g., propagation of permissions or restrictions within a hierarchy

Definitions

  • the present invention relates to the field of communications, and in particular, to a resource access method and device
  • Machine-to-Machine Communications is a networked application and service centered on intelligent machine interaction. It embeds wireless or wired communication modules and application processing logic inside the machine to realize data communication without manual intervention to meet the information needs of users for monitoring, command and dispatch, data acquisition and measurement.
  • the access control mechanism is used to prevent data from being illegally accessed by unauthorized applications in M2M terminals, gateways, and service platforms, thereby ensuring the privacy and security of various types of data.
  • the elements involved in a single visit include the requester (access subject), access operations (such as "read”, “write”, etc.) and access objects (access object).
  • the access control mechanism works by: When the accessing entity initiates an access request for accessing certain access operations of the object, the access rule is allowed or prohibited according to the access rule associated with the accessing object.
  • the access rule set is configured in the access rights resource, and the configuration is limited.
  • Method 1 If the resource to be configured has no relationship with other resources, then create a new access right that meets the requirements. Resource and reference the resource; Method 2: The resource to be configured is related to other resources in access rights. For example, a resource with a parent-child relationship has an inheritance relationship, and directly refers to an access resource of another resource. Because M2M is organized and managed in the structure of resource tree, there are hierarchical relationships among resources, and resources have many relationships. Therefore, method 2 (that is, directly accessing access resources of other resources) is used to configure access rights of resources.
  • the invention provides a resource access method and device, which realizes access authority inheritance between resources and improves management efficiency of resource access rights.
  • a resource access method including receiving a resource access request of an access device, where the resource access request includes an access device identifier, an access resource identifier, and a resource access operation indication; the rights resource identifier, according to the at least two access rights
  • the resource identifier reads an access authority resource indicated by each access authority resource identifier; determining an access rule set for the resource according to the parsing rule for the resource and the access authority resource; and according to the access rule set and the device
  • the identification and the resource access operation indication are responsive to a resource access request of the access device.
  • the method further includes: receiving a setting request for accessing the resource, where the setting request includes at least two access rights resource identifiers, and setting the access rights for the resources according to the at least two access rights resource identifiers .
  • the setting request further includes a rule parsing identifier, where determining, according to the parsing rule for the resource and the accessing authority resource, an access rule set for the resource, including: parsing according to the rule The parsing rule corresponding to the identifier parses the access authority resource, and acquires an access rule set for the resource.
  • the setting request further includes an access authority resource priority rule, and determining, according to the parsing rule for the resource and the access authority resource, an access rule set for the resource, including: according to the The access authority resource priority rule and the parsing rule corresponding to the rule resolution identifier parse the access authority resource, and obtain an access rule set for the resource.
  • the setting request further includes an access authority resource priority rule, and determining, according to the parsing rule for the resource and the access authority resource, an access rule set for the resource, including: according to the The access authority resource priority rule and the parsing rule corresponding to the rule resolution identifier parse the access authority resource, and obtain an access rule set for the resource.
  • the setting request further includes: dividing a plurality of access rights resources, so that the multiple The access authority resource includes an access authority resource parent block and a plurality of sub-blocks corresponding to the parent block, and the parent block and the plurality of sub-blocks corresponding to the parent block each include a corresponding rule resolution identifier, and the Determining the access rule set for the resource by the parsing rule and the access authority resource, including: first parsing the access authority resource according to a parsing rule corresponding to the parent block rule parsing identifier, and then according to the The rule resolution identifier corresponding to the plurality of sub-blocks parses the access authority resource corresponding to the sub-block, and acquires an access rule set for the resource.
  • the setting request further includes a priority rule of the parent block and the sub-block, and determining, according to the parsing rule for the resource and the access authority resource, an access rule set for the resource, including: And parsing the access authority resource according to the parsing rule and the priority rule corresponding to the parent block rule parsing identifier, and then accessing the rule set according to the parsing rule resource corresponding to the plurality of sub-block rule parsing identifiers.
  • the setting request includes at least two indirect access rights resource identifiers, and determining, according to the parsing rules for the resources and the access rights resources, an access rule set for the resources, including:
  • the indirect access authority resource identifier obtains the access authority resource address, and the access authority resource is read according to the access authority resource address; the access authority resource is parsed according to the parsing rule corresponding to the rule parsing identifier, and the resource is obtained for the resource Access rule set.
  • the access rule set includes an access subject set and an access operation set corresponding to the access body, and the resource that responds to the access device according to the access rule set and the device identifier and the resource access operation indication
  • the access request includes: if the access device matches the set of access subjects, and the resource access operation indicates that the indicated access operation matches the access operation set, allowing the access device to access the resource; The access device does not match the set of access subjects, or the access device matches the set of access subjects, but the access operation indicated by the resource access operation indication does not match the access operation set of the access device, And the access device is denied access to the resource; if the access device matches the set of access subjects, but the access operation set of the access device is “None”, the various access operation requests of the access device are rejected.
