WO2016141783A1 - Method for access control, policy acquisition, attribute acquisition and related apparatus - Google Patents

Info

Publication number
WO2016141783A1
Authority
WO
WIPO (PCT)
Prior art keywords
resource
access control
policy
cse
point
Prior art date
Application number
PCT/CN2016/072206
Other languages
French (fr)
Chinese (zh)
Inventor
周巍
Original Assignee
电信科学技术研究院

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • the present application relates to the field of communications technologies, and in particular, to an access control, a policy acquisition, an attribute acquisition method, and related devices.
  • OneM2M the Internet of Things standardization organization, is dedicated to developing technical specifications for constructing a common Machine-To-Machine (M2M) Service Layer.
  • M2M Machine-To-Machine
  • oneM2M implements service layer resource sharing and interaction by employing operations on standard resource trees.
  • CSEBase1 represents a CSE root resource <CSEBase>
  • CSE1 represents a resource <remoteCSE>
  • APP1 represents a resource <AE>
  • CONT1 and CONT2 each represent a resource <container>
  • ACP1 and ACP2 each represent a resource <accessControlPolicy>.
  • the oneM2M definition has two basic entities:
  • the Application Entity is located at the application layer, and the entity can implement an M2M application service logic.
  • An application service logic can reside in multiple M2M nodes, or multiple execution instances in a single node.
  • Each execution instance of the application service logic is referred to as an application entity, and each application entity is identified by a unique AE identity (AE-ID).
  • For example, a fleet tracking application instance, a remote blood glucose monitoring application instance, a remote power metering instance, or a control application instance are all application entities.
  • Common Service Entity: a common service entity consists of a set of common service functions in an M2M environment. The common service functions are exposed to other entities through the reference points Mca and Mcc.
  • the reference point Mcn is used to access the underlying network service entity.
  • Each public service entity is identified by a unique Public Service Entity Identity (CSE-ID).
  • CSE-ID Public Service Entity Identity
  • the resource tree exists in the CSE defined by the oneM2M system.
  • OneM2M defines three resource types:
  • a virtual resource does not have a specific resource structure and resource attributes, and is mainly used to trigger a specific process
  • Announced Resource has a specific resource structure and resource attributes. This resource is a copy of some content in common resources on other entities. The main purpose is to facilitate resource discovery.
  • the oneM2M TS-0001 defines only the resource structure of the <accessControlPolicy> resource and the structure of the access control policy.
  • the evaluation of the authorization architecture and access control policy is provided in oneM2M TS-0003.
  • each authorization component is:
  • PEP Policy Enforcement Point
  • PDP Policy Decision Point
  • a Policy Decision Point is responsible for evaluating whether to approve the access control decision request sent by the PEP according to the access control policy, and returning the evaluation result to the PEP through the access control decision response.
  • the Policy Retrieval Point obtains the applicable access control policy according to the policy request provided by the PDP, and returns the obtained access control policy to the PDP.
  • PIP Policy Information Point
  • the PEP generates an access control decision request (Access Control Decision Request) according to the user's access request and sends it to the PDP.
  • Access Control Decision Request Access Control Decision Request
  • the PDP sends an Access Control Policy Request to the PRP according to the access control decision request of the PEP;
  • the PDP analyzes the content of the access control policy returned by the PRP together with the access control decision request of the PEP. If further attributes are required, it sends an Access Control Attribute Request to the PIP and then proceeds to step 5.
  • the PIP requests to obtain the corresponding access control related attribute according to the access control attribute of the PDP, and returns it to the PDP.
  • the PDP returns to the PEP according to the determined access control policy and through the Access Control Attribute Response.
  • the PEP determines whether to perform the user's access request according to the access control policy in the access control decision response.
  • OneM2M TS-0003 only gives a high-level description and basic authorization process for the authorization architecture, and does not give a specific access control mechanism, implementation principle or method.
  • the embodiment of the present application provides an access control, a policy acquisition, an attribute acquisition method, and related devices, to provide a specific access control mechanism for oneM2M.
  • an access control method including:
  • the access control resource is a common resource under the CSE root resource, and the policy decision point resource and the policy acquisition point resource are respectively virtual resources under the corresponding access control resource.
  • the access control resource has a common attribute of a common resource and a public attribute that specifies an access control policy.
  • the method further includes:
  • the policy information point resource is a virtual resource under the corresponding access control resource.
  • the method further includes:
  • the method further includes:
  • determining, by the initiator, an access control decision on the target resource including:
  • the policy decision point resource, the policy acquisition point resource, and the policy information point resource are respectively located under access control resources under different CSE root nodes;
  • At least two of the policy decision point resource, the policy acquisition point resource, and the policy information point resource are located under different access control resources under the same CSE root node;
  • the policy decision point resource, the policy acquisition point resource, and the policy information point resource belong to the same access control resource under the same CSE root node.
  • a method for obtaining an access control policy including:
  • the access control resource is a common resource under the CSE root resource, and the policy acquisition point resource is a virtual resource under the corresponding access control resource.
  • a method for obtaining an access control attribute including:
  • the access control resource is a common resource under the CSE root resource, and the policy information point resource is a virtual resource under the corresponding access control resource.
  • the access control resource has a common attribute of a common resource and a public attribute that specifies an access control policy.
  • after the public service entity CSE acquires the resource reading request for the policy information point resource of the access control resource, and before it obtains the attribute information corresponding to the access control policy, the method further includes:
  • a public service entity CSE including:
  • a processing module configured to determine, according to the obtained access control policy, an access control decision of the initiator to the target resource, and return the access control decision to the CSE;
  • the access control resource is a common resource under the CSE root resource, and the policy decision point resource and the policy acquisition point resource are respectively virtual resources under the corresponding access control resource.
  • the access control resource has a common attribute of a common resource and a public attribute that specifies an access control policy.
  • the policy information point resource is a virtual resource under the corresponding access control resource.
  • after the first obtaining module acquires the first resource reading request of the public service entity CSE for the policy decision point resource under the access control resource, and before the second obtaining module sends the second resource reading request for the bound policy acquisition point resource according to the first resource reading request,
  • the second obtaining module is further configured to:
  • the third obtaining module is further configured to:
  • processing module is specifically configured to:
  • the policy decision point resource, the policy acquisition point resource, and the policy information point resource are respectively located under access control resources under different CSE root nodes;
  • At least two of the policy decision point resource, the policy acquisition point resource, and the policy information point resource are located under different access control resources under the same CSE root node;
  • the policy decision point resource, the policy acquisition point resource, and the policy information point resource belong to the same access control resource under the same CSE root node.
  • a public service entity CSE including:
  • An obtaining module configured to obtain a resource reading request of a policy acquisition point resource of the public service entity CSE to the access control resource, where the resource reading request carries request information of an access control policy of the target resource that the initiator requests to access;
  • a processing module configured to acquire an access control policy corresponding to the target resource, and return the policy to the CSE;
  • the access control resource is a common resource under the CSE root resource, and the policy acquisition point resource is a virtual resource under the corresponding access control resource.
  • the access control resource has a common attribute of a common resource and a public attribute that specifies an access control policy.
  • processing module is further configured to:
  • the obtaining module acquires the resource reading request of the policy acquisition point resource of the access control resource by the public service entity CSE, before acquiring the access control policy corresponding to the target resource,
  • a public service entity CSE including:
  • An obtaining module configured to obtain a resource reading request of a policy information point resource of the access control resource by the public service entity CSE, where the resource reading request carries request information of an access control attribute of the access control policy;
  • a processing module configured to acquire attribute information corresponding to the access control policy, and return the information to the CSE;
  • the access control resource is a common resource under the CSE root resource, and the policy information point resource is a virtual resource under the corresponding access control resource.
  • the access control resource has a common attribute of a common resource and a public attribute that specifies an access control policy.
  • processing module is further configured to:
  • the acquiring module acquires the resource reading request of the policy information point resource of the access control resource by the public service entity CSE, before acquiring the attribute information corresponding to the access control policy,
  • the policy decision point resource is defined as the virtual resource that triggers the PDP process, and the policy acquisition point resource as the virtual resource that triggers the PRP process, so that a resource reading request for the policy decision point resource under an access control resource triggers the PDP function.
  • the CSE obtains the access control policy of the target resource by reading the bound policy, and performs an access control decision on the access request of the target resource according to the obtained access control policy.
  • FIG. 1 is a schematic diagram of a structure of a oneM2M resource tree
  • FIG. 2 is a schematic diagram of a oneM2M authorization architecture
  • FIG. 3 is a schematic structural diagram of access control resources in an embodiment of the present application.
  • FIG. 4a is a schematic diagram of interaction between a CSE having a PEP function and a CSE1 having a PDP function according to an embodiment of the present application;
  • FIG. 4b is a schematic diagram of a process for performing access control by a CSE1 having a PDP function according to an embodiment of the present application;
  • FIG. 5a is a schematic diagram of interaction between a CSE1 having a PDP function and a CSE2 having a PRP function according to an embodiment of the present application;
  • FIG. 5b is a schematic diagram of a process for acquiring an access control policy by a function CSE2 having a PRP according to an embodiment of the present application;
  • FIG. 6a is a schematic diagram of interaction between a CSE1 having a PDP function and a CSE3 having a PIP function according to an embodiment of the present application;
  • FIG. 6b is a schematic diagram of a process for acquiring access control attributes by a CSE3 having a PIP function according to an embodiment of the present disclosure
  • FIG. 7 is a schematic structural diagram of a CSE in an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of another CSE in the embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of another CSE in the embodiment of the present application.
  • FIG. 10 is a schematic structural diagram of another CSE in the embodiment of the present application.
  • FIG. 11 is a schematic structural diagram of another CSE in the embodiment of the present application.
  • FIG. 12 is a schematic structural diagram of another CSE in the embodiment of the present application.
  • oneM2M resources are defined to implement a specific access control mechanism.
  • the four oneM2M resources defined are: access control resource <accessControl>, policy decision point resource <policyDecisionPoint>, policy acquisition point resource <policyRetrievalPoint>, and policy information point resource <policyInformationPoint>.
  • the access control resource <accessControl> is defined as a common resource located under the CSE root resource <CSEBase>, and has at least one generic attribute of a oneM2M common resource.
  • the policy decision point resource <policyDecisionPoint>, the policy acquisition point resource <policyRetrievalPoint>, and the policy information point resource <policyInformationPoint> are defined as virtual resources located under the access control resource <accessControl>.
  • a read operation on the policy decision point resource <policyDecisionPoint> triggers a PDP process
  • a read operation on the policy acquisition point resource <policyRetrievalPoint> triggers a PRP process
  • a read operation on the policy information point resource <policyInformationPoint> triggers a PIP process.
  • a CSE root node may have one or more access control resources <accessControl>, or may contain no access control resource at all.
  • an access control resource <accessControl> may contain any combination of one or more of the policy decision point resource <policyDecisionPoint>, the policy acquisition point resource <policyRetrievalPoint>, and the policy information point resource <policyInformationPoint>, or may contain none of the defined virtual resources.
  • the access control resource <accessControl> further has a public attribute specifying an access control policy; this attribute specifies the access control policy applicable to the access control resource <accessControl> and to the virtual resources under it.
  • access control for those virtual resources is therefore determined by this public attribute: the access control policy it specifies defines which CSEs are allowed to access the access control resource <accessControl> and the virtual resources under it.
  • a virtual resource does not have a resource attribute and no sub-resource.
  • access control for a virtual resource is governed by the access control policy specified on the parent resource to which the virtual resource belongs.
  • the process of the CSE intercepting initiator's access request to its own target resource and the CSE1 having the PDP function are as follows:
  • the CSE sends a first resource read request for the policy decision point resource under the access control resource under the CSE1 root resource, where the first resource read request carries the request information of the initiator's access control decision on the target resource in the CSE;
  • the CSE1 triggers the PDP process corresponding to the policy decision point resource according to the first resource read request for the policy decision point resource under the access control resource: it acquires the access control policy corresponding to the target resource and, optionally, the attribute information corresponding to that access control policy;
  • it then makes an access control decision according to the access control policy, or according to the access control policy together with its corresponding attribute information, and returns the access control decision to the CSE in the access control decision response.
  • the content parameter in the first resource read request carries: request information of the initiator's access control decision on the target resource in the CSE, and the resource read request is a request conforming to the oneM2M standard.
  • the Content parameter in the access control decision response carries the access control decision, and the access control decision response is a response conforming to the oneM2M standard.
  • the CSE and the CSE1 can be the same CSE.
  • the CSE integrates the functions of the PEP and the PDP, and can also be two independent CSEs.
  • the root resource of the CSE1 includes an access control resource, and the access control resource has at least one policy decision point resource; as shown in FIG. 4b, the detailed method by which the CSE1 implements access control is as follows:
  • Step 401 Acquire a first resource read request of the CSE to the policy decision point resource in the access control resource, where the first resource read request carries the request information of the initiator's access control decision on the target resource in the CSE.
  • the initiator is AE or CSE.
  • the CSE that issues the first resource read request for the policy decision point resource has the function of the PEP; the root resource of the CSE1 with the access control function includes the access control resource, and the access control resource has the policy decision point resource, that is, the CSE1 with the access control function has the function of a PDP.
  • the CSE with the PEP function and the CSE1 with the PDP function may be the same CSE or two independent CSEs.
  • the access control resource to which the policy decision point resource belongs also has a public attribute that specifies the access control policy.
  • after acquiring the first resource read request of the CSE for the policy decision point resource under the access control resource, and before sending the second resource read request for the bound policy acquisition point resource according to the first resource read request, the CSE1 determines, according to the access control policy specified by the access control resource to which the policy decision point resource belongs, that the CSE is allowed to access the policy decision point resource.
  • Step 402 Send a second resource read request for the bound policy acquisition point resource according to the first resource read request, to obtain an access control policy corresponding to the target resource, where the second resource read request carries the target resource Request information for the access control policy.
  • the access control resource to which the policy acquisition point resource belongs has a public attribute of the specified access control policy.
  • before the CSE1 sends the second resource read request for the bound policy acquisition point resource according to the first resource read request and obtains the access control policy of the target resource,
  • the CSE1 determines, according to the access control policy specified by the access control resource to which the policy acquisition point resource belongs, that the CSE is allowed to access the policy acquisition point resource.
  • Step 403 Determine an initiator access control decision on the target resource according to the obtained access control policy, and return an access control decision to the CSE.
  • the CSE1 determines the initiator's access control decision on the target resource according to the obtained access control policy.
  • the attribute information corresponding to the access control policy may also be obtained: a third resource read request is sent to the bound policy information point resource to obtain the attribute information corresponding to the access control policy, where the third resource read request carries the request information of the access control attribute of the access control policy.
  • after obtaining the attribute information corresponding to the access control policy, the CSE1 determines the access control decision of the initiator on the target resource according to the access control policy together with the attribute information corresponding to the access control policy.
  • the access control resource to which the policy information point resource belongs has a public attribute that specifies the access control policy.
  • before the CSE1 sends the third resource read request to the bound policy information point resource and obtains the attribute information corresponding to the access control policy, the CSE1 determines, according to the access control policy specified by the access control resource to which the policy information point resource belongs, that the CSE is allowed to access the policy information point resource.
  • the policy decision point resource, the policy acquisition point resource, and the policy information point resource are respectively located under access control resources under different CSE root nodes;
  • At least two of the policy decision point resource, the policy acquisition point resource, and the policy information point resource are located under different access control resources under the same CSE root node;
  • the policy decision point resource, the policy acquisition point resource, and the policy information point resource belong to the same access control resource under the same CSE root node.
  • the interaction process between the CSE1 with PDP function and the CSE2 with PRP function is as follows:
  • the CSE1 sends a second resource read request to the policy acquisition point resource of the access control resource of the CSE2, where the second resource read request carries the request information of the access control policy for the target resource;
  • the CSE2 triggers the PRP process according to the second resource read request for obtaining the point resource from the policy under the access control resource: the access control policy of the target resource is obtained, and the access control policy is returned to the CSE1 by the access control policy response.
  • the content parameter in the second resource read request carries: request information of an access control policy for the target resource, and the resource read request is a request conforming to the oneM2M standard.
  • the Content parameter in the access control policy response carries an access control policy
  • the access control policy response is a response that conforms to the oneM2M standard.
  • CSE1 and CSE2 can be the same CSE, in which case the CSE integrates the functions of PDP and PRP, or they can be two independent CSEs.
  • the CSE1 combines the access control policy acquired from the CSE2 with the access control policy obtained from the access control token according to a preset policy, and evaluates the initiator's access control to the target resource based on the merged access control policy.
  • the root resource of the CSE2 includes an access control resource, and the access control resource has at least a policy acquisition point resource, that is, the CSE2 has a PRP function, as shown in FIG. 5b.
  • the process for CSE2 to obtain an access control policy is as follows:
  • Step 501 Acquire a second resource read request of the CSE1 for the policy acquisition point resource under the access control resource, where the second resource read request carries the request information of the access control policy of the target resource that the initiator requests to access.
  • Step 502 Acquire an access control policy corresponding to the target resource, and return it to the CSE1.
  • the access control resource to which the policy acquisition point resource belongs also has a public attribute that specifies an access control policy.
  • after acquiring the second resource read request of the CSE1 for the policy acquisition point resource of the access control resource, and before acquiring the access control policy corresponding to the target resource, the CSE2 determines, according to the access control policy specified by the access control resource to which the policy acquisition point resource belongs, that the CSE1 is allowed to access the policy acquisition point resource.
  • the CSE2 with the PRP function and the CSE1 that issues the resource read request may be the same CSE or two independent CSEs.
  • when the CSE1 having the PDP function needs the attribute information corresponding to the access control policy in the process of determining the access control decision of the initiator on the target resource according to the obtained access control policy,
  • the CSE1 with PDP function needs to interact with the CSE3 with PIP function to obtain the attribute information.
  • the interaction process is as follows:
  • the CSE1 sends a third resource read request to the policy information point resource of the CSE3 access control resource, where the third resource read request carries the request information of the access control attribute of the access control policy;
  • the CSE3 triggers the PIP process according to the third resource read request of the policy information point resource under the access control resource: the attribute information corresponding to the access control policy is obtained, and the attribute information is returned to the CSE1 by the access control attribute response.
  • the content parameter in the third resource read request carries: request information of an access control attribute of the access control policy, and the resource read request is a request conforming to the oneM2M standard.
  • the Content parameter in the access control attribute response carries the attribute information
  • the access control attribute response is a response that conforms to the oneM2M standard.
  • the CSE1 and the CSE3 may be the same CSE.
  • the CSE integrates the functions of the PDP and the PIP, and may also be two independent CSEs.
  • the attribute information of the access control policy may be a creation time of the access control policy, a creator, a visitor of the access control policy, a subscription information of the visitor, a role of the visitor in the access control policy, and the like.
  • the root resource of the CSE3 includes an access control resource, and the access control resource has at least a policy information point resource, that is, the CSE3 has a PIP function; as shown in FIG. 6b, the process by which the CSE3 obtains access control attributes is as follows:
  • Step 601 Acquire a third resource read request of the CSE1 for the policy information point resource under the access control resource, where the third resource read request carries the request information of the access control attribute of the access control policy.
  • the access control resource to which the policy information point resource belongs also has a public attribute that specifies an access control policy.
  • after acquiring the third resource read request of the CSE1 for the policy information point resource of the access control resource, and before acquiring the attribute information corresponding to the access control policy, the CSE3 determines, according to the access control policy specified by the access control resource to which the policy information point resource belongs, that the CSE1 is allowed to access the policy information point resource.
  • the CSE3 with the PIP function and the CSE1 that issues the resource read request may be the same CSE or two independent CSEs.
  • the access control process provided in the embodiment of the present application is exemplified by a specific embodiment.
  • the functions of PEP, PDP, PRP, and PIP are integrated in different CSEs, where PEP is located in CSE-0, PDP is located in CSE-1, PRP is located in CSE-2, and PIP is located in CSE-3;
  • the initiator of the resource access is AE-1, and the target resource to be accessed, on CSE-1, is CSE-1/Group-1/memberIDs;
  • an access control policy for the CSE-1/Group-1/memberIDs resource, RBAC-Policy, is stored on CSE-3;
  • the virtual resource that triggers the PDP function on CSE-2 is CSE-2/AccessControl-2/policyDecisionPoint;
  • the virtual resource that triggers the PRP function on CSE-3 is CSE-3/AccessControl-3/policyRetrievalPoint;
  • the virtual resource that triggers the PIP function on CSE-4 is CSE-4/AccessControl-4/policyInformationPoint;
  • the AE-1 sends a read request for the target resource in the CSE-1, specifically: the initiator is AE-1, the target resource is CSE-1/Group-1/memberIDs, and the action is read (Retrieve).
  • the PEP in CSE-1 intercepts the request and sends an access control decision request to the pre-configured PDP, specifically:
  • the initiator is CSE-1
  • the target resource is CSE-2/AccessControl-2/policyDecisionPoint
  • the action is read
  • the content of the parameter Content is the content of the access control decision request: {initiator: AE-1; target resource: CSE-1/Group-1/memberIDs; action: read}.
  • CSE-2 receives the access control decision request of CSE-1.
  • the initiator is CSE-2
  • the target resource is CSE-3/AccessControl-3/policyRetrievalPoint
  • the action is read
  • the content of the parameter Content is the content of the access control policy request:
  • CSE-3 receives the access control policy request of CSE-2.
  • the CSE-3 returns the obtained access control policy to the CSE-2 through the oneM2M response, and the oneM2M response is the access control policy response, specifically: the response code (Response Code) is successfully obtained, and the content of the parameter Content is Obtained access control policy:
  • the CSE-2 receives the access control policy response of the CSE-3, and analyzes the obtained role-based access control policy: RBAC-Policy, and knows that the role of the AE-1 (Role) needs to be acquired to perform the policy evaluation.
  • CSE-2 sends an access control attribute request to the pre-configured PIP, specifically:
  • the originator is CSE-2;
  • the target resource is CSE-4/AccessControl-4/policyInformationPoint;
  • the operation is read.
  • CSE-4 receives the access control attribute request from CSE-2 and obtains the requested attribute.
  • CSE-4 returns the obtained attribute information to CSE-2 in a oneM2M response, which is the access control attribute response; specifically, the Response Code indicates success and the Content parameter carries the obtained attribute information:
  • CSE-2 receives the access control attribute response from CSE-4, obtains the role of AE-1, evaluates AE-1's resource access request against the obtained role-based access control policy using that role, and determines the evaluation result, i.e. the access control decision: AE-1's resource access request is permitted.
  • CSE-2 returns the access control decision to CSE-1 in a oneM2M response, which is the access control decision response; specifically:
  • the Response Code indicates success and the Content parameter carries the access control decision:
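The exchange in the worked example above, and the basic PEP/PDP/PRP/PIP procedure it instantiates, modelled as an added example. This is illustrative code written for this page, not code from the patent or from any oneM2M implementation: four in-process CSE objects pass oneM2M-style request primitives (from, to, op, content) to one another, each virtual resource path triggers the handler bound to it, and the PDP on CSE-2 fetches RBAC-Policy from the PRP on CSE-3 and AE-1's role from the PIP on CSE-4 before it decides. The resource paths are the ones used in the example; the policy content, the role table, the in-process routing and the response-code strings are assumptions. Two details go beyond the example text: the PDP answers Deny when the PRP holds no policy for the target or the PIP knows no role for the originator, and the PEP treats any non-success response from the PDP as Deny, so a failed or unreachable decision point never turns into an implicit Permit.

```python
# Added example (not code from the patent or from oneM2M): four in-process CSEs
# exchange request primitives to reach an access control decision. The policy,
# the role table, the routing and the response codes are constructed assumptions.

RETRIEVE = "Retrieve"


class CSE:
    """Minimal CSE: virtual resource paths map to the handler they trigger."""

    def __init__(self, cse_id, network):
        self.cse_id = cse_id
        self.network = network      # CSE-ID -> CSE; stands in for the Mcc reference point
        self.virtual = {}           # virtual resource path -> handler(request)
        network[cse_id] = self

    def send(self, to, content):
        """Build a request primitive (from / to / op / content) and deliver it to the
        CSE hosting the target; the first path segment is that CSE's CSE-ID."""
        request = {"from": self.cse_id, "to": to, "op": RETRIEVE, "content": content}
        return self.network[to.split("/")[0]].handle(request)

    def handle(self, request):
        handler = self.virtual.get(request["to"])
        if handler is None:
            return {"rsc": "NOT_FOUND", "content": None}
        return handler(request)


PDP = "CSE-2/AccessControl-2/policyDecisionPoint"
PRP = "CSE-3/AccessControl-3/policyRetrievalPoint"
PIP = "CSE-4/AccessControl-4/policyInformationPoint"


def build_network():
    network = {}
    cse1, cse2, cse3, cse4 = (CSE(f"CSE-{i}", network) for i in (1, 2, 3, 4))

    # PRP on CSE-3: policies keyed by the target resource they govern (constructed).
    policies = {
        "CSE-1/Group-1/memberIDs": {
            "name": "RBAC-Policy",
            "type": "RBAC",
            "rules": {"member": {"Retrieve"}, "admin": {"Retrieve", "Update", "Delete"}},
        }
    }

    def policy_retrieval_point(request):
        policy = policies.get(request["content"]["target"])
        if policy is None:
            return {"rsc": "NOT_FOUND", "content": None}
        return {"rsc": "OK", "content": policy}

    cse3.virtual[PRP] = policy_retrieval_point

    # PIP on CSE-4: subject attributes, here the role of each AE (constructed).
    roles = {"AE-1": "member", "AE-9": "admin"}

    def policy_information_point(request):
        role = roles.get(request["content"]["subject"])
        if role is None:
            return {"rsc": "NOT_FOUND", "content": None}
        return {"rsc": "OK", "content": {"role": role}}

    cse4.virtual[PIP] = policy_information_point

    # PDP on CSE-2: bound to the pre-configured PRP and PIP above.
    def policy_decision_point(request):
        decision_request = request["content"]            # {originator, target, op}
        policy_response = cse2.send(PRP, decision_request)
        if policy_response["rsc"] != "OK":
            return {"rsc": "OK", "content": {"decision": "Deny"}}   # no policy: deny
        policy = policy_response["content"]
        decision = "Deny"
        if policy["type"] == "RBAC":
            # Role-based policy: the originator's role is an attribute the PDP lacks,
            # so it is fetched from the PIP before evaluation.
            attr_response = cse2.send(
                PIP, {"subject": decision_request["originator"], "attribute": "role"})
            if attr_response["rsc"] == "OK":
                role = attr_response["content"]["role"]
                if decision_request["op"] in policy["rules"].get(role, set()):
                    decision = "Permit"
        return {"rsc": "OK", "content": {"decision": decision}}

    cse2.virtual[PDP] = policy_decision_point
    return network


def pep_retrieve(network, originator, target):
    """PEP on CSE-1: intercept the originator's Retrieve on a local resource, ask the
    PDP, and return the decision it will enforce ("Permit" or "Deny")."""
    cse1 = network["CSE-1"]
    response = cse1.send(PDP, {"originator": originator, "target": target, "op": RETRIEVE})
    if response["rsc"] != "OK":      # an error from the PDP is never a Permit
        return "Deny"
    return response["content"]["decision"]


if __name__ == "__main__":
    net = build_network()
    print(pep_retrieve(net, "AE-1", "CSE-1/Group-1/memberIDs"))   # Permit
    print(pep_retrieve(net, "AE-2", "CSE-1/Group-1/memberIDs"))   # Deny: no role known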
  • The embodiments of the present application further provide a CSE, which mainly includes:
  • a first obtaining module 701, configured to obtain a first resource read request from a Common Services Entity (CSE) for the policy decision point resource under an access control resource, where the first resource read request carries request information for the originator's access control decision on a target resource in the CSE;
  • a second obtaining module 702, configured to send, according to the first resource read request, a second resource read request to the bound policy acquisition point resource so as to obtain the access control policy corresponding to the target resource, where the second resource read request carries request information for the access control policy of the target resource;
  • a processing module 703, configured to determine the originator's access control decision on the target resource according to the obtained access control policy and return the access control decision to the CSE;
  • where the access control resource is a normal resource under the CSE root resource it belongs to, and the policy decision point resource and the policy acquisition point resource are each virtual resources under the corresponding access control resource.
  • The access control resource has the universal attributes of a normal resource and additionally a common attribute that specifies an access control policy.
  • A third obtaining module 704 is further configured to: after the second obtaining module 702 obtains the access control policy corresponding to the target resource and before the processing module 703 determines the originator's access control decision on the target resource, send a third resource read request to the bound policy information point resource to obtain the attribute information corresponding to the access control policy, where the third resource read request carries request information for the access control attributes of the access control policy;
  • where the policy information point resource is a virtual resource under the corresponding access control resource.
  • The processing module 703 is further configured to: after the first obtaining module obtains the first resource read request from the CSE for the policy decision point resource under the access control resource and before the second obtaining module sends the second resource read request to the bound policy acquisition point resource according to the first resource read request, determine, according to the access control policy specified by the access control resource to which the policy decision point resource belongs, that the CSE is permitted to access the policy decision point resource.
  • The second obtaining module is further configured to: after sending the second resource read request and before obtaining the access control policy corresponding to the target resource, determine, according to the access control policy specified by the access control resource to which the policy acquisition point resource belongs, that the CSE is permitted to access the policy acquisition point resource.
  • The third obtaining module is further configured to: after sending the third resource read request and before obtaining the attribute information corresponding to the access control policy, determine, according to the access control policy specified by the access control resource to which the policy information point resource belongs, that the CSE is permitted to access the policy information point resource.
  • The processing module is specifically configured to determine the originator's access control decision on the target resource according to the access control policy and the attribute information corresponding to it.
  • The policy decision point resource, the policy acquisition point resource and the policy information point resource are located under access control resources under different CSE root nodes; or
  • at least two of the policy decision point resource, the policy acquisition point resource and the policy information point resource are located under different access control resources under the same CSE root node; or
  • the policy decision point resource, the policy acquisition point resource and the policy information point resource belong to the same access control resource under the same CSE root node.
  • The embodiments of the present application further provide a CSE, which mainly includes a processor 801 and a memory 802, where the memory 802 stores a preset program and the processor 801 is configured to read the preset program from the memory 802 and execute the following procedure according to it:
  • where the access control resource is a normal resource under the CSE root resource it belongs to, and the policy decision point resource and the policy acquisition point resource are each virtual resources under the corresponding access control resource.
  • After obtaining the access control policy corresponding to the target resource and before determining the originator's access control decision on the target resource, the processor 801 sends a third resource read request to the bound policy information point resource to obtain the attribute information corresponding to the access control policy, where the third resource read request carries request information for the access control attributes of the access control policy;
  • where the policy information point resource is a virtual resource under the corresponding access control resource.
  • The access control resource has the universal attributes of a normal resource and additionally a common attribute that specifies an access control policy.
  • After obtaining the first resource read request from the CSE for the policy decision point resource under the access control resource and before sending the second resource read request to the bound policy acquisition point resource according to the first resource read request, the processor 801 determines, according to the access control policy specified by the access control resource to which the policy decision point resource belongs, that the CSE is permitted to access the policy decision point resource.
  • After sending the second resource read request to the bound policy acquisition point resource according to the first resource read request and before obtaining the access control policy corresponding to the target resource, the processor 801 determines, according to the access control policy specified by the access control resource to which the policy acquisition point resource belongs, that the CSE is permitted to access the policy acquisition point resource.
  • After sending the third resource read request to the bound policy information point resource and before obtaining the attribute information corresponding to the access control policy, the processor 801 determines, according to the access control policy specified by the access control resource to which the policy information point resource belongs, that the CSE is permitted to access the policy information point resource.
  • Having obtained the attribute information corresponding to the access control policy, the processor 801 determines the originator's access control decision on the target resource according to the access control policy and the attribute information corresponding to it.
  • The policy decision point resource, the policy acquisition point resource and the policy information point resource are located under access control resources under different CSE root nodes; or
  • at least two of the policy decision point resource, the policy acquisition point resource and the policy information point resource are located under different access control resources under the same CSE root node; or
  • the policy decision point resource, the policy acquisition point resource and the policy information point resource belong to the same access control resource under the same CSE root node.
  • The embodiments of the present application further provide a CSE (CSE2), which mainly includes:
  • an obtaining module 901, configured to obtain a resource read request from a Common Services Entity (CSE) for the policy acquisition point resource under an access control resource, where the resource read request carries request information for the access control policy of the target resource that the originator requests to access;
  • a processing module 902, configured to obtain the access control policy corresponding to the target resource and return it to the CSE;
  • where the access control resource is a normal resource under the CSE root resource it belongs to, and the policy acquisition point resource is a virtual resource under the corresponding access control resource.
  • The access control resource has the universal attributes of a normal resource and additionally a common attribute that specifies an access control policy.
  • The processing module 902 is further configured to: after the obtaining module obtains the resource read request from the CSE for the policy acquisition point resource under the access control resource and before obtaining the access control policy corresponding to the target resource, determine, according to the access control policy specified by the access control resource to which the policy acquisition point resource belongs, that the CSE is permitted to access the policy acquisition point resource.
  • The embodiments of the present application further provide a CSE, which mainly includes a processor 1001 and a memory 1002, where the memory 1002 stores a preset program and the processor 1001 is configured to read the preset program from the memory 1002 and execute the following procedure according to it:
  • where the access control resource is a normal resource under the CSE root resource it belongs to, and the policy acquisition point resource is a virtual resource under the corresponding access control resource.
  • The access control resource has the universal attributes of a normal resource and additionally a common attribute that specifies an access control policy.
  • After obtaining the resource read request from the CSE for the policy acquisition point resource under the access control resource and before obtaining the access control policy corresponding to the target resource, the processor 1001 determines, according to the access control policy specified by the access control resource to which the policy acquisition point resource belongs, that the CSE is permitted to access the policy acquisition point resource.
  • The embodiments of the present application further provide a CSE (CSE3), which mainly includes:
  • an obtaining module 1101, configured to obtain a resource read request from a Common Services Entity (CSE) for the policy information point resource under an access control resource, where the resource read request carries request information for the access control attributes of an access control policy;
  • a processing module 1102, configured to obtain the attribute information corresponding to the access control policy and return it to the CSE;
  • where the access control resource is a normal resource under the CSE root resource it belongs to, and the policy information point resource is a virtual resource under the corresponding access control resource.
  • The access control resource has the universal attributes of a normal resource and additionally a common attribute that specifies an access control policy.
  • The processing module is further configured to: after the obtaining module obtains the resource read request from the CSE for the policy information point resource under the access control resource and before obtaining the attribute information corresponding to the access control policy, determine, according to the access control policy specified by the access control resource to which the policy information point resource belongs, that the CSE is permitted to access the policy information point resource.
  • The embodiments of the present application further provide a CSE, which mainly includes a processor 1201 and a memory 1202, where the memory 1202 stores a preset program and the processor 1201 is configured to read the preset program from the memory 1202 and execute the following procedure according to it:
  • where the access control resource is a normal resource under the CSE root resource it belongs to, and the policy information point resource is a virtual resource under the corresponding access control resource.
  • The access control resource has the universal attributes of a normal resource and additionally a common attribute that specifies an access control policy.
  • After obtaining the resource read request from the CSE for the policy information point resource under the access control resource and before obtaining the attribute information corresponding to the access control policy, the processor 1201 determines, according to the access control policy specified by the access control resource to which the policy information point resource belongs, that the CSE is permitted to access the policy information point resource.
  • In summary, the policy acquisition point resource is defined under the access control resource as a virtual resource that triggers the PRP procedure. A resource read request for the policy decision point resource under the access control resource triggers the CSE with the PDP function to read the bound policy acquisition point resource, obtain the access control policy of the target resource, and make the access control decision on the access request to the target resource according to the obtained policy.
  • Likewise, the policy information point resource is defined under the access control resource as a virtual resource that triggers the PIP procedure. By reading the bound policy information point resource, the CSE with the PDP function triggers the procedure for obtaining the attribute information of the access control policy, so that the access control decision can be made from the access control policy together with its attribute information.

Abstract

Disclosed are an access control method, a policy acquisition method, an attribute acquisition method and related apparatus, used to provide a concrete access control mechanism for oneM2M. The access control method includes: obtaining a first resource read request from a CSE for a policy decision point resource under an access control resource, where the first resource read request carries request information for an originator's access control decision on a target resource in the CSE; sending, according to the first resource read request, a second resource read request to the bound policy acquisition point resource and obtaining the access control policy corresponding to the target resource, where the second resource read request carries request information for the access control policy of the target resource; and determining the originator's access control decision on the target resource according to the obtained access control policy and returning the access control decision to the CSE.

Description

Access control, policy acquisition and attribute acquisition methods and related apparatus
This application claims priority to Chinese Patent Application No. 201510109267.9, filed with the Chinese Patent Office on March 12, 2015 and titled "Access control, policy acquisition and attribute acquisition methods and related apparatus", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communications technology, and in particular to access control, policy acquisition and attribute acquisition methods and related apparatus.
Background
oneM2M, the Internet of Things standardization organization, develops technical specifications for building a common Machine-to-Machine (M2M) Service Layer.
oneM2M implements resource sharing and interaction at the service layer through operations on a standardized resource tree.
According to the functional architecture defined in oneM2M TS-0001, a oneM2M resource tree has the form shown in Figure 1, where CSEBase1 denotes a CSE root resource <CSEBase>, CSE1 denotes a <remoteCSE> resource, APP1 denotes an <AE> resource, CONT1 and CONT2 each denote a <container> resource, and ACP1 and ACP2 each denote an <accessControlPolicy> resource.
oneM2M resources can be created, retrieved, updated and deleted.
Among the resources defined by oneM2M, the one concerned with authorization is the access control policy resource <accessControlPolicy>, in which an access control policy (Access Control Policy) is defined; an <accessControlPolicy> resource is uniquely identified by its resource identifier (ID).
Other resources specify the access control policies that apply to them through their accessControlPolicyIDs attribute.
oneM2M defines two basic entities:
First, the Application Entity (AE), which resides at the application layer and implements the service logic of an M2M application. One item of application service logic may reside on several M2M nodes, or several execution instances of it may exist on a single node. Each execution instance of the application service logic is called an application entity, and each application entity is identified by a unique AE identifier (AE-ID).
For example, a fleet tracking application instance, a remote blood glucose monitoring application instance, a remote power metering instance or a control application instance are all application entities.
Second, the Common Services Entity (CSE), which consists of a set of common service functions of the M2M environment. The common service functions are exposed to other entities through the Mca and Mcc reference points.
The Mcn reference point is used to access the underlying network services entity.
Each CSE is identified by a unique CSE identifier (CSE-ID).
The resource tree resides in the CSEs defined by the oneM2M system.
oneM2M defines three resource types:
normal resources (Normal Resource), which have a concrete resource structure and resource attributes;
virtual resources (Virtual Resource), which have no concrete resource structure or attributes and serve mainly to trigger a specific processing procedure;
announced resources (Announced Resource), which have a concrete resource structure and attributes and replicate part of the content of a normal resource hosted on another entity, mainly to facilitate resource discovery.
oneM2M TS-0001 defines only the structure of the <accessControlPolicy> resource and of the access control policy; the authorization architecture and the evaluation of access control policies are specified in oneM2M TS-0003.
In the authorization architecture shown in Figure 2, the authorization components have the following functions:
The Policy Enforcement Point (PEP) co-exists with the application system that requires access control and is invoked by that system. The PEP generates an access control decision request from the user's access request, sends it to the Policy Decision Point (PDP), and decides whether to execute the user's access request according to the PDP's access control decision response.
The Policy Decision Point (PDP) evaluates, against the access control policy, whether the access control decision request sent by the PEP is to be granted, and returns the evaluation result to the PEP in an access control decision response.
The Policy Retrieval Point (PRP) obtains the applicable access control policy according to the policy request provided by the PDP and returns the obtained access control policy to the PDP.
The Policy Information Point (PIP) obtains, at the PDP's request, attributes relating to the user, the resource or the environment, for example the requesting user's Internet Protocol (IP) address, the creator of the resource or the current time, and returns the obtained attributes to the PDP.
The basic oneM2M authorization procedure is as follows:
1. The PEP generates an Access Control Decision Request from the user's access request and sends it to the PDP;
2. The PDP sends an Access Control Policy Request to the PRP according to the PEP's access control decision request;
3. The PDP analyses the access control policy returned by the PRP together with the content provided in the PEP's access control decision request; if further attributes are needed, it sends an Access Control Attribute Request to the PIP, otherwise it proceeds to step 5;
4. The PIP obtains the corresponding access control related attributes according to the PDP's access control attribute request and returns them to the PDP;
5. The PDP makes the decision according to the applicable access control policy and returns it to the PEP in an Access Control Decision Response;
6. The PEP decides whether to execute the user's access request according to the access control decision carried in the access control decision response.
oneM2M TS-0003 gives only a high-level description of the authorization architecture and the basic authorization procedure; it specifies no concrete access control mechanism, implementation principle or method.
Summary of the invention
The embodiments of the present application provide access control, policy acquisition and attribute acquisition methods and related apparatus, in order to provide a concrete access control mechanism for oneM2M.
The specific technical solutions provided by the embodiments of the present application are as follows:
In a first aspect, an access control method is provided, including:
obtaining a first resource read request from a Common Services Entity (CSE) for a policy decision point resource under an access control resource, where the first resource read request carries request information for an originator's access control decision on a target resource in the CSE;
sending, according to the first resource read request, a second resource read request to the bound policy acquisition point resource so as to obtain the access control policy corresponding to the target resource, where the second resource read request carries request information for the access control policy of the target resource;
determining the originator's access control decision on the target resource according to the obtained access control policy, and returning the access control decision to the CSE;
where the access control resource is a normal resource under the CSE root resource it belongs to, and the policy decision point resource and the policy acquisition point resource are each virtual resources under the corresponding access control resource.
Optionally, the access control resource has the universal attributes of a normal resource and additionally a common attribute that specifies an access control policy.
Optionally, after obtaining the access control policy corresponding to the target resource and before determining the originator's access control decision on the target resource, the method further includes:
sending a third resource read request to the bound policy information point resource to obtain the attribute information corresponding to the access control policy, where the third resource read request carries request information for the access control attributes of the access control policy;
where the policy information point resource is a virtual resource under the corresponding access control resource.
Optionally, after obtaining the first resource read request from the CSE for the policy decision point resource under the access control resource and before sending the second resource read request to the bound policy acquisition point resource according to the first resource read request, the method further includes:
determining, according to the access control policy specified by the access control resource to which the policy decision point resource belongs, that the CSE is permitted to access the policy decision point resource.
Optionally, after sending the second resource read request to the bound policy acquisition point resource according to the first resource read request and before obtaining the access control policy corresponding to the target resource, the method further includes:
determining, according to the access control policy specified by the access control resource to which the policy acquisition point resource belongs, that the CSE is permitted to access the policy acquisition point resource.
Optionally, after sending the third resource read request to the bound policy information point resource and before obtaining the attribute information corresponding to the access control policy, the method further includes:
determining, according to the access control policy specified by the access control resource to which the policy information point resource belongs, that the CSE is permitted to access the policy information point resource.
Specifically, determining the originator's access control decision on the target resource includes:
determining the originator's access control decision on the target resource according to the access control policy and the attribute information corresponding to the access control policy.
The policy decision point resource, the policy acquisition point resource and the policy information point resource are located under access control resources under different CSE root nodes;
or
at least two of the policy decision point resource, the policy acquisition point resource and the policy information point resource are located under different access control resources under the same CSE root node;
or
the policy decision point resource, the policy acquisition point resource and the policy information point resource belong to the same access control resource under the same CSE root node.
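The three optional checks above (that the CSE reading the policy decision point, policy acquisition point or policy information point resource is itself permitted to do so by the access control policy specified on the access control resource it belongs to), together with the accessControlPolicyIDs mechanism described in the background, as an added example that is not code from the patent or from oneM2M. It uses a constructed resource tree in which the virtual resource has no attributes of its own, so the applicable <accessControlPolicy> resources are resolved from the accessControlPolicyIDs attribute of the parent access control resource, and each policy's privileges (accessControlOriginators plus an accessControlOperations bitmask) are evaluated deny-by-default. The tree, the policy contents and the CSE-IDs are assumptions; the operation bit values are the accessControlOperations encoding used by oneM2M TS-0004. The point a practitioner should take from it is that the decision, retrieval and information points are themselves protected resources: a CSE not listed in the parent's policy gets no answer from them, and a dangling policy ID grants nothing.

```python
# Added example (not code from the patent or from oneM2M): resolve and evaluate the
# <accessControlPolicy> resources that govern a virtual resource such as
# policyDecisionPoint. Tree and policy contents are constructed; operation bit
# values follow the accessControlOperations encoding of oneM2M TS-0004.

CREATE, RETRIEVE, UPDATE, DELETE, NOTIFY, DISCOVERY = 1, 2, 4, 8, 16, 32

# Constructed resource tree: path -> resource. Normal resources carry attributes;
# a virtual resource carries only a marker, since it has no attributes of its own.
TREE = {
    "CSE-2": {"ty": "CSEBase"},
    "CSE-2/ACP-2": {
        "ty": "accessControlPolicy",
        "privileges": [
            # Only the CSE hosting the PEP may Retrieve (i.e. invoke) the decision point.
            {"accessControlOriginators": ["CSE-1"], "accessControlOperations": RETRIEVE},
            # An administrative CSE may also manage the resource.
            {"accessControlOriginators": ["CSE-admin"],
             "accessControlOperations": RETRIEVE | UPDATE | DELETE},
        ],
    },
    "CSE-2/AccessControl-2": {
        "ty": "AccessControl",
        # Common attribute naming the applicable policies; the second ID is left
        # dangling on purpose to show that a missing ACP grants nothing.
        "accessControlPolicyIDs": ["CSE-2/ACP-2", "CSE-2/ACP-missing"],
    },
    "CSE-2/AccessControl-2/policyDecisionPoint": {"virtual": True},
}


def parent_path(path):
    return path.rsplit("/", 1)[0]


def applicable_policy_ids(tree, path):
    """A virtual resource is governed by the access control resource it belongs to,
    so its applicable policies come from the parent's accessControlPolicyIDs."""
    resource = tree[path]
    if resource.get("virtual"):
        resource = tree[parent_path(path)]
    return resource.get("accessControlPolicyIDs", [])


def acp_permits(acp, originator, operation):
    """True if some privilege names the originator (or 'all') and includes the operation."""
    for rule in acp["privileges"]:
        originators = rule["accessControlOriginators"]
        if "all" in originators or originator in originators:
            if rule["accessControlOperations"] & operation:
                return True
    return False


def may_access(tree, originator, path, operation):
    """Deny by default: permitted only if a referenced ACP that actually exists
    grants the operation to the originator."""
    if path not in tree:
        return False
    for acp_id in applicable_policy_ids(tree, path):
        acp = tree.get(acp_id)
        if acp is not None and acp_permits(acp, originator, operation):
            return True
    return False


if __name__ == "__main__":
    pdp = "CSE-2/AccessControl-2/policyDecisionPoint"
    print(may_access(TREE, "CSE-1", pdp, RETRIEVE))    # True: the bound PEP CSE may call the PDP
    print(may_access(TREE, "CSE-9", pdp, RETRIEVE))    # False: an unlisted CSE cannot probe the PDP
    print(may_access(TREE, "CSE-1", pdp, UPDATE))      # False: the privilege is Retrieve only
```

The same `may_access` check applies unchanged to policyRetrievalPoint and policyInformationPoint on their own CSEs, since each is likewise a virtual child of an access control resource carrying accessControlPolicyIDs.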
In a second aspect, a method for obtaining an access control policy is provided, including:
obtaining a resource read request from a Common Services Entity (CSE) for a policy acquisition point resource under an access control resource, where the resource read request carries request information for the access control policy of the target resource that the originator requests to access;
obtaining the access control policy corresponding to the target resource and returning it to the CSE;
where the access control resource is a normal resource under the CSE root resource it belongs to, and the policy acquisition point resource is a virtual resource under the corresponding access control resource.
Optionally, the access control resource has the universal attributes of a normal resource and additionally a common attribute that specifies an access control policy.
Optionally, after obtaining the resource read request from the CSE for the policy acquisition point resource under the access control resource and before obtaining the access control policy corresponding to the target resource, the method further includes:
determining, according to the access control policy specified by the access control resource to which the policy acquisition point resource belongs, that the CSE is permitted to access the policy acquisition point resource.
In a third aspect, a method for obtaining access control attributes is provided, including:
obtaining a resource read request from a Common Services Entity (CSE) for a policy information point resource under an access control resource, where the resource read request carries request information for the access control attributes of an access control policy;
obtaining the attribute information corresponding to the access control policy and returning it to the CSE;
where the access control resource is a normal resource under the CSE root resource it belongs to, and the policy information point resource is a virtual resource under the corresponding access control resource.
Optionally, the access control resource has the universal attributes of a normal resource and additionally a common attribute that specifies an access control policy.
Optionally, after obtaining the resource read request from the CSE for the policy information point resource under the access control resource and before obtaining the attribute information corresponding to the access control policy, the method further includes:
determining, according to the access control policy specified by the access control resource to which the policy information point resource belongs, that the CSE is permitted to access the policy information point resource.
In a fourth aspect, a public service entity CSE is provided, including:
a first acquiring module, configured to acquire a first resource read request from a public service entity CSE for a policy decision point resource under an access control resource, the first resource read request carrying request information for an access control decision on an initiator's access to a target resource in the CSE;
a second acquiring module, configured to send, according to the first resource read request, a second resource read request for the bound policy acquisition point resource so as to acquire the access control policy corresponding to the target resource, the second resource read request carrying request information for the access control policy of the target resource;
a processing module, configured to determine, according to the acquired access control policy, the access control decision for the initiator's access to the target resource, and to return the access control decision to the CSE;
where the access control resource is an ordinary resource under the CSE root resource to which it belongs, and the policy decision point resource and the policy acquisition point resource are each virtual resources under the corresponding access control resource.
Optionally, the access control resource has the generic attributes of an ordinary resource and additionally a common attribute that specifies an access control policy.
Optionally, the CSE further includes a third acquiring module, configured to, after the second acquiring module acquires the access control policy corresponding to the target resource and before the processing module determines the access control decision for the initiator's access to the target resource, send a third resource read request to the bound policy information point resource so as to acquire the attribute information corresponding to the access control policy, the third resource read request carrying request information for an access control attribute of the access control policy;
where the policy information point resource is a virtual resource under the corresponding access control resource.
Optionally, the processing module is further configured to:
after the first acquiring module acquires the first resource read request from the public service entity CSE for the policy decision point resource under the access control resource, and before the second acquiring module sends the second resource read request for the bound policy acquisition point resource according to the first resource read request,
determine, according to the access control policy specified by the access control resource to which the policy decision point resource belongs, that the CSE is allowed to access the policy decision point resource.
Optionally, the second acquiring module is further configured to:
after sending the second resource read request for the bound policy acquisition point resource according to the first resource read request, and before acquiring the access control policy corresponding to the target resource,
determine, according to the access control policy specified by the access control resource to which the policy acquisition point resource belongs, that the CSE is allowed to access the policy acquisition point resource.
Optionally, the third acquiring module is further configured to:
after sending the third resource read request to the bound policy information point resource, and before acquiring the attribute information corresponding to the access control policy,
determine, according to the access control policy specified by the access control resource to which the policy information point resource belongs, that the CSE is allowed to access the policy information point resource.
Specifically, the processing module is configured to:
determine, according to the access control policy and the attribute information corresponding to the access control policy, the access control decision for the initiator's access to the target resource.
Here, the policy decision point resource, the policy acquisition point resource and the policy information point resource are located under access control resources under different CSE root nodes;
or,
at least two of the policy decision point resource, the policy acquisition point resource and the policy information point resource are located under different access control resources under the same CSE root node;
or,
the policy decision point resource, the policy acquisition point resource and the policy information point resource are located under the same access control resource under the same CSE root node.
In a fifth aspect, a public service entity CSE is provided, including:
an acquiring module, configured to acquire a resource read request from a public service entity CSE for a policy acquisition point resource under an access control resource, the resource read request carrying request information for the access control policy of the target resource that the initiator requests to access;
a processing module, configured to acquire the access control policy corresponding to the target resource and return it to the CSE;
where the access control resource is an ordinary resource under the CSE root resource to which it belongs, and the policy acquisition point resource is a virtual resource under the corresponding access control resource.
Optionally, the access control resource has the generic attributes of an ordinary resource and additionally a common attribute that specifies an access control policy.
Optionally, the processing module is further configured to:
after the acquiring module acquires the resource read request from the public service entity CSE for the policy acquisition point resource under the access control resource, and before acquiring the access control policy corresponding to the target resource,
determine, according to the access control policy specified by the access control resource to which the policy acquisition point resource belongs, that the CSE is allowed to access the policy acquisition point resource.
In a sixth aspect, a public service entity CSE is provided, including:
an acquiring module, configured to acquire a resource read request from a public service entity CSE for a policy information point resource under an access control resource, the resource read request carrying request information for an access control attribute of an access control policy;
a processing module, configured to acquire the attribute information corresponding to the access control policy and return it to the CSE;
where the access control resource is an ordinary resource under the CSE root resource to which it belongs, and the policy information point resource is a virtual resource under the corresponding access control resource.
Optionally, the access control resource has the generic attributes of an ordinary resource and additionally a common attribute that specifies an access control policy.
Optionally, the processing module is further configured to:
after the acquiring module acquires the resource read request from the public service entity CSE for the policy information point resource under the access control resource, and before acquiring the attribute information corresponding to the access control policy,
determine, according to the access control policy specified by the access control resource to which the policy information point resource belongs, that the CSE is allowed to access the policy information point resource.
Based on the above technical solution, in the embodiments of the present application an ordinary resource, the access control resource, is defined under the CSE root resource; a policy decision point resource and/or a policy acquisition point resource are defined under the access control resource; the policy decision point resource is defined as a virtual resource that triggers a PDP process, and the policy acquisition point resource as a virtual resource that triggers a PRP process. A resource read request for the policy decision point resource under the access control resource thus triggers the CSE having PDP functionality to acquire the access control policy of the target resource by reading the bound policy acquisition point resource, and to make an access control decision on the access request for the target resource according to the acquired access control policy.
DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic diagram of the oneM2M resource tree structure;
FIG. 2 is a schematic diagram of the oneM2M authorization architecture;
FIG. 3 is a schematic diagram of the access control resource structure in an embodiment of the present application;
FIG. 4a is a schematic diagram of the interaction between a CSE having PEP functionality and a CSE1 having PDP functionality in an embodiment of the present application;
FIG. 4b is a schematic diagram of the process by which a CSE1 having PDP functionality performs access control in an embodiment of the present application;
FIG. 5a is a schematic diagram of the interaction between a CSE1 having PDP functionality and a CSE2 having PRP functionality in an embodiment of the present application;
FIG. 5b is a schematic diagram of the process by which a CSE2 having PRP functionality acquires an access control policy in an embodiment of the present application;
FIG. 6a is a schematic diagram of the interaction between a CSE1 having PDP functionality and a CSE3 having PIP functionality in an embodiment of the present application;
FIG. 6b is a schematic diagram of the process by which a CSE3 having PIP functionality acquires access control attributes in an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a CSE in an embodiment of the present application;
FIG. 8 is a schematic structural diagram of another CSE in an embodiment of the present application;
FIG. 9 is a schematic structural diagram of another CSE in an embodiment of the present application;
FIG. 10 is a schematic structural diagram of another CSE in an embodiment of the present application;
FIG. 11 is a schematic structural diagram of another CSE in an embodiment of the present application;
FIG. 12 is a schematic structural diagram of another CSE in an embodiment of the present application.
DETAILED DESCRIPTION
To make the objectives, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings. Clearly, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present application without creative effort fall within the scope of protection of the present application.
In the embodiments of the present application, four oneM2M resources are defined to implement a specific access control mechanism.
The four defined oneM2M resources are: the access control resource <accessControl>, the policy decision point resource <policyDecisionPoint>, the policy acquisition point resource <policyRetrievalPoint> and the policy information point resource <policyInformationPoint>.
The access control resource <accessControl> is defined as an ordinary resource located under the CSE root resource <CSEBase>, having at least the generic attributes of a oneM2M ordinary resource.
The policy decision point resource <policyDecisionPoint>, the policy acquisition point resource <policyRetrievalPoint> and the policy information point resource <policyInformationPoint> are defined as virtual resources located under the access control resource <accessControl>.
Specifically, a read operation on the policy decision point resource <policyDecisionPoint> triggers a PDP process;
a read operation on the policy acquisition point resource <policyRetrievalPoint> triggers a PRP process;
a read operation on the policy information point resource <policyInformationPoint> triggers a PIP process.
A CSE root node may have one or more access control resources <accessControl> under it, or none at all.
The relationship between the access control resource <accessControl> and the defined virtual resources is shown in FIG. 3: an access control resource <accessControl> may contain any one or any combination of the policy decision point resource <policyDecisionPoint>, the policy acquisition point resource <policyRetrievalPoint> and the policy information point resource <policyInformationPoint>, or none of the defined virtual resources.
Optionally, the access control resource <accessControl> also has a common attribute specifying an access control policy. This common attribute specifies the access control policy applicable to the access control resource <accessControl>, and access control for the virtual resources under that access control resource <accessControl> is determined by this common attribute; that is, the access control policy specified by the common attribute defines which CSEs are allowed to access the access control resource <accessControl> and the virtual resources under it.
A virtual resource has no resource attributes and no child resources; access control for a virtual resource is the responsibility of the access control policy specified by the parent resource to which the virtual resource belongs.
Based on the resources defined above, as shown in FIG. 4a, a CSE having PEP functionality intercepts an initiator's access request for one of its own target resources and interacts with a CSE1 having PDP functionality as follows:
the CSE sends a first resource read request for the policy decision point resource under the access control resource under the CSE1 root resource, the first resource read request carrying request information for an access control decision on the initiator's access to the target resource in the CSE;
according to the first resource read request for the policy decision point resource under the access control resource, CSE1 triggers the PDP process corresponding to the policy decision point resource: it acquires the access control policy corresponding to the target resource and, optionally, the attribute information corresponding to that access control policy; makes an access control decision according to the access control policy, or according to the access control policy together with its corresponding attribute information; and returns the access control decision to the CSE in an access control decision response.
Specifically, the Content parameter of the first resource read request carries the request information for the access control decision on the initiator's access to the target resource in the CSE; this resource read request is a request conforming to the oneM2M standard.
Specifically, the Content parameter of the access control decision response carries the access control decision; this access control decision response is a response conforming to the oneM2M standard.
The CSE and CSE1 may be the same CSE, in which case that CSE integrates the PEP and PDP functions, or they may be two independent CSEs.
Based on the resources defined above, in an embodiment of the present application the root resource of CSE1 contains an access control resource with at least one policy decision point resource under it. As shown in FIG. 4b, the detailed method flow by which CSE1 implements access control is as follows:
Step 401: acquire a first resource read request from a CSE for a policy decision point resource under an access control resource, the first resource read request carrying request information for an access control decision on an initiator's access to a target resource in that CSE.
Here the initiator is an AE or a CSE.
The CSE issuing the first resource read request for the policy decision point resource has PEP functionality; the root resource of CSE1, which has access control functionality, contains an access control resource, and that access control resource has a policy decision point resource, which means that CSE1 has PDP functionality.
The CSE having PEP functionality and the CSE1 having PDP functionality may be the same CSE or two independent CSEs.
Optionally, the access control resource to which the policy decision point resource belongs also has a common attribute specifying an access control policy.
Correspondingly, after acquiring the first resource read request from the CSE for the policy decision point resource under the access control resource, and before sending the second resource read request for the bound policy acquisition point resource according to the first resource read request, CSE1 determines, according to the access control policy specified by the access control resource to which the policy decision point resource belongs, that the CSE is allowed to access the policy decision point resource.
Step 402: send, according to the first resource read request, a second resource read request for the bound policy acquisition point resource so as to acquire the access control policy corresponding to the target resource, the second resource read request carrying request information for the access control policy of the target resource.
Optionally, the access control resource to which the policy acquisition point resource belongs also has a common attribute specifying an access control policy.
Correspondingly, if the access control resource to which the policy acquisition point resource belongs is located under the root resource of CSE1, then after sending the second resource read request for the bound policy acquisition point resource according to the first resource read request, and before acquiring the access control policy corresponding to the target resource, CSE1 determines, according to the access control policy specified by the access control resource to which the policy acquisition point resource belongs, that the CSE is allowed to access the policy acquisition point resource.
Step 403: determine, according to the acquired access control policy, the access control decision for the initiator's access to the target resource, and return the access control decision to the CSE.
Optionally, if CSE1, in the course of determining the access control decision for the initiator's access to the target resource according to the acquired access control policy, also needs the attribute information corresponding to that access control policy, it sends a third resource read request to the bound policy information point resource so as to acquire the attribute information corresponding to the access control policy, the third resource read request carrying request information for an access control attribute of the access control policy.
After acquiring the attribute information corresponding to the access control policy, CSE1 determines the access control decision for the initiator's access to the target resource according to the access control policy and the attribute information corresponding to it.
Optionally, the access control resource to which the policy information point resource belongs also has a common attribute specifying an access control policy.
Correspondingly, if the access control resource to which the policy information point resource belongs is located under the root resource of CSE1, then after sending the third resource read request to the bound policy information point resource, and before acquiring the attribute information corresponding to the access control policy, CSE1 determines, according to the access control policy specified by the access control resource to which the policy information point resource belongs, that the CSE is allowed to access the policy information point resource.
In this embodiment, the policy decision point resource, the policy acquisition point resource and the policy information point resource are located under access control resources under different CSE root nodes;
or,
at least two of the policy decision point resource, the policy acquisition point resource and the policy information point resource are located under different access control resources under the same CSE root node;
or,
the policy decision point resource, the policy acquisition point resource and the policy information point resource are located under the same access control resource under the same CSE root node.
Based on the above definitions, as shown in FIG. 5a, the interaction between a CSE1 having PDP functionality and a CSE2 having PRP functionality proceeds as follows:
CSE1 sends a second resource read request to the policy acquisition point resource under the access control resource of CSE2, the second resource read request carrying request information for the access control policy of the target resource;
according to the second resource read request for the policy acquisition point resource under the access control resource, CSE2 triggers the PRP process: it acquires the access control policy of the target resource and returns that access control policy to CSE1 in an access control policy response.
Specifically, the Content parameter of the second resource read request carries the request information for the access control policy of the target resource; this resource read request is a request conforming to the oneM2M standard.
Specifically, the Content parameter of the access control policy response carries the access control policy; this access control policy response is a response conforming to the oneM2M standard.
CSE1 and CSE2 may be the same CSE, in which case that CSE integrates the PDP and PRP functions, or they may be two independent CSEs.
In a specific embodiment, if CSE1 determines that the request information for the access control policy of the target resource carried in the second resource read request contains an access control token, CSE1 may additionally obtain an access control policy from that access control token.
CSE1 merges the access control policy acquired from CSE2 with the access control policy obtained from the access control token according to a preset policy, and evaluates the initiator's access to the target resource on the basis of the merged access control policy.
Based on the resources defined above, in an embodiment of the present application the root resource of CSE2 contains an access control resource with at least a policy acquisition point resource under it, which means that CSE2 has PRP functionality. As shown in FIG. 5b, the process by which CSE2 acquires an access control policy is as follows:
Step 501: acquire a second resource read request from CSE1 for a policy acquisition point resource under an access control resource, the second resource read request carrying request information for the access control policy of the target resource that the initiator requests to access.
Step 502: acquire the access control policy corresponding to the target resource and return it to CSE1.
Optionally, the access control resource to which the policy acquisition point resource belongs also has a common attribute specifying an access control policy.
Correspondingly, after acquiring the second resource read request from CSE1 for the policy acquisition point resource under the access control resource, and before acquiring the access control policy corresponding to the target resource, CSE2 determines, according to the access control policy specified by the access control resource to which the policy acquisition point resource belongs, that CSE1 is allowed to access the policy acquisition point resource.
The CSE2 having PRP functionality and the CSE1 issuing the resource read request may be the same CSE or two independent CSEs.
基于以上定义,如图6a所示,若具有PDP功能的CSE1根据获取的访问控制策略,确定发起者对目标资源的访问控制决策的过程中,还需要获取该访问控制策略对应的属性信息,则需要该具有PDP功能的CSE1与具有PIP功能的CSE3交互,以获得该属性信息,交互过程如下:Based on the above definition, as shown in FIG. 6a, if the CSE1 having the PDP function determines the attribute information corresponding to the access control policy in the process of determining the access control decision of the initiator to the target resource according to the obtained access control policy, The CSE1 with PDP function needs to interact with the CSE3 with PIP function to obtain the attribute information. The interaction process is as follows:
CSE1对CSE3的访问控制资源下的策略信息点资源发送第三资源读取请求,该第三资源读取请求中携带对该访问控制策略的访问控制属性的请求信息;The CSE1 sends a third resource read request to the policy information point resource of the CSE3 access control resource, where the third resource read request carries the request information of the access control attribute of the access control policy;
CSE3根据对访问控制资源下的策略信息点资源的第三资源读取请求,触发PIP的处理过程:获取访问控制策略对应的属性信息,通过访问控制属性应答将该属性信息返回给CSE1。The CSE3 triggers the PIP process according to the third resource read request of the policy information point resource under the access control resource: the attribute information corresponding to the access control policy is obtained, and the attribute information is returned to the CSE1 by the access control attribute response.
具体地,在第三资源读取请求中的内容(Content)参数携带:对访问控制策略的访问控制属性的请求信息,该资源读取请求为符合oneM2M标准的请求。Specifically, the content parameter in the third resource read request carries: request information of an access control attribute of the access control policy, and the resource read request is a request conforming to the oneM2M standard.
具体地,在访问控制属性应答中的Content参数携带该属性信息,该访问控制属性应答为符合oneM2M标准的应答。 Specifically, the Content parameter in the access control attribute response carries the attribute information, and the access control attribute response is a response that conforms to the oneM2M standard.
其中,CSE1和CSE3可以是同一CSE,该CSE集成PDP和PIP的功能,也可以是两个独立的CSE。The CSE1 and the CSE3 may be the same CSE. The CSE integrates the functions of the PDP and the PIP, and may also be two independent CSEs.
具体地,访问控制策略的属性信息可以是访问控制策略的创建时间、创建者、访问控制策略的访问者、访问者的签约信息、访问者在访问控制策略中的角色(Role)等。Specifically, the attribute information of the access control policy may be a creation time of the access control policy, a creator, a visitor of the access control policy, a subscription information of the visitor, a role of the visitor in the access control policy, and the like.
Based on the resources defined above, in an embodiment of the present application the root resource of CSE3 contains an access control resource, and that access control resource has at least a policy information point resource, as shown in FIG. 6b; that is, CSE3 has the PIP function. CSE3 obtains access control attributes as follows:
Step 601: obtain CSE1's third resource read request for the policy information point resource under the access control resource; the third resource read request carries the request information for the access control attributes of the access control policy.
Step 602: obtain the attribute information corresponding to the access control policy and return it to CSE1.
Optionally, the access control resource to which the policy information point resource belongs also has a common attribute that designates an access control policy.
Correspondingly, after CSE3 receives CSE1's third resource read request for the policy information point resource under the access control resource, and before it obtains the attribute information corresponding to the access control policy, CSE3 determines, according to the access control policy designated by the access control resource to which the policy information point resource belongs, that CSE1 is allowed to access the policy information point resource.
The CSE3 that has the PIP function and the CSE1 that issued the resource read request may be the same CSE or two independent CSEs.
The access control process provided in the embodiments of the present application is illustrated below with a specific embodiment.
The specific embodiment makes the following assumptions:
the PEP, PDP, PRP and PIP functions are integrated in four different CSEs: the PEP is located in CSE-1, the PDP in CSE-2, the PRP in CSE-3 and the PIP in CSE-4;
the initiator of the resource access is AE-1, and the target resource is CSE-1\Group-1\memberIDs on CSE-1;
CSE-3 stores the access control policy applicable to the CSE-1\Group-1\memberIDs resource: RBAC-Policy;
the role of AE-1 is stored in the CSE-4\m2mServiceSubscriptionProfile-1\serviceRoles resource on CSE-4; AE-1's role is Administrator;
the virtual resource that triggers the PDP function on CSE-2 is CSE-2\AccessControl-2\policyDecisionPoint;
the virtual resource that triggers the PRP function on CSE-3 is CSE-3\AccessControl-3\policyRetrievalPoint;
the virtual resource that triggers the PIP function on CSE-4 is CSE-4\AccessControl-4\policyInformationPoint;
on CSE-2, the access control policy of CSE-2\AccessControl-2 allows resource read requests from CSE-1;
on CSE-3, the access control policy of CSE-3\AccessControl-3 allows resource read requests from CSE-2;
on CSE-4, the access control policy of CSE-4\AccessControl-4 allows resource read requests from CSE-2.
Step 1: AE-1 sends a read request to the target resource in CSE-1: the initiator is AE-1, the target resource is CSE-1\Group-1\memberIDs and the operation is Retrieve.
Step 2: The PEP in CSE-1 intercepts the request and sends an access control decision request to the pre-configured PDP:
the initiator is CSE-1, the target resource is CSE-2\AccessControl-2\policyDecisionPoint, the operation is Retrieve, and the Content parameter carries the content of the access control decision request:
{initiator = AE-1, target resource = CSE-1\Group-1\memberIDs, operation = Retrieve}.
Step 3: CSE-2 receives the access control decision request from CSE-1.
It first checks the access control policy designated by CSE-2\AccessControl-2 and determines that this policy allows access from CSE-1; it then sends an access control policy request to the pre-configured PRP:
the initiator is CSE-2, the target resource is CSE-3\AccessControl-3\policyRetrievalPoint, the operation is Retrieve, and the Content parameter carries the content of the access control policy request:
{To = CSE-1\Group-1\memberIDs}.
Step 4: CSE-3 receives the access control policy request from CSE-2.
It first checks the access control policy designated by CSE-3\AccessControl-3 and determines that this policy allows the access request from CSE-2; it then obtains the applicable access control policy according to the target resource that AE-1 is accessing.
Step 5: CSE-3 returns the obtained access control policy to CSE-2 in a oneM2M response, which is the access control policy response: the Response Code indicates success, and the Content parameter carries the obtained access control policy:
{access control policy = RBAC-Policy}.
Step 6: CSE-2 receives the access control policy response from CSE-3 and analyses the obtained role-based access control policy, RBAC-Policy. It learns that it needs the role (Role) of AE-1 in order to evaluate the policy, so CSE-2 sends an access control attribute request to the pre-configured PIP:
the initiator is CSE-2, the target resource is CSE-4\AccessControl-4\policyInformationPoint, the operation is Retrieve, and the Content parameter carries: {user = AE-1, requested attribute = Role}.
Step 7: CSE-4 receives the access control attribute request from CSE-2. It first checks the access control policy designated by CSE-4\AccessControl-4 and determines that this policy allows the access request from CSE-2; it then uses the user information to look up the user's subscription information and obtains the user's role: Administrator.
Step 8: CSE-4 returns the obtained attribute information to CSE-2 in a oneM2M response, which is the access control attribute response: the response code indicates success, and the Content parameter carries the obtained attribute information:
{role = Administrator}.
Step 9: CSE-2 receives the access control attribute response from CSE-4 and obtains AE-1's role. It then evaluates AE-1's resource access request using the obtained role-based access control policy and AE-1's role, and determines the evaluation result, i.e. the access control decision: AE-1's resource access request is allowed.
Step 10: CSE-2 returns the access control decision to CSE-1 in a oneM2M response, which is the access control decision response:
the response code indicates success, and the Content parameter carries the access control decision:
{access control decision = Allow}.
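The ten-step exchange above, together with the PIP-side process of steps 601 and 602, as an added example in Python. This is illustrative code written for this page, not code from the patent or from any oneM2M implementation. It simulates CSE-1 (PEP and target resource), CSE-2 (PDP), CSE-3 (PRP) and CSE-4 (PIP) as in-process objects, carries every hop as a RETRIEVE request with From, To and Content, and has each CSE check the access control policy designated by its own <accessControl> resource before the virtual resource's handler runs. Assumptions not in the patent: '/' as the path separator instead of '\', the status strings OK / ACCESS_DENIED / NOT_FOUND in place of oneM2M response status codes, a module-level CSES registry standing in for the network, the RbacPolicy representation (a set of permitted (role, operation) pairs plus the attributes it needs from the PIP), the constructed memberIDs content, a second AE (AE-2) with the role Guest, and the rule that a missing policy or attribute yields Deny.

```python
# Added example, not code from the patent or from oneM2M: the PEP -> PDP -> PRP -> PIP exchange of
# the worked embodiment, simulated over oneM2M-style RETRIEVE requests. CSE names, paths, roles,
# the '/' path separator and the response status strings are illustrative assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional

RETRIEVE = "Retrieve"
CSES: Dict[str, "CSE"] = {}          # the simulated network, keyed by CSE name

@dataclass
class Request:
    originator: str                  # oneM2M "From"
    to: str                          # oneM2M "To", e.g. "CSE-2/AccessControl-2/policyDecisionPoint"
    operation: str
    content: dict = field(default_factory=dict)   # oneM2M "Content"

@dataclass
class Response:
    rsc: str                         # assumed status strings: "OK", "ACCESS_DENIED", "NOT_FOUND"
    content: Optional[dict] = None

def send(req: Request) -> Response:  # route on the first segment of the "To" path
    cse = CSES.get(req.to.split("/")[0])
    return cse.handle(req) if cse else Response("NOT_FOUND")

class CSE:
    def __init__(self, name: str) -> None:
        self.name = name
        self.resources: Dict[str, dict] = {}        # ordinary resources, by path
        self.pdp_path: Optional[str] = None         # PDP virtual resource this CSE's PEP is bound to
        # <accessControl> name -> (originators its designated policy allows, {virtual child: handler})
        self.access_control: Dict[str, tuple] = {}
        CSES[name] = self

    def handle(self, req: Request) -> Response:
        parts = req.to.split("/")
        if req.operation != RETRIEVE or len(parts) != 3 or parts[1] not in self.access_control:
            return Response("NOT_FOUND")
        allowed, virtual = self.access_control[parts[1]]
        if req.originator not in allowed:            # checked before any PDP/PRP/PIP work is done
            return Response("ACCESS_DENIED")
        return h(req) if (h := virtual.get(parts[2])) else Response("NOT_FOUND")

@dataclass
class RbacPolicy:
    name: str
    permitted: set                   # {(role, operation)} pairs the policy allows
    required_attributes = ("Role",)  # what the PDP must fetch from the PIP before evaluating

    def evaluate(self, operation: str, attrs: dict) -> bool:
        return (attrs.get("Role"), operation) in self.permitted

def make_pdp(cse: CSE, prp_path: str, pip_path: str):
    """PDP handler bound to a PRP and a PIP virtual resource (the 'pre-configured' binding)."""
    def pdp(req: Request) -> Response:
        c = req.content
        pol = send(Request(cse.name, prp_path, RETRIEVE, {"To": c["target"]}))
        if pol.rsc != "OK":                          # no applicable policy: fail closed
            return Response("OK", {"decision": "Deny"})
        policy, attrs = pol.content["policy"], {}
        for attr in policy.required_attributes:
            a = send(Request(cse.name, pip_path, RETRIEVE, {"user": c["originator"], "attribute": attr}))
            if a.rsc != "OK":                        # attribute unavailable: fail closed
                return Response("OK", {"decision": "Deny"})
            attrs[attr] = a.content[attr]
        return Response("OK", {"decision": "Allow" if policy.evaluate(c["operation"], attrs) else "Deny"})
    return pdp

def make_prp(policies: Dict[str, RbacPolicy]):  # PRP: target path carried in Content -> its policy
    def prp(req: Request) -> Response:
        policy = policies.get(req.content["To"])
        return Response("OK", {"policy": policy}) if policy else Response("NOT_FOUND")
    return prp

def make_pip(profiles: Dict[str, dict]):  # PIP: requested attribute from the user's subscription profile
    def pip(req: Request) -> Response:
        attr, profile = req.content["attribute"], profiles.get(req.content["user"], {})
        return Response("OK", {attr: profile[attr]}) if attr in profile else Response("NOT_FOUND")
    return pip

def pep_retrieve(req: Request) -> Response:
    """PEP on the hosting CSE: asks the bound PDP before serving an ordinary resource."""
    cse = CSES[req.to.split("/")[0]]
    d = send(Request(cse.name, cse.pdp_path, RETRIEVE,
                     {"originator": req.originator, "target": req.to, "operation": req.operation}))
    if d.rsc != "OK" or d.content.get("decision") != "Allow" or req.to not in cse.resources:
        return Response("ACCESS_DENIED")
    return Response("OK", cse.resources[req.to])

def build_scenario() -> None:  # the four CSEs of the worked embodiment, with constructed sample data
    cse1, cse2, cse3, cse4 = (CSE(n) for n in ("CSE-1", "CSE-2", "CSE-3", "CSE-4"))
    cse1.resources["CSE-1/Group-1/memberIDs"] = {"memberIDs": ["AE-7", "AE-9"]}
    cse1.pdp_path = "CSE-2/AccessControl-2/policyDecisionPoint"
    cse2.access_control["AccessControl-2"] = ({"CSE-1"}, {"policyDecisionPoint": make_pdp(
        cse2, "CSE-3/AccessControl-3/policyRetrievalPoint", "CSE-4/AccessControl-4/policyInformationPoint")})
    cse3.access_control["AccessControl-3"] = ({"CSE-2"}, {"policyRetrievalPoint": make_prp(
        {"CSE-1/Group-1/memberIDs": RbacPolicy("RBAC-Policy", {("Administrator", RETRIEVE)})})})
    cse4.access_control["AccessControl-4"] = ({"CSE-2"}, {"policyInformationPoint": make_pip(
        {"AE-1": {"Role": "Administrator"}, "AE-2": {"Role": "Guest"}})})
```

After build_scenario(), pep_retrieve(Request("AE-1", "CSE-1/Group-1/memberIDs", RETRIEVE)) walks the same path as steps 2 to 10 and comes back OK with the memberIDs content, while the same read as AE-2 (Guest) comes back ACCESS_DENIED. An AE that addresses CSE-3's policyRetrievalPoint or CSE-4's policyInformationPoint directly is rejected by that CSE's own <accessControl> check, which is what the per-CSE policies in the assumptions above buy: only the bound PDP may pull policies and attributes, and only CSE-1 may ask the PDP. The PDP fails closed when the PRP has no policy for the target or the PIP cannot supply a required attribute, an edge the step-by-step narrative does not cover.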
Based on the same inventive concept, an embodiment of the present application further provides a CSE. For its specific implementation refer to the description above of CSE1 with the PDP function; repeated details are not described again. As shown in FIG. 7, the CSE mainly includes:
a first obtaining module 701, configured to obtain a first resource read request from a common services entity (CSE) for the policy decision point resource under the access control resource, the first resource read request carrying the request information for the initiator's access control decision on the target resource in that CSE;
a second obtaining module 702, configured to send, according to the first resource read request, a second resource read request to the bound policy retrieval point resource so as to obtain the access control policy corresponding to the target resource, the second resource read request carrying the request information for the access control policy of the target resource;
a processing module 703, configured to determine the initiator's access control decision on the target resource according to the obtained access control policy, and to return the access control decision to that CSE;
where the access control resource is an ordinary resource under the root resource of the CSE it belongs to, and the policy decision point resource and the policy retrieval point resource are each virtual resources under their respective access control resources.
Optionally, the access control resource has the generic attributes of an ordinary resource and additionally has a common attribute that designates an access control policy.
Optionally, the CSE further includes a third obtaining module 704, configured to send a third resource read request to the bound policy information point resource, after the second obtaining module 702 has obtained the access control policy corresponding to the target resource and before the processing module 703 determines the initiator's access control decision on the target resource, so as to obtain the attribute information corresponding to the access control policy; the third resource read request carries the request information for the access control attributes of the access control policy;
where the policy information point resource is a virtual resource under its corresponding access control resource.
Specifically, the processing module 703 is further configured to:
after the first obtaining module obtains the first resource read request from the CSE for the policy decision point resource under the access control resource, and before the second obtaining module sends the second resource read request to the bound policy retrieval point resource according to the first resource read request,
determine, according to the access control policy designated by the access control resource to which the policy decision point resource belongs, that the CSE is allowed to access the policy decision point resource.
Specifically, the second obtaining module is further configured to:
after sending the second resource read request to the bound policy retrieval point resource according to the first resource read request, and before obtaining the access control policy corresponding to the target resource,
determine, according to the access control policy designated by the access control resource to which the policy retrieval point resource belongs, that the CSE is allowed to access the policy retrieval point resource.
Specifically, the third obtaining module is further configured to:
after sending the third resource read request to the bound policy information point resource, and before obtaining the attribute information corresponding to the access control policy,
determine, according to the access control policy designated by the access control resource to which the policy information point resource belongs, that the CSE is allowed to access the policy information point resource.
Specifically, if the attribute information corresponding to the access control policy has been obtained, the processing module is specifically configured to:
determine the initiator's access control decision on the target resource according to the access control policy and the attribute information corresponding to the access control policy.
Specifically, the policy decision point resource, the policy retrieval point resource and the policy information point resource are located under access control resources under different CSE root nodes;
or
at least two of the policy decision point resource, the policy retrieval point resource and the policy information point resource are located under different access control resources under the same CSE root node;
or
the policy decision point resource, the policy retrieval point resource and the policy information point resource belong to the same access control resource under the same CSE root node.
Based on the same inventive concept, an embodiment of the present application further provides a CSE. For its specific implementation refer to the description above of CSE1 with the PDP function; repeated details are not described again. As shown in FIG. 8, the CSE mainly includes a processor 801 and a memory 802, where the memory 802 stores a preset program and the processor 801 is configured to read the preset program from the memory 802 and, according to that program, carry out the following process:
obtain a first resource read request from a common services entity (CSE) for the policy decision point resource under the access control resource, the first resource read request carrying the request information for the initiator's access control decision on the target resource in that CSE;
send, according to the first resource read request, a second resource read request to the bound policy retrieval point resource so as to obtain the access control policy corresponding to the target resource, the second resource read request carrying the request information for the access control policy of the target resource;
determine the initiator's access control decision on the target resource according to the obtained access control policy, and return the access control decision to that CSE;
where the access control resource is an ordinary resource under the root resource of the CSE it belongs to, and the policy decision point resource and the policy retrieval point resource are each virtual resources under their respective access control resources.
Optionally, after obtaining the access control policy corresponding to the target resource and before determining the initiator's access control decision on the target resource, the processor 801 sends a third resource read request to the bound policy information point resource to obtain the attribute information corresponding to the access control policy, the third resource read request carrying the request information for the access control attributes of the access control policy;
where the policy information point resource is a virtual resource under its corresponding access control resource.
Optionally, the access control resource has the generic attributes of an ordinary resource and additionally has a common attribute that designates an access control policy.
Specifically, after obtaining the first resource read request from the CSE for the policy decision point resource under the access control resource, and before sending the second resource read request to the bound policy retrieval point resource according to the first resource read request, the processor 801
determines, according to the access control policy designated by the access control resource to which the policy decision point resource belongs, that the CSE is allowed to access the policy decision point resource.
Specifically, after sending the second resource read request to the bound policy retrieval point resource according to the first resource read request, and before obtaining the access control policy corresponding to the target resource, the processor 801
determines, according to the access control policy designated by the access control resource to which the policy retrieval point resource belongs, that the CSE is allowed to access the policy retrieval point resource.
Specifically, after sending the third resource read request to the bound policy information point resource, and before obtaining the attribute information corresponding to the access control policy, the processor 801
determines, according to the access control policy designated by the access control resource to which the policy information point resource belongs, that the CSE is allowed to access the policy information point resource.
Specifically, if the processor 801 obtains the attribute information corresponding to the access control policy, it determines the initiator's access control decision on the target resource according to the access control policy and the attribute information corresponding to the access control policy.
The policy decision point resource, the policy retrieval point resource and the policy information point resource are located under access control resources under different CSE root nodes;
or
at least two of the policy decision point resource, the policy retrieval point resource and the policy information point resource are located under different access control resources under the same CSE root node;
or
the policy decision point resource, the policy retrieval point resource and the policy information point resource belong to the same access control resource under the same CSE root node.
Based on the same inventive concept, an embodiment of the present application further provides a CSE. For its specific implementation refer to the description above of CSE2 with the PRP function; repeated details are not described again. As shown in FIG. 9, this CSE2 mainly includes:
an obtaining module 901, configured to obtain a resource read request from a common services entity (CSE) for the policy retrieval point resource under the access control resource, the resource read request carrying the request information for the access control policy of the target resource that the initiator requests to access;
a processing module 902, configured to obtain the access control policy corresponding to the target resource and return it to that CSE;
where the access control resource is an ordinary resource under the root resource of the CSE it belongs to, and the policy retrieval point resource is a virtual resource under its corresponding access control resource.
The access control resource has the generic attributes of an ordinary resource and additionally has a common attribute that designates an access control policy.
Optionally, the processing module 902 is further configured to:
after the obtaining module obtains the resource read request from the CSE for the policy retrieval point resource under the access control resource, and before obtaining the access control policy corresponding to the target resource,
determine, according to the access control policy designated by the access control resource to which the policy retrieval point resource belongs, that the CSE is allowed to access the policy retrieval point resource.
Based on the same inventive concept, an embodiment of the present application further provides a CSE. For its specific implementation refer to the description above of CSE2 with the PRP function; repeated details are not described again. As shown in FIG. 10, the CSE mainly includes a processor 1001 and a memory 1002, where the memory 1002 stores a preset program and the processor 1001 is configured to read the preset program from the memory 1002 and, according to that program, carry out the following process:
obtain a resource read request from a common services entity (CSE) for the policy retrieval point resource under the access control resource, the resource read request carrying the request information for the access control policy of the target resource that the initiator requests to access;
obtain the access control policy corresponding to the target resource and return it to that CSE;
where the access control resource is an ordinary resource under the root resource of the CSE it belongs to, and the policy retrieval point resource is a virtual resource under its corresponding access control resource.
Optionally, the access control resource has the generic attributes of an ordinary resource and additionally has a common attribute that designates an access control policy.
Specifically, after obtaining the resource read request from the CSE for the policy retrieval point resource under the access control resource, and before obtaining the access control policy corresponding to the target resource, the processor 1001
determines, according to the access control policy designated by the access control resource to which the policy retrieval point resource belongs, that the CSE is allowed to access the policy retrieval point resource.
Based on the same inventive concept, an embodiment of the present application further provides a CSE. For its specific implementation refer to the description above of CSE3 with the PIP function; repeated details are not described again. As shown in FIG. 11, this CSE3 mainly includes:
an obtaining module 1101, configured to obtain a resource read request from a common services entity (CSE) for the policy information point resource under the access control resource, the resource read request carrying the request information for the access control attributes of the access control policy;
a processing module 1102, configured to obtain the attribute information corresponding to the access control policy and return it to that CSE;
where the access control resource is an ordinary resource under the root resource of the CSE it belongs to, and the policy information point resource is a virtual resource under its corresponding access control resource.
Optionally, the access control resource has the generic attributes of an ordinary resource and additionally has a common attribute that designates an access control policy.
Specifically, the processing module is further configured to:
after the obtaining module obtains the resource read request from the CSE for the policy information point resource under the access control resource, and before obtaining the attribute information corresponding to the access control policy,
determine, according to the access control policy designated by the access control resource to which the policy information point resource belongs, that the CSE is allowed to access the policy information point resource.
Based on the same inventive concept, an embodiment of the present application further provides a CSE. For its specific implementation refer to the description above of CSE3 with the PIP function; repeated details are not described again. As shown in FIG. 12, the CSE mainly includes a processor 1201 and a memory 1202, where the memory 1202 stores a preset program and the processor 1201 is configured to read the preset program from the memory 1202 and, according to that program, carry out the following process:
obtain a resource read request from a common services entity (CSE) for the policy information point resource under the access control resource, the resource read request carrying the request information for the access control attributes of the access control policy;
obtain the attribute information corresponding to the access control policy and return it to that CSE;
where the access control resource is an ordinary resource under the root resource of the CSE it belongs to, and the policy information point resource is a virtual resource under its corresponding access control resource.
Optionally, the access control resource has the generic attributes of an ordinary resource and additionally has a common attribute that designates an access control policy.
Specifically, after obtaining the resource read request from the CSE for the policy information point resource under the access control resource, and before obtaining the attribute information corresponding to the access control policy, the processor 1201
determines, according to the access control policy designated by the access control resource to which the policy information point resource belongs, that the CSE is allowed to access the policy information point resource.
On the basis of the above technical solution, the embodiments of the present application define an ordinary resource, the access control resource, under the CSE root resource; define a policy decision point resource and/or a policy retrieval point resource under the access control resource; and define the policy decision point resource as a virtual resource that triggers the PDP process and the policy retrieval point resource as a virtual resource that triggers the PRP process. A resource read request for the policy decision point resource under the access control resource therefore triggers the CSE with the PDP function to obtain the access control policy of the target resource by reading the bound policy retrieval point resource, and to make the access control decision on the access request for the target resource according to the obtained access control policy.
Further, a policy information point resource is defined under the access control resource and is defined as a virtual resource that triggers the PIP process; the CSE with the PDP function triggers the retrieval of the attribute information of the access control policy by sending a read request to the bound policy information point resource, so that the access control decision can be made on the basis of the access control policy together with its attribute information.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from its spirit and scope. Thus, if these modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to cover them as well.

Claims (28)

  1. An access control method, comprising:
    acquiring a first resource read request from a common services entity (CSE) for a policy decision point resource under an access control resource, the first resource read request carrying request information for an access control decision on an originator's access to a target resource in the CSE;
    sending, according to the first resource read request, a second resource read request for a bound policy acquisition point resource so as to obtain the access control policy corresponding to the target resource, the second resource read request carrying request information for the access control policy of the target resource;
    determining, according to the obtained access control policy, the access control decision of the originator on the target resource, and returning the access control decision to the CSE;
    wherein the access control resource is an ordinary resource under the CSE root resource to which it belongs, and the policy decision point resource and the policy acquisition point resource are each a virtual resource under their corresponding access control resource.
  2. The method according to claim 1, wherein the access control resource has the universal attributes of an ordinary resource and additionally has a common attribute that specifies an access control policy.
  3. The access control method according to claim 2, wherein, after obtaining the access control policy corresponding to the target resource and before determining the access control decision of the originator on the target resource, the method further comprises:
    sending a third resource read request to a bound policy information point resource so as to obtain the attribute information corresponding to the access control policy, the third resource read request carrying request information for access control attributes of the access control policy;
    wherein the policy information point resource is a virtual resource under its corresponding access control resource.
  4. The method according to claim 2, wherein, after acquiring the first resource read request from the CSE for the policy decision point resource under the access control resource and before sending the second resource read request for the bound policy acquisition point resource according to the first resource read request, the method further comprises:
    determining, according to the access control policy specified by the access control resource to which the policy decision point resource belongs, that the CSE is allowed to access the policy decision point resource.
  5. The method according to claim 2, wherein, after sending the second resource read request for the bound policy acquisition point resource according to the first resource read request and before obtaining the access control policy corresponding to the target resource, the method further comprises:
    determining, according to the access control policy specified by the access control resource to which the policy acquisition point resource belongs, that the CSE is allowed to access the policy acquisition point resource.
  6. The method according to claim 3, wherein, after sending the third resource read request to the bound policy information point resource and before obtaining the attribute information corresponding to the access control policy, the method further comprises:
    determining, according to the access control policy specified by the access control resource to which the policy information point resource belongs, that the CSE is allowed to access the policy information point resource.
  7. The method according to claim 3, wherein determining the access control decision of the originator on the target resource comprises:
    determining the access control decision of the originator on the target resource according to the access control policy and the attribute information corresponding to the access control policy.
  8. The method according to claim 3, wherein the policy decision point resource, the policy acquisition point resource and the policy information point resource are located under access control resources under different CSE root nodes, respectively;
    or,
    at least two of the policy decision point resource, the policy acquisition point resource and the policy information point resource are located under different access control resources under the same CSE root node;
    or,
    the policy decision point resource, the policy acquisition point resource and the policy information point resource belong to the same access control resource under the same CSE root node.
  9. A method for obtaining an access control policy, comprising:
    acquiring a resource read request from a common services entity (CSE) for a policy acquisition point resource under an access control resource, the resource read request carrying request information for the access control policy of a target resource that an originator requests to access;
    obtaining the access control policy corresponding to the target resource and returning it to the CSE;
    wherein the access control resource is an ordinary resource under the CSE root resource to which it belongs, and the policy acquisition point resource is a virtual resource under its corresponding access control resource.
  10. The method according to claim 9, wherein the access control resource has the universal attributes of an ordinary resource and additionally has a common attribute that specifies an access control policy.
  11. The method according to claim 10, wherein, after acquiring the resource read request from the CSE for the policy acquisition point resource under the access control resource and before obtaining the access control policy corresponding to the target resource, the method further comprises:
    determining, according to the access control policy specified by the access control resource to which the policy acquisition point resource belongs, that the CSE is allowed to access the policy acquisition point resource.
  12. A method for obtaining access control attributes, comprising:
    acquiring a resource read request from a common services entity (CSE) for a policy information point resource under an access control resource, the resource read request carrying request information for access control attributes of an access control policy;
    obtaining the attribute information corresponding to the access control policy and returning it to the CSE;
    wherein the access control resource is an ordinary resource under the CSE root resource to which it belongs, and the policy information point resource is a virtual resource under its corresponding access control resource.
  13. The method according to claim 12, wherein the access control resource has the universal attributes of an ordinary resource and additionally has a common attribute that specifies an access control policy.
  14. The method according to claim 13, wherein, after acquiring the resource read request from the CSE for the policy information point resource under the access control resource and before obtaining the attribute information corresponding to the access control policy, the method further comprises:
    determining, according to the access control policy specified by the access control resource to which the policy information point resource belongs, that the CSE is allowed to access the policy information point resource.
  15. A common services entity (CSE), comprising:
    a first acquisition module, configured to acquire a first resource read request from a CSE for a policy decision point resource under an access control resource, the first resource read request carrying request information for an access control decision on an originator's access to a target resource in that CSE;
    a second acquisition module, configured to send, according to the first resource read request, a second resource read request for a bound policy acquisition point resource so as to obtain the access control policy corresponding to the target resource, the second resource read request carrying request information for the access control policy of the target resource;
    a processing module, configured to determine, according to the obtained access control policy, the access control decision of the originator on the target resource, and to return the access control decision to the requesting CSE;
    wherein the access control resource is an ordinary resource under the CSE root resource to which it belongs, and the policy decision point resource and the policy acquisition point resource are each a virtual resource under their corresponding access control resource.
  16. The CSE according to claim 15, wherein the access control resource has the universal attributes of an ordinary resource and additionally has a common attribute that specifies an access control policy.
  17. The CSE according to claim 16, further comprising a third acquisition module, configured to send, after the second acquisition module has obtained the access control policy corresponding to the target resource and before the processing module determines the access control decision of the originator on the target resource, a third resource read request to a bound policy information point resource so as to obtain the attribute information corresponding to the access control policy, the third resource read request carrying request information for access control attributes of the access control policy;
    wherein the policy information point resource is a virtual resource under its corresponding access control resource.
  18. The CSE according to claim 16, wherein the processing module is further configured to:
    after the first acquisition module acquires the first resource read request from the requesting CSE for the policy decision point resource under the access control resource, and before the second acquisition module sends the second resource read request for the bound policy acquisition point resource according to the first resource read request,
    determine, according to the access control policy specified by the access control resource to which the policy decision point resource belongs, that the requesting CSE is allowed to access the policy decision point resource.
  19. The CSE according to claim 16, wherein the second acquisition module is further configured to:
    after sending the second resource read request for the bound policy acquisition point resource according to the first resource read request, and before obtaining the access control policy corresponding to the target resource,
    determine, according to the access control policy specified by the access control resource to which the policy acquisition point resource belongs, that the requesting CSE is allowed to access the policy acquisition point resource.
  20. The CSE according to claim 17, wherein the third acquisition module is further configured to:
    after sending the third resource read request to the bound policy information point resource, and before obtaining the attribute information corresponding to the access control policy,
    determine, according to the access control policy specified by the access control resource to which the policy information point resource belongs, that the requesting CSE is allowed to access the policy information point resource.
  21. The CSE according to claim 17, wherein the processing module is specifically configured to:
    determine the access control decision of the originator on the target resource according to the access control policy and the attribute information corresponding to the access control policy.
  22. The CSE according to claim 17, wherein the policy decision point resource, the policy acquisition point resource and the policy information point resource are located under access control resources under different CSE root nodes, respectively;
    or,
    at least two of the policy decision point resource, the policy acquisition point resource and the policy information point resource are located under different access control resources under the same CSE root node;
    or,
    the policy decision point resource, the policy acquisition point resource and the policy information point resource belong to the same access control resource under the same CSE root node.
  23. A common services entity (CSE), comprising:
    an acquisition module, configured to acquire a resource read request from a CSE for a policy acquisition point resource under an access control resource, the resource read request carrying request information for the access control policy of a target resource that an originator requests to access;
    a processing module, configured to obtain the access control policy corresponding to the target resource and to return it to the requesting CSE;
    wherein the access control resource is an ordinary resource under the CSE root resource to which it belongs, and the policy acquisition point resource is a virtual resource under its corresponding access control resource.
  24. The CSE according to claim 23, wherein the access control resource has the universal attributes of an ordinary resource and additionally has a common attribute that specifies an access control policy.
  25. The CSE according to claim 24, wherein the processing module is further configured to:
    after the acquisition module acquires the resource read request from the requesting CSE for the policy acquisition point resource under the access control resource, and before obtaining the access control policy corresponding to the target resource,
    determine, according to the access control policy specified by the access control resource to which the policy acquisition point resource belongs, that the requesting CSE is allowed to access the policy acquisition point resource.
  26. A common services entity (CSE), comprising:
    an acquisition module, configured to acquire a resource read request from a CSE for a policy information point resource under an access control resource, the resource read request carrying request information for access control attributes of an access control policy;
    a processing module, configured to obtain the attribute information corresponding to the access control policy and to return it to the requesting CSE;
    wherein the access control resource is an ordinary resource under the CSE root resource to which it belongs, and the policy information point resource is a virtual resource under its corresponding access control resource.
  27. The CSE according to claim 26, wherein the access control resource has the universal attributes of an ordinary resource and additionally has a common attribute that specifies an access control policy.
  28. The CSE according to claim 27, wherein the processing module is further configured to:
    after the acquisition module acquires the resource read request from the requesting CSE for the policy information point resource under the access control resource, and before obtaining the attribute information corresponding to the access control policy, determine, according to the access control policy specified by the access control resource to which the policy information point resource belongs, that the requesting CSE is allowed to access the policy information point resource.
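As an added example (not the patent's own code and not oneM2M reference code), the following Python simulates the flow the claims describe: a requesting CSE reads the pdp virtual resource under an accessControl resource, the PDP-capable CSE reads the bound prp and pip virtual resources, and every virtual resource is reachable only if the accessControl resource it belongs to permits the requesting CSE to read it (claims 4 to 6, 11 and 14). Resource names such as ac1/pdp, the rule format, the status codes and the "role" attribute are assumptions made for illustration.

```python
# Added example (not the patent's code): the PDP/PRP/PIP virtual-resource flow of
# the claims, simulated across three CSE roots (claim 8, first variant). Resource
# names, the rule format and the "role" attribute are assumptions for illustration.
from collections import namedtuple

RETRIEVE = "RETRIEVE"
# A policy rule: originators ("*" = any), permitted operations, optional attribute condition.
Rule = namedtuple("Rule", "originators operations required_role", defaults=(None,))
# A resource: handler is set only on virtual resources (pdp/prp/pip).
Resource = namedtuple("Resource", "path attrs handler", defaults=(None,))

def rule_matches(rule, originator, operation):
    return ("*" in rule.originators or originator in rule.originators) and operation in rule.operations

class CSE:
    registry = {}                        # constructed: root name -> CSE, all reachable
    def __init__(self, root):
        self.root, self.tree = root, {}
        CSE.registry[root] = self
    def add(self, res):
        self.tree[res.path] = res
    @staticmethod
    def retrieve(requester, path, content):
        """Route a RETRIEVE to the CSE whose root owns `path`."""
        cse = CSE.registry[path.split("/")[0]]
        res = cse.tree[path]
        if res.handler is None:          # ordinary resource: return its attributes
            return {"status": "OK", "content": res.attrs}
        # Claims 4/5/6, 11, 14: a virtual resource triggers nothing unless the
        # accessControl resource it belongs to grants RETRIEVE to the requester.
        parent = cse.tree[path.rsplit("/", 1)[0]]
        if not any(rule_matches(r, requester, RETRIEVE) for r in parent.attrs["accessControlPolicy"]):
            return {"status": "ACCESS_DENIED"}
        return res.handler(cse, res, requester, content)

def pdp_handler(cse, res, requester, req):
    """Policy decision point, triggered by the first read request (claim 1)."""
    # Second read request: fetch the target's policy from the bound PRP.
    prp = CSE.retrieve(cse.root, res.attrs["boundPRP"], {"target": req["target"]})
    decision = "DENY"                    # fail closed: no policy, PRP unreadable, or no match
    for rule in (prp["content"]["rules"] if prp["status"] == "OK" else []):
        if not rule_matches(rule, req["originator"], req["operation"]):
            continue
        if rule.required_role is None:
            decision = "PERMIT"
            break
        # Third read request (claims 3, 7): resolve the attribute via the bound PIP.
        pip = CSE.retrieve(cse.root, res.attrs["boundPIP"],
                           {"originator": req["originator"], "attribute": "role"})
        if pip["status"] == "OK" and pip["content"]["role"] == rule.required_role:
            decision = "PERMIT"
            break
    return {"status": "OK", "content": {"decision": decision}}

def prp_handler(cse, res, requester, req):
    """Policy retrieval point (claim 9): returns the rules stored for the target."""
    rules = res.attrs["policies"].get(req["target"])
    return {"status": "OK", "content": {"rules": rules}} if rules else {"status": "NOT_FOUND"}

def pip_handler(cse, res, requester, req):
    """Policy information point (claim 12): returns one attribute of the originator."""
    value = res.attrs["attributes"].get(req["originator"], {}).get(req["attribute"])
    return {"status": "OK", "content": {req["attribute"]: value}} if value else {"status": "NOT_FOUND"}

def build_network():
    c1, c2, c3 = CSE("CSEBase1"), CSE("CSEBase2"), CSE("CSEBase3")
    # accessControl resources: ordinary resources whose common attribute
    # accessControlPolicy says which CSE may read their virtual children (claim 2).
    c1.add(Resource("CSEBase1/ac1", {"accessControlPolicy": [Rule(["CSEBase0"], [RETRIEVE])]}))
    c2.add(Resource("CSEBase2/ac2", {"accessControlPolicy": [Rule(["CSEBase1"], [RETRIEVE])]}))
    c3.add(Resource("CSEBase3/ac3", {"accessControlPolicy": [Rule(["CSEBase1"], [RETRIEVE])]}))
    c1.add(Resource("CSEBase1/ac1/pdp",
                    {"boundPRP": "CSEBase2/ac2/prp", "boundPIP": "CSEBase3/ac3/pip"}, pdp_handler))
    c2.add(Resource("CSEBase2/ac2/prp", {"policies": {"CSEBase1/sensor1/data": [
        Rule(["AE-1"], [RETRIEVE]),
        Rule(["*"], [RETRIEVE, "UPDATE"], required_role="admin")]}}, prp_handler))
    c3.add(Resource("CSEBase3/ac3/pip",
                    {"attributes": {"AE-2": {"role": "admin"}, "AE-3": {"role": "guest"}}}, pip_handler))

def decide(requester, originator, operation, target):
    """The requesting CSE reads <accessControl>/pdp with the originator's request info."""
    rsp = CSE.retrieve(requester, "CSEBase1/ac1/pdp",
                       {"originator": originator, "operation": operation, "target": target})
    return rsp["content"]["decision"] if rsp["status"] == "OK" else rsp["status"]
```

A CSE that is not listed in ac1's accessControlPolicy gets ACCESS_DENIED before the PDP process is even triggered, and an originator whose attribute the PIP cannot supply is denied rather than permitted.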
PCT/CN2016/072206 2015-03-12 2016-01-26 Method for access control, policy acquisition, attribute acquisition and related apparatus WO2016141783A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510109267.9A CN106034112B (en) 2015-03-12 2015-03-12 Access control, strategy acquisition, attribute acquisition methods and relevant apparatus
CN201510109267.9 2015-03-12

Publications (1)

Publication Number Publication Date
WO2016141783A1 true WO2016141783A1 (en) 2016-09-15

Family

ID=56879826

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/072206 WO2016141783A1 (en) 2015-03-12 2016-01-26 Method for access control, policy acquisition, attribute acquisition and related apparatus

Country Status (2)

Country Link
CN (1) CN106034112B (en)
WO (1) WO2016141783A1 (en)

Also Published As

Publication number Publication date
CN106034112B (en) 2019-05-10
CN106034112A (en) 2016-10-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16761010; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 16761010; Country of ref document: EP; Kind code of ref document: A1)