  • a resource access apparatus including: a receiving unit, configured to receive a resource access request of an access device, where the resource access request includes an access device identifier, an access resource identifier, and a resource Identifying at least two access rights resource identifiers of the corresponding resources, and reading the access rights resources indicated by the access rights resource identifiers according to the at least two access rights resource identifiers; and further, according to the parsing rules for the resources, Accessing a permission resource, determining an access rule set for the resource; and a response unit, configured to respond to the resource access request of the access device according to the access rule set and the device identifier and the resource access operation indication.
  • the resource accessing device further includes: a setting unit, configured to set an access right of the resource, where the setting unit includes: a receiving subunit, configured to receive a setting request for accessing the resource, The setting request includes at least two access rights resource identifiers; and a setting subunit, configured to identify an access authority resource identifier of the resource according to the setting request received by the receiving subunit.
  • a setting unit configured to set an access right of the resource
  • the setting unit includes: a receiving subunit, configured to receive a setting request for accessing the resource, The setting request includes at least two access rights resource identifiers; and a setting subunit, configured to identify an access authority resource identifier of the resource according to the setting request received by the receiving subunit.
  • the receiving subunit is specifically configured to: receive a setting request for accessing the resource, where the setting request further includes a rule parsing identifier, where the acquiring unit includes: a first acquiring unit, Obtaining at least two access rights resource identifiers in the access right identifiers of the resources, respectively reading the access rights resources according to the access rights resource identifiers; the second obtaining unit, according to the parsing rules corresponding to the rule parsing identifiers Parsing the access authority resource to obtain an access rule set for the resource.
  • the receiving subunit is further configured to: receive an access permission setting request for the resource, where the setting request further includes an access authority resource priority rule, where the acquiring unit further includes: a third acquiring unit And the step of parsing the access authority resource according to the access authority resource priority rule and the parsing rule corresponding to the rule parsing identifier, and obtaining an access rule for the resource, where the receiving subunit further Specifically, the method is: receiving a setting request for accessing the resource, where the setting request further includes: dividing a plurality of access rights resources, wherein the multiple access rights resources include an access rights resource parent block and the a plurality of sub-blocks corresponding to the parent block, the parent block and the plurality of sub-blocks corresponding to the parent block each include a corresponding rule-resolving identifier, and the acquiring unit further includes: a fourth acquiring unit, configured to first The parsing rule corresponding to the block rule parsing identifier parses the access authority resource, and then parses the identifier according to
  • the receiving sub-unit is further configured to: receive a setting request for accessing the resource, where the setting request further includes a priority rule of the parent block and the sub-block, and the acquiring unit further includes And a fifth acquiring unit, configured to parse the access permission resource according to a parsing rule and a priority rule corresponding to the parent block rule parsing identifier, and then describe an access rule set of the resource according to a rule corresponding to the multiple sub-blocks .
  • the receiving sub-unit is further configured to: receive a setting request for accessing a resource, where the setting request includes at least two indirect access rights resource identifiers, and the acquiring unit further includes a sixth acquiring unit, And the access authority resource is obtained according to the indirect access authority resource identifier, and the access authority resource is read according to the access authority resource address; and the access permission resource is parsed according to the parsing rule corresponding to the rule parsing identifier. An access rule set for the resource.
  • the response unit is specifically configured to: if the access device matches the access subject set, and the resource access operation indicates that the indicated access operation matches the access operation set of the access device, The access device accesses the resource; if the access device does not match the set of access subjects, or the access device matches the set of access subjects but the resource access operation does not match the access operation set, And the access device is denied access to the resource; if the access device matches the access subject set, but the access device has an access operation set of “None”, the access device requests of the access device are rejected.
  • the device includes: an M2M terminal, an M2M platform, and an M2M gateway.
  • the entity having the resource configuration authority sets the access authority resource identifier of the resource in the resource access device, and adds the access authority resource identifier of the other resource to the access authority resource identifier.
  • the resource access device can obtain the relevant access authority resource according to the access authority resource identifier, and parse the access permission resource according to the parsing rule set by itself, thereby implementing mutual inheritance of the access authority resources between the resources, so that the resource The access rights can be adjusted according to the modification of the access rights of the inherited resources, thereby improving the management efficiency of the resource access rights, and at the same time, improving the utilization of the access resource storage space and saving storage space.
  • Figure 1 is a typical M2M system architecture diagram
  • 2 is a flowchart of a resource access method according to an embodiment of the present invention
  • FIG. 3B is a representational state transition resource tree of resources according to an embodiment of the present invention.
  • FIG. 4 is a signaling interaction diagram of a resource access method according to an embodiment
  • FIG. 5 is a schematic diagram of a signaling interaction configuration of a resource access authority resource identifier in a resource access method according to another embodiment of the present invention.
  • FIG. 6 is a resource access method of this embodiment
  • FIG. 7 is a diagram showing an access authority resource identifier setting signal interaction diagram of a resource access method according to another embodiment of the present invention.
  • FIG. 8 is a signaling interaction diagram of a resource access method according to another embodiment; setting a signaling interaction diagram
  • FIG. 9B is a structural diagram of an access authority resource identifier having multiple access rights resource blocks according to an embodiment of the present invention.
  • FIG. 10 is a signaling interaction diagram of a resource access method according to still another embodiment of the present invention.
  • FIG. 11 is a schematic diagram of a resource access apparatus according to an embodiment of the present invention.
  • FIG. 12 is a schematic diagram of a setting unit in a resource access device according to an embodiment of the present invention.
  • FIG. 13 is a schematic diagram of an acquiring unit in a resource access device according to an embodiment of the present invention.
  • FIG. 14 is a schematic diagram of a resource access apparatus according to another embodiment of the present invention. detailed description
  • Figure 1 shows a typical M2M system architecture diagram, including:
  • the M2M network application NA 101 is used for registering to the M2M service platform 102, accessing data collected by the M2M device through the mid interface, and also for remote device management of the M2M device;
  • the M2M device D, 104 is connected to the M2M service platform 102 through the M2M gateway G103;
  • the M2M device dl05 is connected to the M2M service platform 102 through the M2M gateway G103;
  • the M2M device dl05 connects to the M2M service platform 102 through the M2M device D 106.
  • the M2M device dl05 and the M2M device dl05 are traditional devices that do not conform to the ETSI M2M specification; the M2M device D and the M2M device D are devices that conform to the ETSI M2M specification, wherein the M2M device D has the service capability layer defined by the ETSI M2M standard.
  • SCL Service Capability Layer
  • M2M device D does not have the Service Capability Layer (SCL) defined by the ETSI M2M standard.
  • M2M Gateway G103 uses Gateway Interworking Proxy (GIP, Gateway Interworking Proxy) by wireless or wired communication (eg, Zigbee, Bluetooth, DLMS/COSEM, Zwave, BACnet, ANSIC12, mBus, etc.) with M2M legacy device d and M2M device D ,interconnected.
  • GIP Gateway Interworking Proxy
  • the mid interface between the M2M gateway or the M2M device D and the M2M platform generally uses wired or wireless wide area network communication (eg, Xdsl, HFC, satellite, GERAN, UTRAN, eUTRAN, W-LAN and WiMAX, etc.).
  • FIG. 2 is a flowchart of a resource access method according to an embodiment of the present invention, including:
  • 201 Receive a resource access request of an access device, where the resource access request includes an access device identifier, an access resource identifier, and a resource access operation indication.
  • the middleware receives the resource access request from the access device, and requests related operations on the resource, such as: reading, writing, and the like.
  • the middleware is a logical entity set in the M2M terminal or the M2M gateway or the M2M platform.
  • the resource access request includes an access device identifier, an access resource identifier, and a specific access operation indication for the resource.
  • the access device may be an M2M terminal, an M2M platform, or an M2M gateway.
  • the middleware performs related setting on the access authority of the resource in advance. Specifically, the middleware sets a request according to the access authority of the requesting device to the resource, and the access authority resource identifier of the resource is entered into the source identifier, and the access authority resource identifier points to the access.
  • the access authority resource includes an access rule set, and each access rule includes at least an access subject set and an access operation set.
  • the set of access subjects includes a plurality of access subjects that allow access to the resource, the access subject may employ a URI, a global identifier, or An identifier of a specific meaning is described.
  • the access operation set includes allowable access operations corresponding to the allowed access subject, such as "read”, "write”, etc.
  • the access operation can also be described by using a URI, a global identifier, or an identifier of a specific meaning.
  • the two access rights resource identifiers are used to read the access rights resources indicated by the access rights resource identifiers according to the at least two access rights resource identifiers.
  • the middleware may view the access authority resource identifier of the resource corresponding to the resource identifier according to the resource identifier specified in the access request, and obtain the corresponding access authority resource identifier from the access authority resource identifier, according to the access
  • the rights resource ID reads the access rights resource it points to.
  • the access authority resource identifier includes a URI of the access authority resource
  • the middleware can be based on the
  • the URI gets its corresponding access rights resource.
  • the middleware may preset a rule resolution identifier of the access authority resource, where the rule resolution identifier indicates a default parsing rule of the middleware default configuration.
  • the access rule can be parsed by the parsing rule to obtain the access rule set of the resource.
  • the middleware determines whether the access device identifier matches the access subject set in the access rule set, that is, whether it is an access subject in the access subject set, and then determines whether the access operation of the access device matches the subject access operation set, that is, the subject Whether the access operation is an access operation allowed in the access operation set.
  • the middleware allows the access device to perform access operations on the specified resource. Otherwise, when the access device does not satisfy any of the above conditions, the middleware denies the access device from accessing the specified resource. .
  • the access authority of the resource having the resource configuration authority is set, and the access authority resource identifier of the other resource is added to the access authority resource identifier, so that the middleware can be Obtaining the related access authority resource according to the access authority resource identifier, thereby implementing mutual inheritance of the access authority resources between the resources, so that the access authority of the resource can be
  • the access rights of the inherited resources are modified by themselves to improve the management efficiency of the resource access rights.
  • the utilization of the access resource storage space can be improved, and the storage space is saved.
  • a signaling interaction diagram for setting an access authority identifier of a resource in a resource access method according to an embodiment of the present invention includes:
  • the resource setting requesting device sends a setting request for accessing a resource to a receiving device, such as an M2M terminal, an M2M gateway, or an M2M platform, where the setting request includes at least two resource access rights identifiers and resource identifiers to request a pair.
  • a receiving device such as an M2M terminal, an M2M gateway, or an M2M platform
  • the setting request includes at least two resource access rights identifiers and resource identifiers to request a pair.
  • Set the access rights of the resource corresponding to the identifier of the resource includes the permission to set the access resource, and may be an M2M platform.
  • the resources in the M2M describe a Representational State Transfer (RESTful) of the resource as described in FIG. 3B.
  • RESTful Representational State Transfer
  • the field container contains one or more containers ⁇ container>.
  • the container ⁇ container> is a container resource representation of the prior art, and mainly includes data information resources for describing applications or M2M terminals, platforms, and gateways.
  • the container ⁇ container> has the accessRightID attribute, and the accessRightID is the access resource identifier.
  • the accessRightID attribute can be set to AnyURI[0...1 ], which means 0 to 1 URI, which points to the access resource. accessRight. If the accessRightID property is set to "htt : //m2m. o . com/accessRights/ ⁇ ar5 >", the access rule indicating the resource is described by the access resource ⁇ & 5>.
  • Step 302 Set access rights of the resource according to the setting request.
  • the receiving device may modify the setting accessRightID attribute AnyURI[0...1] to AnyURI[0...unbounded] (that is, AnyURIList), and each URI needs to point to the access authority resource ⁇ accessRight>, that is, The resource access permission identifier is introduced. This enables a combined reference to at least two access rights resources.
  • the requesting device may be an M2M platform or an M2M2 gateway
  • the receiving device may be an M2M terminal, an M2M platform or an M2M2 gateway.
  • the M2M platform or the M2M2 gateway may request access rights to resources located in other devices such as an M2M terminal, an M2M platform, or an M2M2 gateway through a setting request for access rights of resources, or may also access the resources.
  • the limit setting requests the setting of access rights to resources located locally on the requesting device. That is to say, the requesting device and the receiving device may be the same device or different devices.
  • the embodiments of the present invention are not limited herein.
  • the signaling interaction diagram of the resource access method in this embodiment includes:
  • the access device sends a resource access request to the receiving device, where the resource access request includes an access identifier, a resource identifier, and a resource access operation indication for the resource.
  • the receiving device is configured to view the access right resource identifier of the resource according to the resource identifier, obtain at least two access rights resource identifiers, and read the corresponding access rights resource according to the at least two access rights resource identifiers, and parse the identifier according to the preset rule.
  • the specified parsing rule parses at least two access rights resources to obtain a resource access rule set for the resource.
  • the receiving device returns a resource access response to the access device according to the access rule set, the access device identifier, and the access device operation indication of the resource.
  • the rule resolution identifier is described by a string.
  • the preset rule resolution identifier is "overlay”, and the resolution rule specified by the rule resolution identifier is "sequential coverage”. Specifically, the resources are sequentially acquired from the previous ones, and at least two imported access rights resources are used to identify respective access rights resources. The access rules in each access permission resource are analyzed sequentially.
  • the set of allowed access actions is determined by the first access rule that contains the access subject. If the access device matches the set of access subjects in the access rule set, it is determined whether the access operation of the access device belongs to the access operation set, and if so, the access device is allowed to access and operate the resource. If the access device does not belong to the access subject set in the access rule set, or if the access device belongs to the access subject set in the access rule set, but the access operation does not match the allowed access operation set, or the access operation set is "none", The resource access request of the access device is rejected.
  • FIG. 5 is a schematic diagram showing the signaling interaction configuration of the resource access authority resource identifier in the resource access method according to another embodiment of the present invention. Includes:
  • the requester sends an access authority resource identifier setting request for the resource to the receiving device, where the setting request includes a resource identifier, an access authority resource identifier, and a rule resolution identifier.
  • the resource identifier points to a resource that needs to set a privilege resource identifier
  • the privilege resource identifier is an identifier of the imported access privilege resource
  • the rule parsing identifier is an identifier corresponding to the parsing rule to be set, and is described by a character or a string, for example, Set to "overlay”, “union”, etc., respectively, to use “sequential coverage", "take the collection” way to parse access rights resources.
  • the rule resolution identifier may be set to any other form that can be understood by those skilled in the art. If there is no rule resolution identifier or the value of the rule resolution identifier is not set, the default parsing rules are used, such as: parsing the permission resources one by one from the back to the front.
  • the receiving device such as the M2M terminal, the M2M gateway, or the M2M platform, adds the imported rights resource identifier and the rule resolution identifier to the access rights identifier of the resource corresponding to the resource identifier according to the setting request.
  • accessRightlD includes an imports element
  • the element includes one or more import elements and at least one resolveMode element
  • each import element is used for the bow I.
  • the resolveMode is used to describe the rule resolution identifier to indicate a certain parsing rule.
  • the rule parsing identifier can be set to "RFC4745 or "RFC3530", etc., to indicate that the access authority resource is parsed according to the RFC4745 or RFC3530 specifications. Please refer to the relevant specifications for the resolution rules specified by the RFC4745 or RFC3530 rule resolution identifier.
  • the resource access method in this embodiment includes:
  • the access device sends an access request to the receiving device, where the access request carries a resource identifier, an access device identifier, and an access operation to the resource.
  • the receiving device checks the access permission identifier and the rule resolution identifier according to the access permission identifier of the resource, and reads the access permission resource of the resource according to the access permission resource identifier, and then accesses the access according to the parsing manner corresponding to the rule resolution identifier.
  • the permission resource is parsed to obtain an access rule set for the resource.
  • the access device identifier belongs to the access subject set in the access rule set, and the access operation belongs to the allowed access operation set of the access rule set, the resource access request of the device is allowed to be accessed, otherwise the jumbo color is given.
  • the middleware when the access device reads the resource, the middleware first obtains the value of resolveMode, which is "RFC4745", and then parses the access rule set for the resource according to the RFC 4745 specification of the rule resolution identifier. According to the parsed access rule set, it is judged whether the access device can read the resource, and if so, the read is allowed, if otherwise, the reject response is given.
  • resolveMode which is "RFC4745”
  • resolveMode if some of the resolution modes indicated by resolveMode have priority requirements for the imported rights resources, the access rights resources are parsed according to the priority requirements.
  • the following access resource resource identifier points to multiple access rights resources, and the access rights resources are excellent.
  • the configuration of the resource access identifier setting signaling interaction diagram of another embodiment of the present invention is as follows:
  • the requesting device sends a setting request for an access right identifier of a specific resource to a receiving device, such as an M2M terminal, an M2M gateway, or an M2M platform, where the setting request includes a resource identifier, an imported access right resource identifier, a rule parsing identifier, and an access. Permission resource priority rules.
  • the receiving device sets an access authority resource identifier of the specified resource according to the setting request.
  • the access authority resource for each entry defines a priority value according to the access authority resource priority rule.
  • the priority attribute is set for each import element of the access resource identifier.
  • the value of the attribute can be a numeric value or a character to describe the priority relationship of the imported access rights resource.
  • the signaling interaction diagram of the resource access method in this embodiment includes:
  • the access device sends a resource access request to the receiving device, where the resource access request includes a resource identifier, an access device identifier, and an access operation to the resource.
  • the receiving device may be an M2M terminal, an M2M gateway, or an M2M platform
  • the access device may also be an M2M terminal, an M2M gateway, or an M2M platform.
  • the receiving device searches for an access right resource identifier under the resource corresponding to the resource identifier according to the resource identifier in the resource access request, and reads the access right resource according to the access right identifier under the access right resource identifier, and according to the
  • the rule resolution identifier under the access authority resource identifier is parsed by the parsing rule corresponding to the rule parsing identifier, and the access rule set for the resource is obtained.
  • the receiving device accesses the device according to the access device identifier, the access operation, and the access rule set. Returns the resource access response.
  • the access device belongs to the access subject set in the access rule set, and determines whether the access operation carried in the access request indicates that the access operation corresponding to the access operation belongs to the access operation set allowed by the access subject, if yes, the access device is allowed to perform resources on the resource. Access and operation; if the access device does not match the set of access subjects in the access rule set, or if the access operation does not match the allowed access operation set, the resource access and operation of the access device are rejected.
  • ⁇ /imports> The example shown above shows that the access rights of the resource are described by the access rights resources ⁇ ar3> and ⁇ ar4>, and the imported access rights have a priority relationship.
  • the ⁇ ar3> has higher priority.
  • the priority of ⁇ ar4> is also indicated by the resolveMode indicating that the parsing rules are based on the "sequential coverage" method.
  • the parsed rule set is:
  • the parsed rule set is the access subject "Appl” allows access operations “Write” and “Read”, the access body body “App2” allows access operation “Read”, the main body “App3” allows access operation”Write”.
  • the resolveMode can also be set to "RFC4745", “RFC3530”, etc., respectively, according to the "RFC4745” specification,
  • the "RFC3530" specification performs rule analysis. For details, please refer to the corresponding specification.
  • the resource access method will be described below by taking an access right identifier from a plurality of access rights resources, and the access rights resource is introduced in a block, including a parent block and a plurality of sub-blocks corresponding to the parent block.
  • a signaling interaction diagram for setting an access authority resource identifier of a resource in a resource access method includes:
  • the requester sends a setting request for an access right identifier of the resource to a receiving device, such as an M2M terminal, an M2M gateway, or an M2M platform, where the setting request includes a resource identifier, an access authority resource identifier, and a parent block for the access authority resource.
  • a receiving device such as an M2M terminal, an M2M gateway, or an M2M platform
  • the setting request includes a resource identifier, an access authority resource identifier, and a parent block for the access authority resource.
  • the rule of sub-block division, and the rule resolution identifier corresponding to the parent block and each sub-block respectively.
  • the parent block is specified by setting an "introduction” (ie, "imports”) element of the access authority identifier
  • the child block is specified by setting a “reference” (ie, "import”) element of the access authority identifier.
  • the receiving device sets an access right of the specified resource according to the setting request. Specifically, the receiving device obtains the resource according to the resource identifier specified in the setting request, and updates the access right identifier of the resource to the access right identifier carried in the request. That is, the access rights resource is partitioned, that is, the parent block and the plurality of sub-block access rights resources corresponding to the parent block are set. Each sub-block includes at least one access rights resource identifier. A separate rule resolution ID can be set for each sub-block and each parent block. At the same time, each sub-block and each parent block can also set a priority rule.
  • an access rights resource identifier that introduces access rights resources into chunks can be described as a data structure as shown in Figure 9B.
  • the accessRightID structure map of the access authority resource identifier having multiple imports includes an ersmissionsRef element, the element further includes one or more imports elements, and each imports element includes one or more import elements, each The import element includes one or more access rights resource identifiers.
  • the signaling interaction diagram of the resource access method in this embodiment includes:
  • the access device sends a resource access request to the receiving device, where the resource access request includes a resource identifier, an access device identifier, and an access operation to the resource.
  • the receiving device may be an M2M terminal, an M2M gateway, or an M2M platform, and the access device may also be an M2M terminal, an M2M gateway, or an M2M platform.
  • the receiving device checks, according to the resource identifier in the resource access request, an access right resource identifier under the resource corresponding to the resource identifier, and first performs a parent node according to the parsing rule and the priority rule corresponding to the parent block rule parsing identifier.
  • the corresponding access permission resource is parsed, and then the access permission resource corresponding to the sub-block is parsed according to the rule parsing identifier and the priority rule corresponding to the multiple sub-blocks, and the resource access rule set for the resource is obtained.
  • the receiving device returns a resource access response to the access device according to the access device identifier, the access operation indication, and the access rule set.
  • the access rights of the resource are jointly described by the access rights resources ⁇ arl>, ⁇ ar2>, ⁇ ar3>, ⁇ ar4>, ⁇ ar5>, ⁇ ar6> ⁇ ar7>, when the access device
  • the receiving device first obtains the value of the resolve parameter of the "permission reference" (ie, permissionsRef) element, "RFC3530" (ie, the rule resolution identifier is RFC3530).
  • the RFC 3530 specification that resolves the identity indication in accordance with the rule parses the access rule set for the resource.
  • the RFC 3530 specification parsing method has priority requirements for access rights resources.
  • the receiving device reads the priority priority attribute of the imports element, and prioritizes according to the attribute value.
  • the priority of the last imports is the value of the priority attribute. Therefore, first the access permission resource in the imports element is parsed, and then the first imports element is parsed, because the importance attribute value of the imports element is 2, and finally the intermediate imports element is parsed because the imports
  • the element's priority attribute value is 1, and the analysis of the imports element is based on the parsing method indicated by the value of the sub-element resolveMode. Finally, based on the parsed access rule set, it is determined whether the requester can read the resource and respond.
  • the middleware rejects or allows the response not always triggered after all the rules are parsed, but is triggered immediately when it is determined that the access device's resource access request does not meet the access rules.
  • the resource access method of another embodiment of the present invention is further described below by taking an access resource identifier directly or indirectly pointing to multiple access rights resources as an example.
  • the access authority resource identifier of the resource and the resource are directly or indirectly pointed to the access authority resource identifier, and the indirect meaning means that the access authority resource identifier does not point to the access authority resource itself.
  • access rights associated with a resource consist of zero or more direct or indirect pointing access resource IDs. For example, set the accessRightID property of the resource Resource to "http://m2m.o.com/containers/ ⁇ container 1 >;http://m2m.op.com/accessRights/ ⁇ ar5>" to indicate that the resource has access rights.
  • resource htt ://m2m. o . com/containers/ ⁇ container2> accessRightID indicates access rights to access device to resource Resource When the read operation is performed, the default access rights of the receiving device are received.
  • the resource-resolving rule first parses whether the access subject set of the access rule set after ⁇ 5> contains the requester, and if it exists and the allowed access operation set includes the read operation, the requester is allowed to read the resource, if The allowed access operation set does not contain a read operation, and the requestor is not allowed to read the resource.
  • the access subject set of the access rule set after parsing ⁇ 5> does not include the requester, continue to analyze the access authority resources indicated by the resource ⁇ container2> ⁇ accessRightlD until all the access rights resources are resolved. It is worth noting that after parsing " http://m2m.op om/containers/ ⁇ container2>/accessRightID''H ⁇ , the device needs to be parsed by the source identifier. In parsing htt : ⁇ m2m.op.
  • i refers to the accessRightlD resource of the resource.
  • i refers to the accessRightlD resource of the resource.
  • the resource access device includes: a setting unit 1101, configured to set an access authority resource identifier of a resource, and enable an access authority resource identifier of the resource.
  • the resource access request includes at least two resource access rights identifiers, and the resource access rights identifiers are directed to the access rights resources.
  • the 1102 receiving unit is configured to receive a resource access request of the access device, where the resource access request includes an access device identifier and a resource access operation;
  • the obtaining unit, the resource identifier identifies the access authority resource; parses the access authority resource according to a preset parsing rule, and obtains a resource access rule set for the resource;
  • 1104 a response unit, configured to use the resource access rule according to the resource access rule
  • the set and the access device identity are responsive to the access device resource access request.
  • the setting unit 1101 includes as shown in FIG. 12:
  • the acquisition unit is shown in Figure 13, and includes:
  • the first obtaining unit is configured to acquire an access right resource identifier in the access right identifier of the resource, and read the access right resource according to the access right resource identifier;
  • the second obtaining unit 11032 parses the access authority resource according to the parsing rule corresponding to the rule parsing identifier, and acquires a resource access rule set for the resource.
  • the third obtaining unit 11033 is configured to parse the access authority resource according to the access authority resource priority rule and the parsing rule corresponding to the rule resolution identifier, and acquire a resource access rule set for the resource.
  • the fourth obtaining unit 11034 is configured to parse the access permission resource according to the parsing rule corresponding to the parent block rule parsing identifier, and then corresponding to the sub-block according to the rule parsing identifier corresponding to the multiple sub-blocks
  • the access rights resource is parsed to obtain a resource access rule set for the resource.
  • the fifth obtaining unit 11035 is configured to parse the access permission resource according to the parsing rule and the priority rule corresponding to the parent block rule parsing identifier, and then, according to the resource corresponding to the resource, corresponding to the multiple sub-blocks Access rule sets.
  • the sixth obtaining unit 11036 is configured to obtain an access authority resource address according to the indirect access authority resource identifier, and read the access authority resource according to the access authority resource address.
  • the resource access device in the embodiment of the present invention may be an M2M terminal, an M2M platform, or an M2M gateway.
  • the resource access device of the embodiment of the present invention sets the access authority resource identifier of the resource in the resource access device by the entity having the resource configuration authority, and adds the access authority resource identifier of the other resource to the access authority resource identifier.
  • the resource access device can obtain the related access authority resource according to the access authority resource identifier, thereby implementing mutual inheritance of the access authority resources between the resources, so that the access authority of the resource can be modified according to the access authority of the inherited resource.
  • Self-adjustment improves the management efficiency of resource access rights. At the same time, it can improve the utilization of access resource storage space and save storage space.
  • FIG. 14 is a schematic structural diagram of another resource access apparatus according to an embodiment of the present invention, including a memory 1401, and a processor 1402.
  • the memory 1401 is used to store the units described in FIG. 11-13
  • the processor 1402 is coupled to the memory 1401, and each unit in the operational memory 1401 performs the respective functions of the units in the memory 1401.
  • the functions of the units in the memory 1401 in FIG. 14 are the same as those in the units in FIG. 11-13, and the embodiments of the present invention are not described in detail herein.
  • the M2M platform can be a computer, a device with a processor.
  • M2M gateways and M2M terminals are not strictly distinguished on the device.
  • devices that use gateways can also serve as terminals.
  • various terminal devices such as mobile phones, computers, PDAs, notebook computers, remote controllers, household appliances, and various instruments , sensors, etc. can be used as gateways or terminals for M2M networks.
  • each unit included is only divided according to functional logic, but is not limited to the above division, as long as the corresponding function can be implemented; in addition, the specific names of the functional units are only for convenience. They are distinguished from each other and are not intended to limit the scope of protection of the present invention.
  • the above-mentioned method for realizing the charging and the functions of each functional unit of the charging device can be completed by the M2M gateway or the processor running the M2M platform.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM: Read Random Memory), or a random access memory (RAM).

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)

Abstract

L'invention concerne un procédé et un dispositif d'accès aux ressources. Le procédé comprend : la réception d'une demande d'accès aux ressources d'un dispositif d'accès ; selon la demande d'accès aux ressources, l'obtention d'au moins deux ressources d'autorisation d'accès à la ressource ; selon une règle d'analyse pour la ressource et les ressources d'autorisation d'accès, la détermination d'un ensemble de règles d'accès pour la ressource ; et selon l'ensemble de règles d'accès, l'identifiant de dispositif et l'indication d'opération d'accès aux ressources, la réponse à la demande d'accès aux ressources du dispositif d'accès. Le procédé et le dispositif d'accès aux ressources dans les modes de réalisation de l'invention obtiennent l'héritage mutuel des ressources d'autorisation d'accès entre les ressources pour permettre à l'autorisation d'accès des ressources de réaliser une auto-adaptation avec la modification de l'autorisation d'accès de la ressource héritée, ce qui améliore l'efficacité de la gestion des autorisations d'accès aux ressources.
PCT/CN2012/078071 2012-07-02 2012-07-02 Procédé et dispositif d'accès aux ressources WO2014005268A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2012/078071 WO2014005268A1 (fr) 2012-07-02 2012-07-02 Procédé et dispositif d'accès aux ressources
CN201280001197.XA CN104169930B (zh) 2012-07-02 2012-07-02 资源访问方法及装置

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2012/078071 WO2014005268A1 (fr) 2012-07-02 2012-07-02 Procédé et dispositif d'accès aux ressources

Publications (1)

Publication Number Publication Date
WO2014005268A1 true WO2014005268A1 (fr) 2014-01-09

Family

ID=49881221

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/078071 WO2014005268A1 (fr) 2012-07-02 2012-07-02 Procédé et dispositif d'accès aux ressources

Country Status (2)

Country Link
CN (1) CN104169930B (fr)
WO (1) WO2014005268A1 (fr)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107637043B (zh) * 2015-10-19 2020-08-07 华为技术有限公司 用于约束环境中资源管理的业务提供方法、系统和装置
CN105915621A (zh) * 2016-05-11 2016-08-31 深圳市永兴元科技有限公司 访问数据的方法及预处理服务器
CN109150815B (zh) * 2017-06-28 2021-11-23 阿里巴巴集团控股有限公司 资源处理方法、装置和机器可读介质
CN113128200B (zh) * 2019-12-31 2023-07-21 北京百度网讯科技有限公司 用于处理信息的方法和装置
CN116980182B (zh) * 2023-06-21 2024-02-27 杭州明实科技有限公司 异常请求检测方法、装置和电子设备

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1848022A (zh) * 2005-04-13 2006-10-18 华为技术有限公司 一种基于访问控制列表的权限控制方法
CN101197026A (zh) * 2007-12-20 2008-06-11 浙江大学 高性能访问控制系统中资源及其访问控制策略的设计与存储方法
CN101655892A (zh) * 2009-09-22 2010-02-24 成都市华为赛门铁克科技有限公司 一种移动终端和访问控制方法
CN102129539A (zh) * 2011-03-11 2011-07-20 清华大学 基于访问控制列表的数据资源权限管理方法

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1845104B (zh) * 2006-05-22 2012-04-25 赵开灏 信息智能检索加工的系统和方法

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1848022A (zh) * 2005-04-13 2006-10-18 华为技术有限公司 一种基于访问控制列表的权限控制方法
CN101197026A (zh) * 2007-12-20 2008-06-11 浙江大学 高性能访问控制系统中资源及其访问控制策略的设计与存储方法
CN101655892A (zh) * 2009-09-22 2010-02-24 成都市华为赛门铁克科技有限公司 一种移动终端和访问控制方法
CN102129539A (zh) * 2011-03-11 2011-07-20 清华大学 基于访问控制列表的数据资源权限管理方法

Also Published As

Publication number Publication date
CN104169930A (zh) 2014-11-26
CN104169930B (zh) 2017-02-22

Similar Documents

Publication Publication Date Title
US11159606B2 (en) Lightweight IoT information model
US11799711B2 (en) Service layer resource management for generic interworking and extensibility
US11093556B2 (en) Restful operations for semantic IoT
US9686362B2 (en) Smart access point and method for controlling internet of things apparatus using the smart access point apparatus
JP5981662B2 (ja) 無線通信システムにおいて接近権限認証のための方法及び装置
CN109936571B (zh) 一种海量数据共享方法、开放共享平台及电子设备
CN112039942A (zh) 一种订阅发布方法及服务器
US20170187831A1 (en) Universal Abstraction Layer and Management of Resource Devices
KR101417194B1 (ko) 식별자 관리 서버, 응용 서비스 플랫폼, 센서노드의 식별자를 이용한 장치 인식 방법 및 시스템
US20140164544A1 (en) Enabling a computing device to utilize another computing device
JP7433294B2 (ja) アクセスコントロールポリシーの配置方法、装置、システム及び記憶媒体
Hirmer et al. Automated Sensor Registration, Binding and Sensor Data Provisioning.
JP6888078B2 (ja) ネットワーク機能nf管理方法及びnf管理装置
WO2014005268A1 (fr) Procédé et dispositif d'accès aux ressources
CN112995166B (zh) 资源访问的鉴权方法及装置、存储介质、电子设备
CN107306247B (zh) 资源访问控制方法及装置
WO2016141783A1 (fr) Procédé de contrôle d'accès, d'acquisition de politique, d'acquisition d'attribut et appareil associé
WO2017121240A1 (fr) Procédé, dispositif et système de contrôle d'accès aux ressources
WO2019246530A1 (fr) Procédés basés sur une couche de service pour permettre une analyse efficace de données de l'ido
EP2814217B1 (fr) Procédé de contrôle d'accès à un dispositif wifi, et dispositif wifi correspondant
WO2017107473A1 (fr) Procédé de contrôle d'accès au réseau d'un instrument intelligent, station maître et unité de concentration de données
US20210075869A1 (en) Cross-domain discovery between service layer systems and web of things systems
Sahni et al. Web apis for internet of things
TWI428765B (zh) 可共享應用程式配置參數的電子系統及其方法
WO2017076129A1 (fr) Procédé d'émission de rôle, procédé de commande d'accès, et dispositif pertinent

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12880474

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12880474

Country of ref document: EP

Kind code of ref document: A1