WO2017181863A1 - Resource access control method and apparatus - Google Patents


Info

Publication number: WO2017181863A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2017/079937
Prior art keywords: resource, access control, access, attribute, policy
Other languages: French (fr), Chinese (zh)
Inventor: 周巍 (Zhou Wei)
Original assignee / applicant: 电信科学技术研究院 (China Academy of Telecommunications Technology, CATT)
Publication: WO2017181863A1 (patent/WO2017181863A1/en)

Classifications

    • H: Electricity > H04: Electric communication technique > H04L: Transmission of digital information, e.g. telegraphic communication > H04L 63/00: Network architectures or network communication protocols for network security
        • H04L 63/10: for controlling access to devices or network resources
        • H04L 63/02: for separating internal from external traffic, e.g. firewalls > H04L 63/0227: Filtering policies
        • H04L 63/08: for authentication of entities > H04L 63/0892: by using authentication-authorization-accounting [AAA] servers or protocols
    • H: Electricity > H04: Electric communication technique > H04L: Transmission of digital information > H04L 65/00: Network arrangements, protocols or services for supporting real-time applications in data packet communication > H04L 65/40: Support for services or applications

Definitions

  • The present application relates to the field of communications technologies, and in particular to a resource access control method and apparatus.
  • oneM2M, the Internet of Things standardization organization, develops a series of technical specifications for constructing a common M2M (Machine-to-Machine) service layer.
  • The core of oneM2M is data sharing, which is realized by sharing data items on the resource tree defined in the oneM2M CSE (Common Services Entity); oneM2M implements sharing and interaction of service-layer resources by operating on this standardized resource tree.
  • The oneM2M resource tree exists in the CSE defined by the oneM2M system.
  • The form of the oneM2M resource tree is shown in Figure 1 according to the definition in the oneM2M functional architecture specification (oneM2M TS-0001: "Functional Architecture"). Create, Retrieve, Update and Delete operations can be performed on oneM2M resources.
  • The authorization-related resource among those defined by oneM2M is the access control policy resource <accessControlPolicy>, which defines an Access Control Policy (ACP). An <accessControlPolicy> resource is uniquely identified by its resource ID, and other resources specify the access control policies that apply to them through their accessControlPolicyIDs attribute.
  • The security specification in the oneM2M series (oneM2M TS-0003: "Security Solutions") gives a high-level description of the oneM2M authorization architecture: its main components and basic flows are described, but no specific implementation is given at the resource structure level.
  • The embodiments of the present application provide a resource access control method and apparatus, that is, a resource access control scheme defined at the resource structure level.
  • In the method, the policy decision point PDP receives an access control decision request sent by the policy enforcement point PEP, where the access control decision request is generated by the PEP according to an authorization decision resource;
  • the PDP makes an access control decision according to the access control decision request and obtains access control decision information;
  • the PDP carries the access control decision information in an access control decision response and sends the response to the PEP.
  • The access control decision request includes one or both of:
  • return result indication information, configured to indicate the parameters that the access control decision request asks to have returned, where the return result indication information is generated according to the attributes and/or sub-resources of the authorization decision resource; and
  • a resource access filter condition, used to indicate the filter condition of the resource operation, where the resource access filter condition is generated according to the attributes and/or sub-resources of the authorization decision resource.
  • The attribute of the authorization decision resource used to generate the return result indication information includes:
  • an allowed resource type attribute, used to carry the sub-resource type identifiers of the target resource that are allowed to be accessed, where the target resource is the resource that the resource access initiator requests to access.
  • The attributes of the authorization decision resource used to generate the resource access filter condition include one or any combination of the following:
  • a target attribute, configured to carry the resource address of the target resource that the resource access initiator requests to access;
  • an initiator attribute, used to carry the identifier of the resource access initiator;
  • an operation attribute, configured to carry the identifier of the operation that the resource access initiator requests to perform on the target resource;
  • a content attribute, used to carry the specific content of the target resource that the resource access initiator requests to access;
  • a filter usage attribute, used to carry the parameter indicating how the filter condition supplied by the resource access initiator in the resource access filter condition is to be used;
  • a role identifier attribute, used to carry the set of role identifiers issued to the resource access initiator;
  • a token identifier attribute, configured to carry the set of identifiers of the tokens carrying authorization information issued to the resource access initiator;
  • a token attribute, configured to carry the set of tokens issued to the resource access initiator that carry the authorization information;
  • a request time attribute, configured to carry the time at which the PEP received the resource access request sent by the resource access initiator;
  • a requester IP address attribute, used to carry the IP address carried in the resource access request sent by the resource access initiator.
  • Before the PDP makes the access control decision according to the access control decision request, the method further includes:
  • the PDP sends an access control policy request to the policy retrieval point PRP according to the access control decision request, where the access control policy request is generated by the PDP according to an authorization policy resource, and receives the access control policy response returned by the PRP, where the access control policy response includes the access control policy obtained by the PRP according to the access control policy request;
  • making the access control decision then includes:
  • making the access control decision according to the obtained access control policy.
  • The access control policy request includes one or both of:
  • return result indication information, configured to indicate the parameters that the access control policy request asks to have returned, where the return result indication information is generated according to the attributes and/or sub-resources of the authorization policy resource; and
  • a resource access filter condition, used to indicate the filter condition of the resource operation, where the resource access filter condition is generated according to the attributes and/or sub-resources of the authorization policy resource.
  • The attributes of the authorization policy resource used to generate the return result indication information include one or any combination of the following:
  • a policy attribute, configured to carry the access control policies applicable to the target resource that the resource access initiator requests to access;
  • a merge algorithm attribute, used to carry the identifier of the policy merge algorithm used to combine the multiple access control policies in the policy attribute.
  • The attributes of the authorization policy resource used to generate the resource access filter condition include one or any combination of the following:
  • a target attribute, configured to carry the resource address of the target resource that the resource access initiator requests to access;
  • an initiator attribute, used to carry the identifier of the resource access initiator.
  • Before the PDP makes the access control decision according to the access control decision request, the method further includes:
  • the PDP sends an access control information request to the policy information point PIP according to the access control decision request, where the access control information request is generated by the PDP according to an authorization information resource, and receives the access control information response returned by the PIP, where the access control information response includes the access control information obtained by the PIP according to the access control information request;
  • making the access control decision then includes:
  • making the access control decision according to the obtained access control information.
  • The access control information request includes one or both of:
  • return result indication information, configured to indicate the parameters that the access control information request asks to have returned, where the return result indication information is generated according to the attributes and/or sub-resources of the authorization information resource; and
  • a resource access filter condition, used to indicate the filter condition of the resource operation, where the resource access filter condition is generated according to the attributes and/or sub-resources of the authorization information resource.
  • The attributes of the authorization information resource used to generate the resource access filter condition include one or any combination of the following:
  • an initiator attribute, used to carry the identifier of the resource access initiator;
  • a role identifier attribute, used to carry the set of role identifiers issued to the resource access initiator;
  • a token identifier attribute, used to carry the set of identifiers of the tokens carrying authorization information issued to the resource access initiator.
  • The sub-resources of the authorization information resource used to generate the return result indication information include one or any combination of the following:
  • a role resource, used to host the set of role resources issued to the resource access initiator;
  • a token resource, used to host the set of token resources issued to the resource access initiator.
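The PEP, PDP, PRP and PIP exchange described in the method above (the decision request built from the target, initiator, operation, request time and requester IP attributes, the policy request to the PRP whose response carries the applicable policies and the merge algorithm identifier, and the information request to the PIP returning the role sub-resources of the initiator), as an added Python example that is not part of the patent and not code from any oneM2M implementation. Every resource address, originator identifier, policy, address and timestamp in it is constructed sample data; the operation bit values are an assumption taken from oneM2M TS-0001 (check your release), and the "Deny" effect on a rule is an assumption added only so that the merge algorithm has something to combine, since oneM2M privileges by themselves only grant.

```python
"""Added example (not from the patent): a runnable model of the PEP -> PDP -> PRP/PIP
exchange, named after the attributes the claims list.  All data is constructed;
operation bits are assumed from oneM2M TS-0001; the Deny effect is an assumption."""
import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

CREATE, RETRIEVE, UPDATE, DELETE = 1, 2, 4, 8   # assumed accessControlOperations bits
ANY = "*"                                        # wildcard originator (assumption)


@dataclass(frozen=True)
class DecisionRequest:
    """Access control decision request, built by the PEP from the authorization decision resource."""
    target: str                      # target attribute: address of the requested resource
    initiator: str                   # initiator attribute: originator identifier
    operation: int                   # operation attribute: one operation bit
    request_time: int                # request time attribute: stamped by the PEP, never by the client
    requester_ip: str                # requester IP attribute: transport source address the PEP saw
    content: Optional[dict] = None   # content attribute, e.g. the child resource a CREATE carries


@dataclass(frozen=True)
class Privilege:
    """One rule of an <accessControlPolicy> held by the PRP."""
    originators: frozenset                 # originator IDs, role IDs, or ANY
    operations: int                        # operation bits the rule permits (or denies)
    effect: str = "Permit"                 # "Permit" or "Deny" (Deny is an assumption, see above)
    ip_allow: tuple = ()                   # CIDR strings; empty means any address
    window: Optional[tuple] = None         # (start, end) epoch seconds; None means always
    child_types: frozenset = frozenset()   # resource types a permitted CREATE may produce


# PRP data (constructed): policies, each target's accessControlPolicyIDs, and the merge algorithm.
POLICIES = {
    "acp-sensor": (
        Privilege(frozenset({"role-reader"}), RETRIEVE),
        Privilege(frozenset({"CAE-gateway"}), CREATE | RETRIEVE,
                  ip_allow=("10.0.0.0/8",), child_types=frozenset({"contentInstance"})),
    ),
    "acp-admin": (Privilege(frozenset({"CAE-admin"}), CREATE | RETRIEVE | UPDATE | DELETE),),
    # change freeze: nobody may modify during this window, whatever the other ACPs grant
    "acp-freeze": (Privilege(frozenset({ANY}), UPDATE | DELETE, effect="Deny",
                             window=(1_800_000_000, 1_900_000_000)),),
}
TARGET_ACPS = {"/cse/sensor1/data": ("acp-sensor", "acp-admin", "acp-freeze")}
MERGE_ALGORITHM = "deny-overrides"

# PIP data (constructed): role identifiers issued to each originator.
ROLES = {"CAE-sensor-app": ("role-reader",)}


def prp_get_policies(target, initiator):
    """Access control policy request: the filter is target + initiator; the response carries
    the applicable policies and the identifier of the merge algorithm."""
    return [POLICIES[a] for a in TARGET_ACPS.get(target, ())], MERGE_ALGORITHM


def pip_get_roles(initiator):
    """Access control information request filtered by initiator; returns its role sub-resources."""
    return ROLES.get(initiator, ())


def rule_matches(rule, req, identities):
    """True when the originator, operation, time window and source address all match."""
    if not (identities & rule.originators) and ANY not in rule.originators:
        return False
    if req.operation & rule.operations != req.operation:
        return False
    if rule.window and not (rule.window[0] <= req.request_time <= rule.window[1]):
        return False
    if rule.ip_allow and not any(ip_address(req.requester_ip) in ip_network(n) for n in rule.ip_allow):
        return False
    return True


def pdp_decide(req, algorithm=None):
    """Access control decision: returns the decision information the PDP sends back to the PEP."""
    identities = {req.initiator, *pip_get_roles(req.initiator)}
    policies, prp_algorithm = prp_get_policies(req.target, req.initiator)
    algorithm = algorithm or prp_algorithm
    matched = [r for rules in policies for r in rules if rule_matches(r, req, identities)]
    permits = [r for r in matched if r.effect == "Permit"]
    denies = [r for r in matched if r.effect == "Deny"]
    if algorithm == "deny-overrides":
        result = "DENY" if denies or not permits else "PERMIT"
    elif algorithm == "permit-overrides":
        result = "PERMIT" if permits else "DENY"
    else:
        result = "DENY"              # unknown merge algorithm: fail closed
    allowed = set().union(*(r.child_types for r in permits)) if result == "PERMIT" else set()
    return {"result": result, "allowedChildTypes": sorted(allowed)}


def pep_enforce(initiator, target, operation, source_ip, content=None, now=None):
    """PEP side: build the request from what the PEP itself observed, then enforce the response."""
    req = DecisionRequest(target, initiator, operation,
                          now if now is not None else int(time.time()), source_ip, content)
    decision = pdp_decide(req)
    if decision["result"] != "PERMIT":
        return False, decision
    if operation == CREATE and content is not None and content.get("type") not in decision["allowedChildTypes"]:
        return False, decision       # permitted in general, but not for this child resource type
    return True, decision
```

Two details matter for the attributes the claims name. The request time is stamped by the PEP when it receives the request and the requester IP is the transport source address the PEP observed; a timestamp or address copied out of the request body is under the initiator's control and would let it step around a time-window or address-restricted privilege. The decision response also carries the allowed child resource types, and it is the PEP that enforces them on a CREATE, so a permit for the target does not by itself permit creating an arbitrary sub-resource type. An unrecognised merge algorithm identifier is treated as deny rather than as "permit if anything matches".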
  • In a second method embodiment, the PDP receives an access control decision request sent by the PEP;
  • the PDP sends an access control policy request to the PRP according to the access control decision request, where the access control policy request is generated by the PDP according to an authorization policy resource, and receives the access control policy response returned by the PRP;
  • the PDP makes an access control decision according to the obtained access control policy and obtains access control decision information;
  • the PDP carries the access control decision information in an access control decision response and sends the response to the PEP. The access control policy request carries the return result indication information and the resource access filter condition described above for the authorization policy resource.
  • In a third method embodiment, the PDP receives an access control decision request sent by the PEP;
  • the PDP sends an access control information request to the PIP according to the access control decision request, where the access control information request is generated by the PDP according to an authorization information resource, and receives the access control information response returned by the PIP;
  • the PDP makes an access control decision according to the obtained access control information and obtains access control decision information;
  • the PDP carries the access control decision information in an access control decision response and sends the response to the PEP. The access control information request carries the return result indication information and the resource access filter condition described above for the authorization information resource.
  • The apparatus (a PDP) includes a receiving module, configured to receive an access control decision request sent by the PEP, where the access control decision request is generated by the PEP according to an authorization decision resource;
  • a decision module, configured to make an access control decision according to the access control decision request and obtain access control decision information;
  • a sending module, configured to carry the access control decision information in an access control decision response and send the response to the PEP. The access control decision request carries the return result indication information and the resource access filter condition described above for the authorization decision resource.
  • The apparatus further includes a first obtaining module, configured to send an access control policy request to the policy retrieval point PRP according to the access control decision request, where the access control policy request is generated by the PDP according to an authorization policy resource, and to receive the access control policy response returned by the PRP, where the access control policy response includes the access control policy obtained by the PRP according to the access control policy request;
  • the decision module is then specifically configured to make the access control decision according to the access control policy acquired by the first obtaining module. The access control policy request carries the return result indication information and the resource access filter condition described above for the authorization policy resource.
  • The apparatus further includes a second obtaining module, configured to send an access control information request to the policy information point PIP according to the access control decision request, where the access control information request is generated by the PDP according to an authorization information resource, and to receive the access control information response returned by the PIP, where the access control information response includes the access control information obtained by the PIP according to the access control information request;
  • the decision module is then specifically configured to make the access control decision according to the access control information acquired by the second obtaining module. The access control information request carries the return result indication information and the resource access filter condition described above for the authorization information resource.
  • A second apparatus embodiment includes a receiving module, configured to receive an access control decision request sent by the PEP;
  • an obtaining module, configured to send an access control policy request to the PRP according to the access control decision request, where the access control policy request is generated by the PDP according to an authorization policy resource, and to receive the access control policy response returned by the PRP,
  • where the access control policy response includes the access control policy obtained by the PRP according to the access control policy request;
  • a decision module, configured to make an access control decision according to the obtained access control policy and obtain access control decision information;
  • a sending module, configured to carry the access control decision information in an access control decision response and send the response to the PEP. The access control policy request carries the return result indication information and the resource access filter condition described above for the authorization policy resource.
  • A third apparatus embodiment includes a receiving module, configured to receive an access control decision request sent by the PEP;
  • an obtaining module, configured to send an access control information request to the PIP according to the access control decision request, where the access control information request is generated by the PDP according to an authorization information resource, and to receive the access control information response returned by the PIP,
  • where the access control information response includes the access control information obtained by the PIP according to the access control information request;
  • a decision module, configured to make an access control decision according to the obtained access control information and obtain access control decision information;
  • a sending module, configured to carry the access control decision information in an access control decision response and send the response to the PEP. The access control information request carries the return result indication information and the resource access filter condition described above for the authorization information resource.
  • A device embodiment includes a processor and a transceiver that receives and transmits data under the control of the processor; the access control decision request handled by the device carries the return result indication information and the resource access filter condition described above for the authorization decision resource.
  • The processor is further configured to send an access control policy request to the PRP according to the access control decision request, where the access control policy request is generated according to an authorization policy resource, to receive the access control policy response returned by the PRP, and to make the access control decision according to the obtained access control policy. The access control policy request carries the return result indication information and the resource access filter condition described above for the authorization policy resource.
  • The processor is further configured to send an access control information request to the PIP according to the access control decision request, where the access control information request is generated according to an authorization information resource, to receive the access control information response returned by the PIP, and to make the access control decision according to the obtained access control information. The access control information request carries the return result indication information and the resource access filter condition described above for the authorization information resource.
  • the access control information request includes:
  • Returning result indication information configured to indicate a parameter that is requested to be returned by the access control information request, where the return result indication information is generated according to an attribute and/or a sub-resource of the authorization information resource; and/or,
  • the resource access filtering condition is used to indicate a filtering condition of the resource operation, and the resource access filtering condition is generated according to the attribute and/or the sub resource of the authorization information resource.
  • the attribute used in the authorization information resource to generate the resource access filter condition includes one or any combination of the following:
  • Initiator attribute used to carry the identifier of the resource access initiator
  • Role identification attribute used to carry a set of identifiers of roles issued to the resource access initiator
  • Token identification attribute used to carry a set of identifiers of tokens carrying authorization information issued to the resource access initiator
  • the sub-resource for generating the return result indication information in the authorization information resource includes one or any combination of the following:
  • Role resource used to host a set of role resources issued to the resource access initiator
  • Token resource used to host a set of token resources issued to the resource access initiator.
  • a transceiver for receiving and transmitting data under the control of a processor.
  • the access control policy request includes:
  • Returning result indication information configured to indicate a parameter that is requested to be returned by the access control policy request, where the returned result indication information is generated according to an attribute and/or a sub-resource of the authorization policy resource; and/or,
  • the resource access filter condition is used to indicate a filter condition of the resource operation, and the resource access filter condition is generated according to the attribute and/or the sub-resource of the authorization policy resource.
  • the attribute used in the authorization policy resource to generate the return result indication information includes one or any combination of the following:
  • a policy attribute configured to carry an access control policy applicable to a target resource that the resource access initiator requests to access
  • the merge algorithm attribute is used to carry the identifier of the policy merge algorithm used by the multiple access control policies in the policy attribute;
  • the attributes used in the authorization policy resource to generate the resource access filter condition include one or any combination of the following:
  • a target attribute configured to carry a resource address of a target resource that the resource access initiator requests to access
  • Initiator attribute used to carry the identifier of the resource access initiator.
  • the access control information response returned by the PIP includes the access control information that the PIP obtains according to the access control information request; the access control decision is performed according to the obtained access control information to obtain the access control decision information, and the access control decision information is carried in an access control decision response sent to the PEP;
  • a transceiver for receiving and transmitting data under the control of a processor.
  • the access control information request includes:
  • Returning result indication information configured to indicate a parameter that is requested to be returned by the access control information request, where the return result indication information is generated according to an attribute and/or a sub-resource of the authorization information resource; and/or,
  • the resource access filtering condition is used to indicate a filtering condition of the resource operation, and the resource access filtering condition is generated according to the attribute and/or the sub resource of the authorization information resource.
  • the attribute used in the authorization information resource to generate the resource access filter condition includes one or any combination of the following:
  • Initiator attribute used to carry the identifier of the resource access initiator
  • Role identification attribute used to carry a set of identifiers of roles issued to the resource access initiator
  • Token identification attribute used to carry a set of identifiers of tokens carrying authorization information issued to the resource access initiator
  • the sub-resource for generating the return result indication information in the authorization information resource includes one or any combination of the following:
  • Role resource used to host a set of role resources issued to the resource access initiator
  • Token resource used to host a set of token resources issued to the resource access initiator.
  • the authorization entity generates a request message in the resource access control process according to the newly defined resource, such as an authorization decision resource, an authorization policy resource, or an authorization information resource, so as to obtain the required information from other authorized entities.
  • the resource access control scheme is given at the resource structure level.
  • FIG. 1 is a schematic diagram of a oneM2M resource tree in the prior art
  • FIG. 2 is a schematic diagram of a oneM2M authorization architecture in the prior art
  • FIG. 3 is a schematic diagram of a principle for implementing distributed authorization based on oneM2M resources in the embodiment of the present application
  • FIG. 4 is a schematic diagram of the relationship between an authorization resource and the CSE root resource <CSEBase> in the embodiment of the present application;
  • FIG. 5 is a schematic structural diagram of an <authorizationDecision> resource type provided by an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of an <authorizationPolicy> resource type according to an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of an <authorizationInformation> resource type provided by an embodiment of the present application.
  • FIG. 8 is a schematic flowchart of a general process of resource access control according to an embodiment of the present application.
  • FIG. 9 is a schematic flowchart of interaction between a PEP and a PDP according to an embodiment of the present application.
  • FIG. 10 is a schematic flowchart of interaction between a PDP and a PRP according to an embodiment of the present disclosure
  • FIG. 11 is a schematic flowchart of interaction between a PDP and a PIP according to an embodiment of the present application.
  • FIG. 12 is a schematic structural diagram of a PDP according to an embodiment of the present disclosure.
  • FIG. 13 is a second schematic structural diagram of a PDP according to an embodiment of the present disclosure.
  • FIG. 14 is a third schematic structural diagram of a PDP according to an embodiment of the present disclosure.
  • FIG. 15 is a fourth schematic structural diagram of a PDP according to an embodiment of the present disclosure.
  • FIG. 16 is a fifth schematic structural diagram of a PDP according to an embodiment of the present disclosure.
  • FIG. 17 is a sixth schematic structural diagram of a PDP according to an embodiment of the present application.
  • oneM2M defines two basic entities: AE (Application Entity) and CSE (Common Services Entity).
  • the AE is located at the application layer and implements an M2M application logic.
  • An application logic can reside in multiple M2M nodes or multiple execution instances in a single node.
  • Each execution instance of the application logic is referred to as an AE, and each AE is identified by a unique AE-ID.
  • the CSE consists of "common service functions" in a set of M2M environments. Each CSE is identified by a unique CSE-ID. The oneM2M resource tree exists in the CSE.
  • oneM2M defines three types of resources:
  • Normal Resource Has a specific resource structure and resource attributes.
  • Virtual Resource Does not have a specific resource structure and resource attributes, and is mainly used to trigger a specific process.
  • Announced Resource It has a specific resource structure and attributes. This resource is a copy of some content of common resources on other entities. The main purpose is to facilitate resource discovery.
  • the authorization architecture given in the oneM2M Security Solution Technical Specification (oneM2M TS-0003: Security Solutions) is shown in Figure 2.
  • the architecture can include the following components:
  • PEP Policy Enforcement Point
  • the PEP coexists with the application system that needs access control, and is called by the application system.
  • the PEP generates an access control decision request according to the resource access request of the resource access initiator and sends it to the PDP, and then determines whether to perform the resource access according to the access control decision response returned by the PDP.
  • PDP Policy Decision Point
  • PRP Policy Retrieval Point
  • PIP Policy Information Point
  • the PIP obtains attributes related to users, resources, or environments according to the access control information request of the PDP, such as the IP address of the accessing user, the creator of the resource, the current time, etc., and then returns the obtained attributes to the PDP.
  • the oneM2M basic resource access control process can include:
  • the resource access initiator sends a resource access request (Access Request) to the PEP, and the PEP sends an access control decision request (Decision Request) to the PDP according to the resource access request.
  • Access Request resource access request
  • Decision Request access control decision request
  • the PDP sends an access control policy request (Policy Request) to the PRP according to the access control decision request sent by the PEP, and the PRP returns an access control policy response (Policy Response) to the PDP, where the access control policy response includes an access control policy.
  • Policy Request an access control policy request
  • Policy Response an access control policy response
  • the PDP analyzes and judges the content included in the access control decision request and the access control policy. If other attributes are required for the analysis and decision, the PDP sends an access control information request (Attribute Request) to the PIP, and the PIP sends an access control information response to the PDP, where the access control information response includes the access control related information acquired according to the access control information request.
  • the PDP sends an access control decision response (Decision Response) to the PEP, where the access control decision response includes an access control decision result.
  • the PEP determines whether to perform the resource access request of the resource access initiator according to the access control decision result in the access control decision response.
  • the embodiment of the present application defines three new oneM2M resources for resource access control, and the three resources belong to the normal resource type, which are respectively:
  • the authorization decision resource is represented as an <authorizationDecision> resource in the embodiment of the present application.
  • the authorization policy resource is represented as an <authorizationPolicy> resource in the embodiment of the present application.
  • the authorization information resource is represented as an <authorizationInformation> resource in the embodiment of the present application.
  • Access to different resource types determines the type of authorization request. For example, the access control decision request accesses the <authorizationDecision> resource, the access control policy request accesses the <authorizationPolicy> resource, and the access control information request accesses the <authorizationInformation> resource.
  • the above three resources can be set under the CSE root resource (<CSEBase>), that is, the three resources can be used as sub-resources under the <CSEBase>, and the resource type is a normal resource (Normal Resource).
  • <CSEBase> the CSE root resource
  • the resource type is a normal resource (Normal Resource).
  • These three resources can be located in the same CSE (that is, as sub-resources under the same <CSEBase>), or in different CSEs.
  • the <authorizationDecision> resource is located in the CSE that implements the PDP function.
  • the <authorizationPolicy> resource is located in the CSE that implements the PRP function.
  • the <authorizationInformation> resource is located in the CSE that implements the PIP function.
  • One or more of the above three new resources may be included in one CSE.
  • the same resource included in a CSE (referring to one of the three new resources mentioned above) may have one or more resources.
  • one CSE may include one or more <authorizationDecision> resources.
  • <authorizationDecision> resources can be set to be accessed by different resource access initiators, or by different groups of resource access initiators.
  • FIG. 3 exemplarily shows a resource-based distributed authorization architecture and principle.
  • the PEP (Hosting CSE in the figure) implements the information exchange between the PEP and the PDP, that is, the interaction of the access control decision request and the access control decision response, through the operation of the <authorizationDecision> resource in the CSE (CSE1 in the figure) that implements the PDP function.
  • the PDP (CSE1 in the figure) implements the information exchange between the PDP and the PRP, that is, the interaction of the access control policy request and the access control policy response, through the operation of the <authorizationPolicy> resource in the CSE (CSE2) that implements the PRP function.
  • the PDP (CSE1 in the figure) implements the information exchange between the PDP and the PIP, that is, the interaction of the access control information request and the access control information response, through the operation of the <authorizationInformation> resource in the CSE (CSE3) that implements the PIP function.
  • the <authorizationDecision> resource, the <authorizationPolicy> resource, and the <authorizationInformation> resource are distributed in the CSEs of different authorization entities. In other examples, several of the above three resources may be distributed in the same CSE; the embodiment of the present application does not limit this.
  • the authorization function request initiator uses the oneM2M resource read operation (Retrieve) to read the corresponding resource, uses the Content parameter in the read request (Retrieve Request) to describe the authorization-related information that it expects to obtain (that is, the Content parameter is used to indicate the parameter to be returned by the request), and provides the corresponding input information by using the Filter Criteria parameter in the read request (that is, the Filter Criteria parameter is used to indicate the filtering condition of the resource operation, such as the filtering condition of the resource read operation).
  • the authorization function receiver performs the corresponding authorization process according to the provided input information, and returns the execution result to the authorization function initiator in a read response (Retrieve Response).
  • the Content parameter in the read request may also be referred to as the return result indication information, which may be generated from the attributes and/or sub-resources of the resources defined in the foregoing embodiment of the present application; specifically, it is constructed from the attribute name of the resource or other information that can be used to indicate the attribute;
  • the Filter Criteria parameter in the Retrieve Request may also be referred to as the resource access filter condition, which may be generated from the attributes and/or sub-resources of the resources defined in the embodiment of the present application; specifically, it is constructed from the attribute name and attribute value of the resource.
  • the read request may include: an access control decision request sent by the PEP to the PDP, an access control policy request sent by the PDP to the PRP, and an access control information request sent by the PDP to the PIP, based on the architecture shown in FIG.
  • a resource can contain one or more attributes, and the attributes of the resource are used to carry the attribute values of the resource.
  • One or more attributes may also be included in the above three resources defined in the embodiments of the present application. The attributes in these resources can be divided into two categories according to their use:
  • Attributes used to generate the return result indication information. The result requested by the resource access initiator is placed in these resource attributes, such as the access control decision, the access control policy, the access control information, etc.; these attributes are attributes of the target resource of the Retrieve operation.
  • Attributes used to generate the resource access filter condition. The input parameters provided by the resource access initiator are placed in these resource attributes, such as the identifier of the resource access initiator, the target resource address, the operation on the resource, etc.; these attributes are used to construct the resource filter condition of the Retrieve operation, and the resource access initiator passes the input parameters to the PDP, PRP or PIP in this way.
  • the resources may further include sub-resources, which are used for outputting results and are also referred to as target resources, such as the <role> resource type or the <token> resource type used when querying roles or tokens.
  • FIG. 4 exemplarily shows the relationship between an authorization resource and the CSE root resource <CSEBase>, wherein <CSEBase> may include resource attributes defined by oneM2M (see "Other Resource Attributes" in the figure) and sub-resources defined by oneM2M (see "other sub-resources" in the figure), and further includes the <authorizationDecision> resource, the <authorizationPolicy> resource, and the <authorizationInformation> resource defined in the embodiment of the present application.
  • the number of <authorizationDecision> resources may be one or more, or <authorizationDecision> resources may be absent (the number is represented by "0..n" in the figure, and n is an integer greater than or equal to 1);
  • the number of <authorizationPolicy> resources may be one or more, or <authorizationPolicy> resources may be absent (the number is represented by "0..n" in the figure, and n is an integer greater than or equal to 1);
  • the number of <authorizationInformation> resources may be one or more, or <authorizationInformation> resources may be absent (the number is represented by "0..n" in the figure, and n is an integer greater than or equal to 1).
  • n is an integer greater than or equal to 1; "L" (List) indicates that the attribute value can be in the form of a list.
  • resource attributes and sub-resources are defined as follows:
  • Decision attribute used to carry the access control decision information; the attribute name of the attribute can be represented as decision, and the attribute value is the access control decision; the decision attribute is an optional attribute;
  • Permitted attributes attribute used to carry the attribute names of the target resource that are permitted to be accessed (that is, of the target resource that the resource access initiator requests to access); the attribute name of the attribute can be represented as permittedAttributes, and the attribute value is a list of the attribute names of the target resource that are permitted to be accessed; the permittedAttributes attribute is an optional attribute; further, the attribute value of the attribute may be in a list form;
  • Permitted resource types attribute used to carry the sub-resource type identifiers of the target resource that are permitted to be accessed (that is, of the target resource that the resource access initiator requests to access); the attribute name of the attribute can be represented as permittedResourceTypes, and the attribute value is the sub-resource type identifiers of the target resource that are permitted to be accessed;
  • Status attribute used to carry an error describing the access control decision process; the attribute name of the attribute can be represented as status, and the attribute value is an error describing the access control decision process; the status attribute is an optional attribute;
  • Target attribute used to carry the resource address of the target resource that the resource access initiator requests to access; the attribute name of the attribute can be represented as to, and the attribute value is the address of the target resource accessed by the resource access initiator (Originator); the to attribute is an optional attribute;
  • Initiator attribute used to carry the identifier of the resource access initiator; the attribute name of the attribute can be represented as from, and the attribute value is the identifier of the resource access initiator; the from attribute is an optional attribute;
  • Operation attribute used to carry the identifier of the operation that the resource access initiator requests to perform on the target resource; the attribute name of the attribute can be represented as operation, and the attribute value is the identifier of the operation of the resource access initiator on the target resource; the operation attribute is an optional attribute;
  • Content attribute used to carry the specific content of the target resource that the resource access initiator requests to access; the attribute name of the attribute is content, and the attribute value is the specific content of the target resource that the resource access initiator wants to access; the content attribute is an optional attribute;
  • Filter usage attribute used to carry the parameter indicating the purpose of the filter condition in the resource access filter condition provided by the resource access initiator; the attribute name of the attribute can be represented as filterUsage, and the attribute value is the purpose of the filter condition in the resource access filter condition provided by the resource access initiator;
  • Role ID attribute used to carry a set of identifiers of roles issued to the resource access initiator; the attribute name of the attribute can be represented as roleIDs, and the attribute value is a set of identifiers of roles issued to the resource access initiator; the roleIDs attribute is an optional attribute; further, the attribute value of the attribute may be in a list form;
  • Token identifier attribute used to carry a set of identifiers of tokens carrying authorization information issued to the resource access initiator; the attribute name of the attribute can be represented as tokenIDs, and the attribute value is a set of identifiers of tokens carrying authorization information issued to the resource access initiator; the tokenIDs attribute is an optional attribute; further, the attribute value of the attribute may be in a list form;
  • Token attribute used to carry a set of tokens carrying authorization information issued to the resource access initiator; the attribute name of the attribute can be represented as tokens, and the attribute value is a set of tokens carrying authorization information issued to the resource access initiator; the tokens attribute is an optional attribute; further, the attribute value of the attribute may be in a list form;
  • Request time attribute used to carry the time at which the PEP receives the resource access request sent by the resource access initiator; the attribute name of the attribute can be represented as requestTime, and the attribute value is the time at which the hosting CSE (Hosting CSE) receives the resource access request of the resource access initiator; the requestTime attribute is an optional attribute;
  • Location attribute used to carry the location of the resource access initiator; the attribute name of the attribute can be represented as requestLocation, and the attribute value is the location information of the resource access initiator; the requestLocation attribute is an optional attribute;
  • Requester IP address attribute used to carry the IP address carried in the resource access request sent by the resource access initiator; the attribute name of the attribute can be represented as requestIP, and the attribute value is the IP address carried in the resource access request packet of the resource access initiator; the requestIP attribute is an optional attribute.
  • the <authorizationDecision> resource may also include a sub-resource, represented as <subscription>.
  • the number of <subscription> resources contained in the <authorizationDecision> resource can be one or more.
  • <subscription> can be a sub-resource defined by oneM2M.
  • the decision attribute, the permittedAttributes attribute, the permittedResourceTypes attribute, and the status attribute can be used to generate the "return result indication information" (such as the Content parameter mentioned above) in the access control decision request, and the other attributes can be used to generate the "resource access filter condition" (such as the Filter Criteria parameter described above) in the access control decision request.
  • extending the <authorizationDecision> resource can add new input parameters (such as the Filter Criteria parameter above) to the access control decision request, and new output parameters (such as the Content parameter above) to the access control decision response.
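As an added worked example (not code from the application or from oneM2M), the following Python models the PEP-to-PDP exchange over an <authorizationDecision> resource as described above: the PEP maps the originator's resource access request onto the resource's input attributes (from, to, operation, requestIP) to form the Filter Criteria parameter and names the output attributes it wants back (decision, status) in the Content parameter; the PDP checks that the filter names only input attributes and the Content names only output attributes, decides against a constructed local policy table, and returns only the requested attributes. The resource address, originator identifiers, policy table and the PERMIT/DENY values are assumptions.

```python
from dataclasses import dataclass

# Attribute categories of <authorizationDecision> as defined above: output
# attributes feed the Content parameter, input attributes feed Filter Criteria.
OUTPUT_ATTRS = {"decision", "permittedAttributes", "permittedResourceTypes", "status"}
INPUT_ATTRS = {"to", "from", "operation", "content", "filterUsage", "roleIDs",
               "tokenIDs", "tokens", "requestTime", "requestLocation", "requestIP"}


@dataclass
class RetrieveRequest:
    """A Retrieve request reduced to the fields the scheme relies on (assumed shape)."""
    target: str            # address of the <authorizationDecision> resource on the PDP
    content: list          # return result indication: output attribute names to return
    filterCriteria: dict   # resource access filter condition: input attribute name -> value


def pep_build_decision_request(access_request: dict, pdp_resource: str) -> RetrieveRequest:
    """PEP step: turn the originator's resource access request into an access
    control decision request, i.e. a Retrieve of <authorizationDecision>."""
    inputs = {
        "from": access_request["originator"],
        "to": access_request["to"],
        "operation": access_request["operation"],
        "requestIP": access_request.get("ip"),  # optional attribute, omitted when absent
    }
    return RetrieveRequest(
        target=pdp_resource,
        content=["decision", "status"],
        filterCriteria={k: v for k, v in inputs.items() if v is not None},
    )


# Constructed sample policy held locally by the PDP (the page also allows
# fetching it from the PRP): (originator, target) -> permitted operations.
LOCAL_POLICY = {
    ("C-sensor-01", "/cse1/temperature"): {"CREATE", "UPDATE"},
    ("C-dashboard", "/cse1/temperature"): {"RETRIEVE"},
}


def pdp_handle_decision_request(req: RetrieveRequest) -> dict:
    """PDP step: validate the request against the resource definition, decide,
    and project the resource onto the attributes named in Content."""
    bad_filter = set(req.filterCriteria) - INPUT_ATTRS
    bad_content = set(req.content) - OUTPUT_ATTRS
    if bad_filter or bad_content:
        # A filter naming an output attribute (e.g. "decision"), or a Content
        # naming an input attribute, is malformed: report it and decide nothing.
        return {"status": f"invalid request: filter={sorted(bad_filter)} "
                          f"content={sorted(bad_content)}"}

    # Deny by default; only an explicit policy match flips the decision.
    resource = {"decision": "DENY", "status": None,
                "permittedAttributes": [], "permittedResourceTypes": []}
    fc = req.filterCriteria
    key = (fc.get("from"), fc.get("to"))
    if key not in LOCAL_POLICY:
        resource["status"] = "no applicable policy for (from, to)"
    elif fc.get("operation") in LOCAL_POLICY[key]:
        resource["decision"] = "PERMIT"
    return {name: resource[name] for name in req.content}


def pep_enforce(access_request: dict, pdp_resource: str = "/cse1/authorizationDecision") -> bool:
    """PEP step: perform the access only when the returned decision attribute permits it."""
    response = pdp_handle_decision_request(pep_build_decision_request(access_request, pdp_resource))
    return response.get("decision") == "PERMIT"
```

The two attribute sets are the resource definition turned into an input check: because the PDP rejects any Filter Criteria that names an output attribute, a requester cannot supply its own decision or status, and because the response is projected onto Content, the PDP never returns more than what the request asked for.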
  • the structure of the <authorizationPolicy> resource type is shown in FIG. 6.
  • in the figure, "1" indicates that the attribute occurs exactly once; "0..n" indicates that the attribute may occur 0 to n times, where n is an integer greater than or equal to 1; "L" indicates that the attribute value can be in the form of a list.
  • resource attributes and sub-resources are defined as follows:
  • Policy attribute used to carry the access control policy applicable to the target resource that the resource access initiator requests to access.
  • the attribute name of the attribute can be represented as policies, the attribute value is the access control policy applicable to the target resource, and the policies attribute is an optional attribute. Further, the attribute value of the attribute may be in the form of a list;
  • Merging algorithm attribute used to carry the identifier of the policy merge algorithm used by the multiple access control policies in the policies attribute; the attribute name of the attribute is combiningAlgorithm, and the attribute value is the identifier of the policy merge algorithm used by the multiple access control policies in the policies attribute.
  • Target attribute used to carry the resource address of the target resource that the resource access initiator requests to access; the attribute name of the attribute can be represented as to, the attribute value is the address of the target resource accessed by the resource access initiator, and the to attribute is an optional attribute;
  • Initiator attribute used to carry the identifier of the resource access initiator; the attribute name of the attribute can be represented as from, the attribute value is the identifier of the resource access initiator, and the from attribute is an optional attribute.
  • the <authorizationPolicy> resource may also include a sub-resource, represented as <subscription>.
  • the number of <subscription> resources contained in the <authorizationPolicy> resource can be one or more.
  • <subscription> can be a sub-resource defined by oneM2M.
  • the policies attribute and the combiningAlgorithm attribute can be used to generate the "return result indication information" (such as the Content parameter mentioned above) in the access control policy request, and the other attributes can be used to generate the "resource access filter condition" (such as the Filter Criteria parameter above) in the access control policy request.
  • extending the <authorizationPolicy> resource can add new input parameters (such as the Filter Criteria parameter described above) to the access control policy request, and new output parameters (such as the Content parameter above) to the access control policy response.
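The following Python is an added illustration of the PDP-to-PRP exchange over <authorizationPolicy> described above, together with the policy merging step that the combiningAlgorithm attribute identifies; it is not code from the application. The PRP selects the resource whose to attribute matches the Filter Criteria, keeps only the policies applicable to the from attribute, and returns the attributes named in Content; the PDP then evaluates the returned policies for the requested operation and merges their effects with the identified algorithm. The resources, the per-policy shape (originators, operations, effect) and the three algorithm names (deny-overrides, permit-overrides, first-applicable, XACML-style naming) are assumptions; the page names no particular algorithm.

```python
# Constructed <authorizationPolicy> resources hosted by the PRP (CSE2 in FIG. 3).
# Input attributes: to, from. Output attributes: policies, combiningAlgorithm.
# The per-policy shape (originators / operations / effect) is an assumption.
PRP_RESOURCES = [
    {
        "to": "/cse1/temperature",
        "policies": [
            {"originators": {"C-dashboard", "C-sensor-01"}, "operations": {"RETRIEVE"}, "effect": "PERMIT"},
            {"originators": {"C-sensor-01"}, "operations": {"CREATE", "UPDATE", "DELETE"}, "effect": "PERMIT"},
            {"originators": {"*"}, "operations": {"DELETE"}, "effect": "DENY"},
        ],
        "combiningAlgorithm": "deny-overrides",
    },
    {
        "to": "/cse1/firmware",
        "policies": [
            {"originators": {"*"}, "operations": {"RETRIEVE"}, "effect": "DENY"},
            {"originators": {"C-maint"}, "operations": {"RETRIEVE", "UPDATE"}, "effect": "PERMIT"},
        ],
        "combiningAlgorithm": "permit-overrides",
    },
]


def prp_handle_policy_request(content: list, filter_criteria: dict) -> dict:
    """PRP step: select the <authorizationPolicy> resource whose to attribute matches
    the filter, keep only the policies applicable to the from attribute, and
    return the attributes named in Content."""
    originator, target = filter_criteria["from"], filter_criteria["to"]
    for res in PRP_RESOURCES:
        if res["to"] == target:
            view = dict(res)
            view["policies"] = [p for p in res["policies"] if p["originators"] & {originator, "*"}]
            return {name: view[name] for name in content if name in view}
    # No <authorizationPolicy> resource for this target: empty policy set, no algorithm.
    return {name: ([] if name == "policies" else None) for name in content}


def combine(effects: list, algorithm: str) -> str:
    """Merge the effects of the applicable policies with the identified algorithm.
    The algorithm identifiers are assumed (XACML-style); the page names none."""
    if algorithm == "deny-overrides":
        return "DENY" if "DENY" in effects else ("PERMIT" if "PERMIT" in effects else "NOT_APPLICABLE")
    if algorithm == "permit-overrides":
        return "PERMIT" if "PERMIT" in effects else ("DENY" if "DENY" in effects else "NOT_APPLICABLE")
    if algorithm == "first-applicable":
        return effects[0] if effects else "NOT_APPLICABLE"
    raise ValueError(f"unknown combining algorithm: {algorithm!r}")


def pdp_decide_via_prp(originator: str, target: str, operation: str) -> str:
    """PDP step: build the access control policy request from the decision request's
    from/to, evaluate the returned policies for the operation, and merge them."""
    policy_response = prp_handle_policy_request(
        content=["policies", "combiningAlgorithm"],
        filter_criteria={"from": originator, "to": target})
    effects = [p["effect"] for p in policy_response["policies"] if operation in p["operations"]]
    if not effects or policy_response["combiningAlgorithm"] is None:
        return "DENY"  # nothing applicable, or no resource at all: closed by default
    result = combine(effects, policy_response["combiningAlgorithm"])
    # NOT_APPLICABLE must not leak through as a permit.
    return "PERMIT" if result == "PERMIT" else "DENY"
```

Note the two closed-by-default paths: a target with no <authorizationPolicy> resource, and a policy set in which nothing matches the operation, both end in DENY before any merging happens, so the merging algorithm only ever chooses among explicit effects.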
  • the structure of the <authorizationInformation> resource type is shown in FIG. 7.
  • in the figure, "1" indicates that the attribute occurs exactly once; "0..n" indicates that the attribute may occur 0 to n times, where n is an integer greater than or equal to 1; "L" indicates that the attribute value can be in the form of a list.
  • resource attributes and sub-resources are defined as follows:
  • Role resource the resource can be represented as <role>, and is used to carry a set of role resources issued to the resource access initiator; the sub-resource is an optional sub-resource; if the sub-resource is included in the <authorizationInformation> resource, its number can be one or more;
  • Token resource the resource can be represented as <token>, and is used to carry a set of token resources issued to the resource access initiator; the sub-resource is an optional sub-resource;
  • Initiator attribute used to carry the identifier of the resource access initiator; the attribute name of the attribute can be represented as from, and the attribute value is the identifier of the resource access initiator; the from attribute is an optional attribute;
  • Role ID attribute used to carry a set of identifiers of roles issued to the resource access initiator; the attribute name of the attribute can be represented as roleIDs, and the attribute value is a set of identifiers of roles issued to the resource access initiator; the roleIDs attribute is an optional attribute; further, the attribute value of the attribute may be in a list form;
  • Token identifier attribute used to carry a set of identifiers of tokens carrying authorization information issued to the resource access initiator; the attribute name of the attribute can be represented as tokenIDs, and the attribute value is a set of identifiers of tokens carrying authorization information issued to the resource access initiator; the tokenIDs attribute is an optional attribute; further, the attribute value of the attribute may be in a list form;
  • the <authorizationInformation> resource may also include other sub-resources, represented as <subscription>.
  • the number of <subscription> resources contained in the <authorizationInformation> resource can be one or more.
  • <subscription> can be a sub-resource defined by oneM2M.
  • <role> and <token> can be used to generate the "return result indication information" (such as the Content parameter mentioned above) in the access control information request, and the other attributes can be used to generate the "resource access filter condition" (such as the Filter Criteria parameter above) in the access control information request.
  • extending the <authorizationInformation> resource can add new input parameters (such as the Filter Criteria parameter described above) to the access control information request, and new output parameters (such as the Content parameter described above) to the access control information response.
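The PDP-to-PIP exchange over <authorizationInformation> differs from the two previous ones in that the Content parameter names sub-resources (<role>, <token>) rather than attributes, and the Filter Criteria carries the list-valued roleIDs and tokenIDs attributes. The following Python is an added illustration of that exchange, not code from the application: the PIP returns only the role and token resources actually issued to the from originator, narrowed further to the identifiers listed when a list is given, and the PDP discards any claimed identifier the PIP does not confirm. The sub-resource field names (roleID, tokenID, holder, permissions) and the sample data are assumptions.

```python
# Constructed <role> and <token> sub-resources hosted under the PIP's
# <authorizationInformation> resource (CSE3 in FIG. 3); field names are assumed.
ROLE_RESOURCES = [
    {"roleID": "r-operator", "holder": "C-sensor-01"},
    {"roleID": "r-viewer",   "holder": "C-sensor-01"},
    {"roleID": "r-viewer",   "holder": "C-dashboard"},
]
TOKEN_RESOURCES = [
    {"tokenID": "t-0001", "holder": "C-sensor-01", "permissions": {"/cse1/temperature": {"CREATE"}}},
    {"tokenID": "t-0002", "holder": "C-dashboard", "permissions": {"/cse1/temperature": {"RETRIEVE"}}},
]

# Definition of <authorizationInformation> from the page: sub-resources that
# feed Content, attributes that feed Filter Criteria.
INFO_SUBRESOURCES = {"role", "token"}
INFO_INPUT_ATTRS = {"from", "roleIDs", "tokenIDs"}


def pip_handle_information_request(content: list, filter_criteria: dict) -> dict:
    """PIP step: return the sub-resources named in Content, restricted to those
    issued to the from attribute and, when a roleIDs/tokenIDs list is given,
    to the identifiers in that list."""
    if set(content) - INFO_SUBRESOURCES or set(filter_criteria) - INFO_INPUT_ATTRS:
        raise ValueError("request names something outside the <authorizationInformation> definition")
    originator = filter_criteria["from"]
    wanted = {"role": set(filter_criteria.get("roleIDs", [])),
              "token": set(filter_criteria.get("tokenIDs", []))}
    stores = {"role": (ROLE_RESOURCES, "roleID"), "token": (TOKEN_RESOURCES, "tokenID")}
    response = {}
    for name in content:
        items, id_key = stores[name]
        response[name] = [r for r in items
                          if r["holder"] == originator
                          and (not wanted[name] or r[id_key] in wanted[name])]
    return response


def pdp_collect_attributes(originator: str, claimed_role_ids: list, claimed_token_ids: list) -> dict:
    """PDP step: send the access control information request and keep only what
    the PIP confirms was issued to the originator; unconfirmed claims are dropped."""
    resp = pip_handle_information_request(
        ["role", "token"],
        {"from": originator, "roleIDs": claimed_role_ids, "tokenIDs": claimed_token_ids})
    confirmed_roles = sorted(r["roleID"] for r in resp["role"])
    confirmed_tokens = sorted(t["tokenID"] for t in resp["token"])
    dropped = sorted((set(claimed_role_ids) - set(confirmed_roles))
                     | (set(claimed_token_ids) - set(confirmed_tokens)))
    return {"roles": confirmed_roles, "tokens": confirmed_tokens, "dropped": dropped}
```

The holder check is the point of routing the claim through the PIP: the roleIDs and tokenIDs in the access request are treated as a hint of what to look up, while the resources the PIP actually hosts for that originator are what the PDP goes on to evaluate.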
  • the following embodiments provide a resource access control process (that is, a resource authorization process).
  • FIG. 8 is a schematic flowchart of a general process of resource access control according to an embodiment of the present application.
  • the process can include:
  • Step 801 The PEP sends an access control decision request to the PDP according to the resource access request of the resource access initiator.
  • the access control decision request sent by the PEP is generated according to the <authorizationDecision> resource.
  • the access control decision request may include return result indication information (such as the foregoing Content parameter), where the return result indication information is used to indicate the parameter that the access control decision request requests to be returned, and may be generated according to the attributes and/or sub-resources of the <authorizationDecision> resource.
  • the Content parameter may include an attribute name of the <authorizationDecision> resource and/or a sub-resource identifier of the resource.
  • the access control decision request may further include a resource access filter condition (such as the foregoing Filter Criteria parameter), where the resource access filter condition is used to indicate a filter condition of the resource operation and may be generated according to the attributes and/or sub-resources of the <authorizationDecision> resource.
  • the Filter Criteria parameter may include the attribute name and attribute value of the <authorizationDecision> resource, and/or the identifier of a sub-resource and its specific content (such as the attribute value of an attribute of the sub-resource).
  • Step 802 The PDP performs an access control decision according to the access control decision request.
  • the PDP can obtain an access control policy locally, or obtain an access control policy from the PRP.
  • the process for the PDP to obtain the access control policy from the PRP may include: the PDP sends an access control policy request to the PRP according to the access control decision request, and receives an access control policy response that the PRP returns according to the access control policy request, where the access control policy response contains the access control policy that the PRP obtains according to the access control policy request.
  • the access control policy request is generated by the PDP according to the <authorizationPolicy> resource.
  • the access control policy request may include return result indication information (such as the foregoing Content parameter), where the return result indication information is used to indicate the parameters that the access control policy request asks to be returned, and is generated according to the attributes and/or child resources of the <authorizationPolicy> resource; for example, the Content parameter may include the attribute names of the <authorizationPolicy> resource and/or the child resource identifiers of that resource.
  • the access control policy request further includes a resource access filter condition (such as the foregoing FilterCriteria parameter), and the resource access filter condition is used to indicate a filter condition of the resource operation, and may be constructed according to the attributes and/or the child resources of the <authorizationPolicy> resource.
  • the FilterCriteria parameter can include the sub-resource identifiers of the <authorizationPolicy> resource and their specific content (such as the attribute value of a sub-resource attribute).
  • the access control policy response returned by the PRP to the PDP may include the attribute values of the <authorizationPolicy> resource and/or the content of its sub-resources, obtained according to the return result indication information and the resource access filter condition.
  • the PDP may also obtain access control information locally, or obtain access control information from the PIP.
  • the process for the PDP to obtain the access control information from the PIP may include: the PDP sends an access control information request to the PIP according to the access control decision request, and receives an access control information response that the PIP returns according to the access control information request.
  • the access control information response includes the access control information that the PIP obtains according to the access control information request.
  • the access control information request is generated by the PDP according to the <authorizationInformation> resource.
  • the access control information request may include return result indication information (such as the foregoing Content parameter), and the return result indication information is used to indicate the parameters requested by the access control information request, which may be generated according to the attributes of the <authorizationInformation> resource.
  • the Content parameter may include the attribute names of the <authorizationInformation> resource and/or the child resource identifiers of that resource.
  • the access control information request further includes a resource access filtering condition (such as the foregoing FilterCriteria parameter), and the resource access filtering condition is used to indicate a filtering condition of the resource operation, and may be constructed according to the attributes and/or sub-resources of the <authorizationInformation> resource.
  • the FilterCriteria parameter may include the attribute names and attribute values of the <authorizationInformation> resource, and/or the identifiers of its sub-resources and their specific content (such as the attribute value of a sub-resource attribute).
  • the access control information response returned by the PIP to the PDP may include the attribute values of the <authorizationInformation> resource and/or the content of its sub-resources, obtained according to the return result indication information and the resource access filter condition.
  • the PDP performs the access control decision according to the obtained access control policy, further combined with the obtained access control information, and obtains access control decision information.
  • Step 803 The PDP returns an access control decision response to the PEP, where the access control decision response includes access control decision information.
  • the access control decision response returned by the PDP to the PEP in step 803 may include the attribute values of the <authorizationDecision> resource and/or the content of its sub-resources, obtained according to the return result indication information and the resource access filter condition in the access control decision request.
  • FIG. 9 exemplarily shows an interaction flow between a PEP and a PDP.
  • the process may include the following steps:
  • Step 901 The PEP in the Hosting CSE generates an Access Control Decision Request according to the resource access request of the resource access initiator (originator), and sends the request to the CSE with the PDP function.
  • the access control decision request can be implemented by using the read operation of oneM2M, that is, using the Retrieve operation of oneM2M to read the <authorizationDecision> resource in the resource tree of the CSE with the PDP function, and constructing the Content parameter in the request by using the attributes in that resource.
  • the decision attribute of the <authorizationDecision> resource is a mandatory attribute, indicating that the PDP needs to return access control decision information; the others are optional attributes.
  • the Content parameter can also be constructed using the permittedAttributes attribute of the <authorizationDecision> resource; in that case the Content parameter indicates that the PDP also needs to return a list of suggested accessible resource attribute names.
  • the Content parameter can also be constructed using the permittedResourceTypes attribute of the <authorizationDecision> resource; in that case the Content parameter indicates that the PDP also needs to return a list of suggested accessible sub-resource type identifiers.
  • the Content parameter can also be constructed using the status attribute of the <authorizationDecision> resource; in that case the Content parameter indicates that the PDP also needs to return any error message arising during the decision process.
  • the Filter Criteria parameter in the access control decision request can also be constructed by using the attributes in the <authorizationDecision> resource.
  • the to attribute, from attribute, and operation attribute of the <authorizationDecision> resource are mandatory attributes, and the other attributes are optional attributes.
  • Step 902 After receiving the resource access request from the PEP carrying the Access Control Decision Request, the CSE having the PDP function performs the following operations:
  • the PDP obtains an access control policy based on the data provided in the Filter Criteria parameter. If the access control policy cannot be obtained locally, refer to the interaction process between the PDP and the PRP.
  • the PDP obtains access control information based on the data provided in the Filter Criteria parameter. If the access control information cannot be obtained locally, refer to the interaction process between the PDP and the PIP.
  • the PDP obtains the various attributes required for the access control decision evaluation process from the Filter Criteria parameter, for example, the resource access initiator identifier, the target resource address, the operation on the target resource, and context information such as the time, place, and IP address of the request. Then, the resource access request is evaluated according to the obtained access control policy and access control information, and the corresponding evaluation result is generated.
  • for the specific evaluation process, refer to the related description in the oneM2M protocol.
  • if the request includes the resource attributes permittedAttributes and/or permittedResourceTypes, the PDP generates the corresponding values according to the description in the access control policy, that is, the list of resource attribute names or the list of sub-resource type identifiers that the resource access initiator is allowed to access; if the request includes the resource attribute status, the corresponding value is generated to indicate whether an error occurred in the evaluation process and which error, such as attributes required for the access control decision process being missing, or syntax errors.
  • Step 903 The PDP-CSE generates an access control decision response (Access Control Decision Response) according to the evaluation result of step 902, that is, a resource access response which contains the values of attributes such as the decision attribute, the permittedAttributes attribute, the permittedResourceTypes attribute, or the status attribute. These resource attribute names and their attribute values are placed in the Content parameter of the response.
  • the PDP-CSE then sends the generated response to the PEP.
  • FIG. 10 exemplarily shows an interaction flow between a PDP and a PRP.
  • the process may include the following steps:
  • Step 1001 The PDP located in the CSE generates an Access Control Policy Request according to the access control decision request sent by the PEP, and sends the request to the CSE with the PRP function.
  • the access control policy request can be implemented by using the read operation of oneM2M, that is, using the Retrieve operation of oneM2M to read the <authorizationPolicy> resource in the resource tree of the CSE with the PRP function, and constructing the Content parameter in the request by using the attributes in that resource.
  • the policy attribute of the <authorizationPolicy> resource is a mandatory attribute, indicating that the PRP needs to return the access control policy; the others are optional attributes.
  • the Filter Criteria parameter in the request can also be constructed using the attributes in the <authorizationPolicy> resource.
  • when the Filter Criteria parameter is constructed, the to attribute of the <authorizationPolicy> resource is mandatory, and the other attributes are optional.
  • Step 1002 After receiving the resource access request from the PDP carrying the Access Control Policy Request, the CSE having the PRP function performs the following operations:
  • the PRP-CSE obtains an access control policy based on the data provided in the Filter Criteria parameter.
  • the PRP puts the obtained access control policy into the resource attribute policy; if the request contains the resource attribute combiningAlgorithm, the PRP also needs to provide the corresponding value.
  • Step 1003 The PRP-CSE generates, according to the query result of step 1002, a resource access response carrying an Access Control Policy Response, which includes the values of attributes such as the policy attribute and the combiningAlgorithm attribute; these resource attribute names and attribute values are placed in the Content parameter of the response.
  • the PRP-CSE then sends the generated response to the PDP.
  • FIG. 11 exemplarily shows an interaction flow between a PDP and a PIP.
  • the process may include the following steps:
  • Step 1101 The PDP located in the CSE generates an Access Control Information Request according to the access control decision request sent by the PEP, and sends the request to the CSE with the PIP function.
  • the access control information request can be implemented by using the read operation of oneM2M, that is, using the Retrieve operation of oneM2M to read the <authorizationInformation> resource in the resource tree of the CSE with the PIP function, and using the attributes in that resource to construct the Content parameter in the request, or asking the PIP to return the queried sub-resources.
  • the value of the Result Content parameter in the access control information request is set to "child-resources". This setting requires the PIP to return the role resources and/or token resources belonging to the resource access initiator according to the roleIDs and/or tokenIDs provided in the Filter Criteria parameter.
  • the Filter Criteria parameter in the request can be constructed using the attributes in the <authorizationInformation> resource.
  • the from attribute of the <authorizationInformation> resource is mandatory and the others are optional.
  • the Filter Criteria parameter can be constructed using the roleIDs attribute of the <authorizationInformation> resource.
  • when the access control decision request received by the PDP includes tokenIDs (that is, the Filter Criteria parameter of that request includes the tokenIDs attribute name and attribute value), the Filter Criteria parameter of the access control information request that the PDP generates and sends to the PIP can be constructed using the tokenIDs attribute of the <authorizationInformation> resource.
  • Step 1102 After receiving the resource access request from the PDP and carrying the access control information request (Access Control Information Request), the CSE having the PIP function performs the following operations:
  • the PIP obtains access control information based on the data provided in the Filter Criteria parameter.
  • the PIP puts the obtained access control information into the corresponding resource attributes or the corresponding target sub-resources, such as <role> resources and <token> resources.
  • Step 1103 The PIP-CSE generates, according to the query result of step 1102, a resource access response carrying an Access Control Information Response, which includes the queried <role> resources and/or <token> resources and the like.
  • the PIP-CSE then sends the generated response to the PDP.
  • the above-mentioned interaction functions between the authorization entities may also be implemented by using the resource creation operation (Create) of oneM2M.
  • the initiator of the request carries the information that needs to be input through the Content parameter of the Create operation; after receiving the request, the receiver triggers the corresponding authorization process, which performs the corresponding authorization using the input information provided in the Content parameter.
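As an added example, not part of the patent and not code from any oneM2M implementation, the following Python simulation walks through the three interaction flows above (PEP to PDP, PDP to PRP, PDP to PIP) as plain function calls, and also exercises the roleIDs/tokenIDs attributes of the <authorizationInformation> resource described earlier. The resource contents, identifiers, the rule format inside the policy attribute and the permit-overrides evaluation are all constructed for the example; the request and response shapes follow the description: Content names the attributes to return, Filter Criteria carries attribute name/value pairs, the information request sets Result Content to "child-resources", and the PDP reports a missing mandatory attribute through the status attribute.

```python
"""Constructed simulation of the PEP -> PDP -> PRP/PIP exchange (example code, not the patent's)."""

# --- Constructed contents of the PRP and PIP resource trees (assumed data, not oneM2M data) ---
PRP_POLICIES = {            # <authorizationPolicy> entries, keyed by the mandatory "to" attribute
    "/cse/sensor1": {
        "policy": [         # constructed rule format: who may do what, holding which role
            {"originators": ["ae1"], "operations": ["Retrieve"], "roles": ["reader"]},
            {"originators": ["*"], "operations": ["Retrieve", "Update"], "roles": ["admin"]},
        ],
        "combiningAlgorithm": "permit-overrides",
        "permittedAttributes": ["temperature", "timestamp"],
        "permittedResourceTypes": ["contentInstance"],
    }
}
PIP_ROLES = {"role1": {"holder": "ae1", "name": "reader"}}     # <role> child resources
PIP_TOKENS = {"tok1": {"holder": "ae2", "roles": ["admin"]}}   # <token> child resources


def pep_build_decision_request(originator, target, operation, content, role_ids=(), token_ids=()):
    """PEP side (steps 801/901): Content lists the <authorizationDecision> attribute names to be
    returned; Filter Criteria carries attribute name/value pairs, with to/from/operation mandatory."""
    fc = {"to": target, "from": originator, "operation": operation}
    if role_ids:
        fc["roleIDs"] = list(role_ids)
    if token_ids:
        fc["tokenIDs"] = list(token_ids)
    return {"op": "Retrieve", "resource": "<authorizationDecision>",
            "Content": list(content), "FilterCriteria": fc}


def prp_handle_policy_request(req):
    """PRP side (steps 1002/1003): look up the policy for the 'to' address and return only the
    attributes named in Content (policy is mandatory, combiningAlgorithm and the rest optional)."""
    entry = PRP_POLICIES.get(req["FilterCriteria"]["to"], {})
    return {"Content": {name: entry[name] for name in req["Content"] if name in entry}}


def pip_handle_info_request(req):
    """PIP side (steps 1102/1103): with Result Content = child-resources, return the <role> and
    <token> resources among the requested roleIDs/tokenIDs that belong to the 'from' originator."""
    fc = req["FilterCriteria"]
    roles = [PIP_ROLES[r] for r in fc.get("roleIDs", ())
             if r in PIP_ROLES and PIP_ROLES[r]["holder"] == fc["from"]]
    tokens = [PIP_TOKENS[t] for t in fc.get("tokenIDs", ())
              if t in PIP_TOKENS and PIP_TOKENS[t]["holder"] == fc["from"]]
    return {"child-resources": {"role": roles, "token": tokens}}


def pdp_decide(req):
    """PDP side (steps 802/902/903): validate the request, fetch policy and information, evaluate,
    and return the attributes the PEP asked for in Content; 'decision' is always returned."""
    content, fc = req["Content"], req["FilterCriteria"]
    missing = [a for a in ("to", "from", "operation") if a not in fc]
    if missing:                     # error case: a required attribute is absent, report via status
        resp = {"decision": "DENY"}
        if "status" in content:
            resp["status"] = "missing mandatory attribute(s): " + ", ".join(missing)
        return resp
    # Access control policy request to the PRP, built from <authorizationPolicy> attributes.
    policy = prp_handle_policy_request({
        "op": "Retrieve", "resource": "<authorizationPolicy>",
        "Content": ["policy", "combiningAlgorithm", "permittedAttributes", "permittedResourceTypes"],
        "FilterCriteria": {"to": fc["to"]}})["Content"]
    # Access control information request to the PIP, built from <authorizationInformation>.
    info = pip_handle_info_request({
        "op": "Retrieve", "resource": "<authorizationInformation>", "ResultContent": "child-resources",
        "FilterCriteria": {"from": fc["from"], "roleIDs": fc.get("roleIDs", []),
                           "tokenIDs": fc.get("tokenIDs", [])}})["child-resources"]
    held = {r["name"] for r in info["role"]} | {n for t in info["token"] for n in t["roles"]}
    # Evaluation under permit-overrides (constructed semantics): one matching rule is enough.
    permit = any((fc["from"] in rule["originators"] or "*" in rule["originators"])
                 and fc["operation"] in rule["operations"]
                 and held & set(rule["roles"])
                 for rule in policy.get("policy", []))
    resp = {"decision": "PERMIT" if permit else "DENY"}
    for name in ("permittedAttributes", "permittedResourceTypes"):
        if name in content:         # only returned when requested, and only filled on PERMIT
            resp[name] = policy.get(name, []) if permit else []
    if "status" in content:
        resp["status"] = "ok" if policy else "no policy found for " + fc["to"]
    return resp


if __name__ == "__main__":
    request = pep_build_decision_request("ae1", "/cse/sensor1", "Retrieve",
                                         ["decision", "permittedAttributes", "status"],
                                         role_ids=["role1"])
    print(pdp_decide(request))
```

Two points the simulation makes visible for a deployment: the PIP only returns <role> and <token> resources whose holder matches the mandatory from attribute, so listing someone else's identifiers in roleIDs or tokenIDs yields nothing; and the PDP answers DENY, with the reason in status when it was requested, whenever to, from or operation is absent, rather than evaluating a partial request.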
  • the existing oneM2M only defines the high-level architecture of the authorization system, and does not provide a specific solution.
  • the embodiment of the present application provides a method for implementing a distributed authorization system in a oneM2M system.
  • the new resources and resource operations defined in the embodiments of the present application conform to the common resource types specified by oneM2M and fit the RESTful operation mode well, so there is no need to make excessive changes to the existing oneM2M technology.
  • the embodiment of the present application further provides a PDP, and the provided PDP can practice the flow described in the foregoing embodiment.
  • FIG. 12 is a schematic structural diagram of a PDP according to an embodiment of the present disclosure.
  • the PDP may include: a receiving module 1201, a decision module 1202, and a sending module 1203. Further, the PDP may include a first obtaining module 1204, and may further include a second obtaining module 1205, wherein:
  • the receiving module 1201 is configured to receive an access control decision request sent by the PEP, where the access control decision request is generated by the PEP according to an authorization decision resource;
  • the decision module 1202 is configured to perform an access control decision according to the access control decision request, and obtain access control decision information;
  • the sending module 1203 is configured to carry the access control decision information in an access control decision response and send the response to the PEP.
  • the first obtaining module 1204 is configured to send, according to the access control decision request, an access control policy request to the PRP, where the access control policy request is generated by the PDP according to the authorization policy resource, and to receive an access control policy response returned by the PRP, where the access control policy response includes an access control policy obtained by the PRP according to the access control decision request.
  • the decision module 1202 can perform an access control decision according to the access control policy acquired by the first obtaining module 1204.
  • the second obtaining module 1205 is configured to send, according to the access control decision request, an access control information request to the PIP, where the access control information request is generated by the PDP according to the authorization information resource, and to receive an access control information response returned by the PIP, where the access control information response includes the access control information obtained by the PIP according to the access control information request.
  • the decision module 1202 can perform an access control decision according to the access control information acquired by the second obtaining module 1205.
  • FIG. 13 is a schematic structural diagram of a PDP according to another embodiment of the present application.
  • the PDP may include: a receiving module 1301, an obtaining module 1302, a decision module 1303, and a sending module 1304, where:
  • the receiving module 1301 is configured to receive an access control decision request sent by the PEP.
  • the obtaining module 1302 is configured to send, according to the access control decision request, an access control policy request to the PRP, where the access control policy request is generated by the PDP according to the authorization policy resource, and receive an access control policy response returned by the PRP.
  • the access control policy response includes an access control policy obtained by the PRP according to the access control decision request;
  • the decision module 1303 is configured to perform an access control decision according to the obtained access control policy, and obtain access control decision information.
  • the sending module 1304 is configured to carry the access control decision information in an access control decision response and send the response to the PEP.
  • FIG. 14 is a schematic structural diagram of a PDP according to another embodiment of the present application.
  • the PDP may include: a receiving module 1401, an obtaining module 1402, a decision module 1403, and a sending module 1404, where:
  • the receiving module 1401 is configured to receive an access control decision request sent by the PEP.
  • the obtaining module 1402 is configured to send, according to the access control decision request, an access control information request to the PIP, where the access control information request is generated by the PDP according to the authorization information resource, and to receive the access control information response returned by the PIP.
  • the access control information response includes the access control information that the PIP obtains according to the access control information request;
  • the decision module 1403 is configured to perform an access control decision according to the obtained access control information, and obtain access control decision information.
  • the sending module 1404 is configured to carry the access control decision information in an access control decision response and send the response to the PEP.
  • FIG. 15 is a schematic structural diagram of a PDP according to an embodiment of the present disclosure, where the PDP may include:
  • the processor 1501 is configured to send and receive data through the transceiver 1502, and read the program in the memory 1504, and perform the following process:
  • the transceiver 1502 is configured to receive and transmit data under the control of the processor 1501.
  • the processor 1501 is configured to send, according to the access control decision request, an access control policy request to the PRP, where the access control policy request is generated by the PDP according to the authorization policy resource, and to receive the access control policy response returned by the PRP, where the access control policy response includes an access control policy obtained by the PRP according to the access control decision request.
  • the processor 1501 can make an access control decision according to the obtained access control policy.
  • the processor 1501 is configured to send, according to the access control decision request, an access control information request to the PIP, where the access control information request is generated by the PDP according to the authorization information resource, and to receive the access control information response returned by the PIP, where the access control information response includes access control information acquired by the PIP according to the access control information request.
  • the processor 1501 can perform an access control decision according to the acquired access control information.
  • bus 1500 can include any number of interconnected buses and bridges, and links together various circuits including one or more processors represented by processor 1501 and memory represented by memory 1504.
  • the bus 1500 can also link various other circuits, such as peripherals, voltage regulators, and power management circuits, as is known in the art and, therefore, will not be further described herein.
  • Bus interface 1503 provides an interface between bus 1500 and transceiver 1502.
  • Transceiver 1502 can be an element or a plurality of elements, such as multiple receivers and transmitters, providing means for communicating with various other devices on a transmission medium. Data processed by processor 1501 is transmitted by transceiver 1502. Further, transceiver 1502 also receives data and transmits the data to processor 1501.
  • the processor 1501 is responsible for managing the bus 1500 and the usual processing, and can also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions.
  • the memory 1504 can be used to store data used by the processor 1501 when performing operations.
  • the processor 1501 may be a CPU (Central Processing Unit), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array), or a CPLD (Complex Programmable Logic Device).
  • FIG. 16 is a schematic structural diagram of a PDP according to another embodiment of the present application.
  • the PDP can include:
  • the processor 1601 is configured to send and receive data through the transceiver 1602, and read the program in the memory 1604, and perform the following process:
  • receiving an access control decision request sent by the PEP; sending, according to the access control decision request, an access control policy request to the PRP, where the access control policy request is generated by the PDP according to an authorization policy resource; receiving an access control policy response returned by the PRP, where the access control policy response includes an access control policy obtained by the PRP according to the access control decision request; performing an access control decision according to the obtained access control policy to obtain access control decision information; and carrying the access control decision information in an access control decision response sent to the PEP.
  • the transceiver 1602 is configured to receive and transmit data under the control of the processor 1601.
  • bus 1600 can include any number of interconnected buses and bridges, and links together various circuits including one or more processors represented by processor 1601 and memory represented by memory 1604. Bus 1600 can also link various other circuits, such as peripherals, voltage regulators, and power management circuits, as is known in the art, and therefore will not be further described herein.
  • Bus interface 1603 provides an interface between bus 1600 and transceiver 1602. Transceiver 1602 can be one element or a plurality of elements, such as multiple receivers and transmitters, providing means for communicating with various other devices on a transmission medium. Data processed by processor 1601 is transmitted by transceiver 1602. Further, transceiver 1602 also receives data and transmits it to processor 1601.
  • the processor 1601 is responsible for managing the bus 1600 and the usual processing, and can also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions.
  • the memory 1604 can be used to store data used by the processor 1601 in performing operations.
  • the processor 1601 may be a CPU, an ASIC, an FPGA, or a CPLD.
  • FIG. 17 is a schematic structural diagram of a PDP according to another embodiment of the present application.
  • the PDP can include:
  • the processor 1701 is configured to send and receive data through the transceiver 1702, and read the program in the memory 1704, and perform the following process:
  • receiving an access control decision request sent by the PEP; sending, according to the access control decision request, an access control information request to the PIP, where the access control information request is generated by the PDP according to the authorization information resource; receiving the access control information response returned by the PIP, where the access control information response includes access control information acquired by the PIP according to the access control information request; performing an access control decision according to the obtained access control information to obtain access control decision information; and carrying the access control decision information in an access control decision response sent to the PEP.
  • the transceiver 1702 is configured to receive and transmit data under the control of the processor 1701.
  • bus 1700, which may include any number of interconnected buses and bridges, links together various circuits including one or more processors represented by processor 1701 and memory represented by memory 1704.
  • the bus 1700 can also link various other circuits, such as peripherals, voltage regulators, and power management circuits, as is well known in the art, and therefore, will not be further described herein.
  • Bus interface 1703 provides an interface between bus 1700 and transceiver 1702.
  • the transceiver 1702 can be an element or a plurality of elements, such as a plurality of receivers and transmitters, providing means for communicating with various other devices on a transmission medium. Data processed by processor 1701 is transmitted by transceiver 1702. Further, transceiver 1702 also receives data and transmits the data to processor 1701.
  • the processor 1701 is responsible for managing the bus 1700 and the usual processing, and can also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions.
  • the memory 1704 can be used to store data used by the processor 1701 in performing operations.
  • the processor 1701 may be a CPU, an ASIC, an FPGA, or a CPLD.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising an instruction apparatus, which implements the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.

Abstract

Disclosed in the present application are a resource access control method and apparatus. In the present application, an authorization entity generates a request message in a resource access control process according to a newly-defined resource such as an authorization decision resource, an authorization policy resource or an authorization information resource, so as to obtain needed information from another authorization entity and provide a resource access control solution on a resource structure layer.

Description

Resource access control method and apparatus
The present application claims priority to Chinese Patent Application No. 201610243763.8, filed with the Chinese Patent Office on April 18, 2016 and entitled "Resource access control method and apparatus", the entire contents of which are incorporated herein by reference.
Technical Field
The present application relates to the field of communications technologies, and in particular to a resource access control method and apparatus.
Background
oneM2M, the Internet of Things standardization organization, is devoted to developing a series of technical specifications for constructing a common M2M (Machine-To-Machine) service layer. The core of oneM2M is data sharing, which is realized concretely through the sharing of data items on the resource tree defined within the oneM2M CSE (Common Services Entity).
oneM2M realizes the sharing of, and interaction with, service-layer resources by operating on a standardized resource tree, which resides in the CSE defined by the oneM2M system. According to the definition in the oneM2M functional architecture specification (oneM2M TS-0001: "Functional Architecture"), the oneM2M resource tree takes the form shown in Figure 1. Operations such as Create, Retrieve, Update and Delete can be performed on oneM2M resources.
Among the resources defined by oneM2M, the one related to authorization is the access control policy resource <accessControlPolicy>, in which an ACP (Access Control Policy) is defined. An <accessControlPolicy> resource is uniquely identified by its resource ID; other resources designate the access control policies that apply to them through the accessControlPolicyIDs attribute.
At present, the security specification in the oneM2M series (oneM2M TS-0003: "Security Solutions") gives a high-level description of the oneM2M authorization architecture, namely its main components and basic flows, but it does not yet give a concrete implementation scheme at the resource structure level.
Summary of the Invention
Embodiments of the present application provide a resource access control method and apparatus, giving a resource access control scheme at the resource structure level.
The resource access control method provided by an embodiment of the present application includes:
a PDP receiving an access control decision request sent by a PEP, the access control decision request being generated by the PEP according to an authorization decision resource;
the PDP making an access control decision according to the access control decision request and obtaining access control decision information;
the PDP carrying the access control decision information in an access control decision response and sending it to the PEP.
Optionally, the access control decision request contains:
return result indication information, used to indicate the parameters that the access control decision request asks to be returned, the return result indication information being generated according to attributes and/or child resources of the authorization decision resource; and/or,
resource access filter criteria, used to indicate the filter conditions for the resource operation, the resource access filter criteria being generated according to attributes and/or child resources of the authorization decision resource.
The attributes of the authorization decision resource used to generate the return result indication information include one or any combination of the following:
a decision attribute, used to carry the access control decision information;
an allowed-attributes attribute, used to carry the names of the attributes of the target resource that are allowed to be accessed, the target resource being the resource that the resource access originator requests to access;
an allowed-resource-types attribute, used to carry the child resource type identifiers of the target resource that are allowed to be accessed, the target resource being the resource that the resource access originator requests to access;
a status attribute, used to carry a description of errors that occur during the access control decision process.
The attributes of the authorization decision resource used to generate the resource access filter criteria include one or any combination of the following:
a target attribute, used to carry the resource address of the target resource that the resource access originator requests to access;
an originator attribute, used to carry the identifier of the resource access originator;
an operation attribute, used to carry the identifier of the operation that the resource access originator requests on the target resource;
a content attribute, used to carry the specific content of the target resource that the resource access originator requests to access;
a filter-usage attribute, used to carry the parameter, within the resource access filter criteria supplied by the resource access originator, that indicates the purpose of the filter criteria;
a role-identifiers attribute, used to carry the identifiers of a set of roles issued to the resource access originator;
a token-identifiers attribute, used to carry the identifiers of a set of tokens carrying authorization information issued to the resource access originator;
a tokens attribute, used to carry a set of tokens carrying authorization information issued to the resource access originator;
a request-time attribute, used to carry the time at which the PEP received the resource access request sent by the resource access originator;
a location attribute, used to carry the location of the resource access originator;
a requester-IP-address attribute, used to carry the IP address carried in the resource access request sent by the resource access originator.
Optionally, before the PDP makes the access control decision according to the access control decision request, the method further includes:
the PDP sending, according to the access control decision request, an access control policy request to a policy retrieval point PRP, the access control policy request being generated by the PDP according to an authorization policy resource;
the PDP receiving an access control policy response returned by the PRP, the access control policy response containing the access control policies obtained by the PRP according to the access control decision request;
and the making of the access control decision includes:
making the access control decision according to the obtained access control policies.
The access control policy request contains:
return result indication information, used to indicate the parameters that the access control policy request asks to be returned, the return result indication information being generated according to attributes and/or child resources of the authorization policy resource; and/or,
resource access filter criteria, used to indicate the filter conditions for the resource operation, the resource access filter criteria being generated according to attributes and/or child resources of the authorization policy resource.
The attributes of the authorization policy resource used to generate the return result indication information include one or any combination of the following:
a policies attribute, used to carry the access control policies applicable to the target resource that the resource access originator requests to access;
a combining-algorithm attribute, used to carry the identifier of the policy combining algorithm used to combine the multiple access control policies in the policies attribute.
The attributes of the authorization policy resource used to generate the resource access filter criteria include one or any combination of the following:
a target attribute, used to carry the resource address of the target resource that the resource access originator requests to access;
an originator attribute, used to carry the identifier of the resource access originator.
Optionally, before the PDP makes the access control decision according to the access control decision request, the method further includes:
the PDP sending, according to the access control decision request, an access control information request to a policy information point PIP, the access control information request being generated by the PDP according to an authorization information resource;
the PDP receiving an access control information response returned by the PIP, the access control information response containing the access control information obtained by the PIP according to the access control information request;
and the making of the access control decision includes:
making the access control decision according to the obtained access control information.
The access control information request contains:
return result indication information, used to indicate the parameters that the access control information request asks to be returned, the return result indication information being generated according to attributes and/or child resources of the authorization information resource; and/or,
resource access filter criteria, used to indicate the filter conditions for the resource operation, the resource access filter criteria being generated according to attributes and/or child resources of the authorization information resource.
The attributes of the authorization information resource used to generate the resource access filter criteria include one or any combination of the following:
an originator attribute, used to carry the identifier of the resource access originator;
a role-identifiers attribute, used to carry the identifiers of a set of roles issued to the resource access originator;
a token-identifiers attribute, used to carry the identifiers of a set of tokens carrying authorization information issued to the resource access originator.
The child resources of the authorization information resource used to generate the return result indication information include one or any combination of the following:
a roles resource, used to carry a set of role resources issued to the resource access originator;
a tokens resource, used to carry a set of token resources issued to the resource access originator.
The resource access control method provided by another embodiment of the present application includes:
a PDP receiving an access control decision request sent by a PEP;
the PDP sending, according to the access control decision request, an access control policy request to a PRP, the access control policy request being generated by the PDP according to an authorization policy resource;
the PDP receiving an access control policy response returned by the PRP, the access control policy response containing the access control policies obtained by the PRP according to the access control decision request;
the PDP making an access control decision according to the obtained access control policies and obtaining access control decision information;
the PDP carrying the access control decision information in an access control decision response and sending it to the PEP.
Optionally, the access control policy request contains:
return result indication information, used to indicate the parameters that the access control policy request asks to be returned, the return result indication information being generated according to attributes and/or child resources of the authorization policy resource; and/or,
resource access filter criteria, used to indicate the filter conditions for the resource operation, the resource access filter criteria being generated according to attributes and/or child resources of the authorization policy resource.
The attributes of the authorization policy resource used to generate the return result indication information include one or any combination of the following:
a policies attribute, used to carry the access control policies applicable to the target resource that the resource access originator requests to access;
a combining-algorithm attribute, used to carry the identifier of the policy combining algorithm used to combine the multiple access control policies in the policies attribute.
The attributes of the authorization policy resource used to generate the resource access filter criteria include one or any combination of the following:
a target attribute, used to carry the resource address of the target resource that the resource access originator requests to access;
an originator attribute, used to carry the identifier of the resource access originator.
The resource access control method provided by another embodiment of the present application includes:
a PDP receiving an access control decision request sent by a PEP;
the PDP sending, according to the access control decision request, an access control information request to a policy information point PIP, the access control information request being generated by the PDP according to an authorization information resource;
the PDP receiving an access control information response returned by the PIP, the access control information response containing the access control information obtained by the PIP according to the access control information request;
the PDP making an access control decision according to the obtained access control information and obtaining access control decision information;
the PDP carrying the access control decision information in an access control decision response and sending it to the PEP.
Optionally, the access control information request contains:
return result indication information, used to indicate the parameters that the access control information request asks to be returned, the return result indication information being generated according to attributes and/or child resources of the authorization information resource; and/or,
resource access filter criteria, used to indicate the filter conditions for the resource operation, the resource access filter criteria being generated according to attributes and/or child resources of the authorization information resource.
The attributes of the authorization information resource used to generate the resource access filter criteria include one or any combination of the following:
an originator attribute, used to carry the identifier of the resource access originator;
a role-identifiers attribute, used to carry the identifiers of a set of roles issued to the resource access originator;
a token-identifiers attribute, used to carry the identifiers of a set of tokens carrying authorization information issued to the resource access originator.
The child resources of the authorization information resource used to generate the return result indication information include one or any combination of the following:
a roles resource, used to carry a set of role resources issued to the resource access originator;
a tokens resource, used to carry a set of token resources issued to the resource access originator.
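As an added illustration of the exchange summarized above (example code written for this page, not code from the patent or from any oneM2M implementation), the following Python simulation shows a PEP building an access control decision request from an authorization decision resource, a PDP deriving its PRP policy request and PIP information request from that request's filter criteria, and the decision being returned only in the attributes named by the return result indication. The attribute names, the deny-overrides combining algorithm, the role-based policy matching and the sample policy and role stores are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample PRP policy store (assumption): policies keyed by target
# resource address. Policies with "roles" match on roles obtained from the PIP.
PRP_POLICIES: Dict[str, List[dict]] = {
    "/cse/sensor1/data": [
        {"originators": ["ae1"], "operations": ["Retrieve"], "effect": "Permit",
         "allowedAttributes": ["content", "creationTime"],
         "allowedResourceTypes": ["contentInstance"]},
        {"roles": ["admin"], "operations": ["Retrieve", "Update", "Delete"],
         "effect": "Permit", "allowedAttributes": ["*"],
         "allowedResourceTypes": ["*"]},
        {"originators": ["ae1"], "operations": ["Delete"], "effect": "Deny"},
    ],
}

# Constructed sample PIP store (assumption): roles and token IDs issued to each
# originator, served back filtered by originator / roleIDs / tokenIDs.
PIP_STORE: Dict[str, dict] = {
    "ae1": {"roles": ["reader"], "tokens": ["tok-1"]},
    "ae2": {"roles": ["admin"], "tokens": []},
}


@dataclass
class AuthorizationDecisionResource:
    """Filter-criteria attributes the PEP fills in from the incoming request."""
    target: str
    originator: str
    operation: str
    request_time: str
    requester_ip: str
    role_ids: List[str] = field(default_factory=list)
    token_ids: List[str] = field(default_factory=list)
    location: str = ""


def pep_build_decision_request(adr: AuthorizationDecisionResource) -> dict:
    """PEP: the return result indication names the decision-resource attributes
    to fill; the filter criteria carry the request context."""
    return {
        "returnAttributes": ["decision", "allowedAttributes",
                             "allowedResourceTypes", "status"],
        "filterCriteria": {
            "target": adr.target, "originator": adr.originator,
            "operation": adr.operation, "roleIDs": adr.role_ids,
            "tokenIDs": adr.token_ids, "requestTime": adr.request_time,
            "location": adr.location, "requesterIP": adr.requester_ip,
        },
    }


def prp_handle_policy_request(policy_request: dict) -> dict:
    """PRP: policies whose target matches the filter criteria, plus the
    combining algorithm the PDP must apply to them."""
    fc = policy_request["filterCriteria"]
    return {"policies": PRP_POLICIES.get(fc["target"], []),
            "combiningAlgorithm": "deny-overrides"}


def pip_handle_info_request(info_request: dict) -> dict:
    """PIP: roles/tokens issued to the originator, restricted to the roleIDs /
    tokenIDs named in the filter criteria when those lists are non-empty."""
    fc = info_request["filterCriteria"]
    issued = PIP_STORE.get(fc["originator"], {"roles": [], "tokens": []})
    roles = [r for r in issued["roles"] if not fc["roleIDs"] or r in fc["roleIDs"]]
    tokens = [t for t in issued["tokens"] if not fc["tokenIDs"] or t in fc["tokenIDs"]]
    return {"roles": roles, "tokens": tokens}


def _policy_applies(policy: dict, fc: dict, roles: List[str]) -> bool:
    if fc["operation"] not in policy["operations"]:
        return False
    if fc["originator"] in policy.get("originators", []):
        return True
    return any(r in policy.get("roles", []) for r in roles)


def pdp_decide(decision_request: dict) -> dict:
    """PDP: derive the PRP and PIP requests from the decision request's filter
    criteria, combine applicable policies (deny-overrides) and return only the
    attributes listed in the PEP's return result indication."""
    fc = decision_request["filterCriteria"]
    policy_resp = prp_handle_policy_request({
        "returnAttributes": ["policies", "combiningAlgorithm"],
        "filterCriteria": {"target": fc["target"], "originator": fc["originator"]}})
    info_resp = pip_handle_info_request({
        "returnResources": ["roles", "tokens"],
        "filterCriteria": {"originator": fc["originator"],
                           "roleIDs": fc["roleIDs"], "tokenIDs": fc["tokenIDs"]}})
    applicable = [p for p in policy_resp["policies"]
                  if _policy_applies(p, fc, info_resp["roles"])]
    result = {"decision": "Deny", "allowedAttributes": [],
              "allowedResourceTypes": [], "status": "OK"}
    if not policy_resp["policies"]:
        result["status"] = "NoApplicablePolicy"      # error reported via status
    elif applicable and all(p["effect"] == "Permit" for p in applicable):
        result["decision"] = "Permit"                # any Deny would override
        attrs, types = set(), set()
        for p in applicable:
            attrs.update(p.get("allowedAttributes", []))
            types.update(p.get("allowedResourceTypes", []))
        result["allowedAttributes"] = sorted(attrs)
        result["allowedResourceTypes"] = sorted(types)
    return {k: result[k] for k in decision_request["returnAttributes"]}


if __name__ == "__main__":
    # Constructed request: ae1 retrieving sensor data from a documentation IP.
    adr = AuthorizationDecisionResource(
        target="/cse/sensor1/data", originator="ae1", operation="Retrieve",
        request_time="2016-04-18T10:00:00Z", requester_ip="192.0.2.10")
    print(pdp_decide(pep_build_decision_request(adr)))
```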
The PDP device provided by an embodiment of the present application includes:
a receiving module, configured to receive an access control decision request sent by a PEP, the access control decision request being generated by the PEP according to an authorization decision resource;
a decision module, configured to make an access control decision according to the access control decision request and obtain access control decision information;
a sending module, configured to carry the access control decision information in an access control decision response and send it to the PEP.
Optionally, the access control decision request contains:
return result indication information, used to indicate the parameters that the access control decision request asks to be returned, the return result indication information being generated according to attributes and/or child resources of the authorization decision resource; and/or,
resource access filter criteria, used to indicate the filter conditions for the resource operation, the resource access filter criteria being generated according to attributes and/or child resources of the authorization decision resource.
The attributes of the authorization decision resource used to generate the return result indication information include one or any combination of the following:
a decision attribute, used to carry the access control decision information;
an allowed-attributes attribute, used to carry the names of the attributes of the target resource that are allowed to be accessed, the target resource being the resource that the resource access originator requests to access;
an allowed-resource-types attribute, used to carry the child resource type identifiers of the target resource that are allowed to be accessed, the target resource being the resource that the resource access originator requests to access;
a status attribute, used to carry a description of errors that occur during the access control decision process;
and the attributes of the authorization decision resource used to generate the resource access filter criteria include one or any combination of the following:
a target attribute, used to carry the resource address of the target resource that the resource access originator requests to access;
an originator attribute, used to carry the identifier of the resource access originator;
an operation attribute, used to carry the identifier of the operation that the resource access originator requests on the target resource;
a content attribute, used to carry the specific content of the target resource that the resource access originator requests to access;
a filter-usage attribute, used to carry the parameter, within the resource access filter criteria supplied by the resource access originator, that indicates the purpose of the filter criteria;
a role-identifiers attribute, used to carry the identifiers of a set of roles issued to the resource access originator;
a token-identifiers attribute, used to carry the identifiers of a set of tokens carrying authorization information issued to the resource access originator;
a tokens attribute, used to carry a set of tokens carrying authorization information issued to the resource access originator;
a request-time attribute, used to carry the time at which the PEP received the resource access request sent by the resource access originator;
a location attribute, used to carry the location of the resource access originator;
a requester-IP-address attribute, used to carry the IP address carried in the resource access request sent by the resource access originator.
Further, the device includes a first obtaining module, configured to send, according to the access control decision request, an access control policy request to a policy retrieval point PRP, the access control policy request being generated by the PDP according to an authorization policy resource, and to receive an access control policy response returned by the PRP, the access control policy response containing the access control policies obtained by the PRP according to the access control decision request;
and the decision module is specifically configured to make the access control decision according to the access control policies obtained by the first obtaining module.
The access control policy request contains:
return result indication information, used to indicate the parameters that the access control policy request asks to be returned, the return result indication information being generated according to attributes and/or child resources of the authorization policy resource; and/or,
resource access filter criteria, used to indicate the filter conditions for the resource operation, the resource access filter criteria being generated according to attributes and/or child resources of the authorization policy resource.
The attributes of the authorization policy resource used to generate the return result indication information include one or any combination of the following:
a policies attribute, used to carry the access control policies applicable to the target resource that the resource access originator requests to access;
a combining-algorithm attribute, used to carry the identifier of the policy combining algorithm used to combine the multiple access control policies in the policies attribute;
and the attributes of the authorization policy resource used to generate the resource access filter criteria include one or any combination of the following:
a target attribute, used to carry the resource address of the target resource that the resource access originator requests to access;
an originator attribute, used to carry the identifier of the resource access originator.
Further, the device includes a second obtaining module, configured to send, according to the access control decision request, an access control information request to a policy information point PIP, the access control information request being generated by the PDP according to an authorization information resource, and to receive an access control information response returned by the PIP, the access control information response containing the access control information obtained by the PIP according to the access control information request;
and the decision module is specifically configured to make the access control decision according to the access control information obtained by the second obtaining module.
The access control information request contains:
return result indication information, used to indicate the parameters that the access control information request asks to be returned, the return result indication information being generated according to attributes and/or child resources of the authorization information resource; and/or,
resource access filter criteria, used to indicate the filter conditions for the resource operation, the resource access filter criteria being generated according to attributes and/or child resources of the authorization information resource.
The attributes of the authorization information resource used to generate the resource access filter criteria include one or any combination of the following:
an originator attribute, used to carry the identifier of the resource access originator;
a role-identifiers attribute, used to carry the identifiers of a set of roles issued to the resource access originator;
a token-identifiers attribute, used to carry the identifiers of a set of tokens carrying authorization information issued to the resource access originator;
and the child resources of the authorization information resource used to generate the return result indication information include one or any combination of the following:
a roles resource, used to carry a set of role resources issued to the resource access originator;
a tokens resource, used to carry a set of token resources issued to the resource access originator.
本申请另一实施例提供的PDP设备,包括:A PDP device provided by another embodiment of the present application includes:
接收模块,用于接收PEP发送的访问控制决策请求;a receiving module, configured to receive an access control decision request sent by the PEP;
获取模块,用于根据所述访问控制决策请求,向PRP发送访问控制策略请求,所述访问控制策略请求由所述PDP根据授权策略资源生成;接收所述PRP返回的访问控制策略响应,所述访问控制策略响应中包含所述PRP根据所述访问控制决策请求获取到的访问控制策略;An obtaining module, configured to send an access control policy request to the PRP according to the access control decision request, where the access control policy request is generated by the PDP according to an authorization policy resource; and the access control policy response returned by the PRP is received, The access control policy response includes an access control policy obtained by the PRP according to the access control decision request;
决策模块,用于根据获取到的访问控制策略进行访问控制决策,得到访问控制决策信息;a decision module, configured to perform an access control decision according to the obtained access control policy, and obtain access control decision information;
发送模块,用于将所述访问控制决策信息携带于访问控制决策响应发送给所述PEP。And a sending module, configured to send the access control decision information to the access control decision response and send the response to the PEP.
可选的,所述访问控制策略请求中包含:Optionally, the access control policy request includes:
返回结果指示信息,用于指示所述访问控制策略请求所请求返回的参数,所述返回结果指示信息根据所述授权策略资源的属性和/或子资源生成;和/或,Returning result indication information, configured to indicate a parameter that is requested to be returned by the access control policy request, where the returned result indication information is generated according to an attribute and/or a sub-resource of the authorization policy resource; and/or,
资源访问过滤条件,用于指示资源操作的过滤条件,所述资源访问过滤条件根据所述授权策略资源的属性和/或子资源生成。The resource access filter condition is used to indicate a filter condition of the resource operation, and the resource access filter condition is generated according to the attribute and/or the sub-resource of the authorization policy resource.
其中,所述授权策略资源中用于生成返回结果指示信息的属性包括以下之一或任意组合:The attribute for generating the return result indication information in the authorization policy resource includes one or any combination of the following:
策略属性,用于承载适用于资源访问发起方请求访问的目标资源的访问控制策略;a policy attribute, configured to carry an access control policy applicable to a target resource that the resource access initiator requests to access;
合并算法属性,用于承载合并策略属性中多个访问控制策略所使用的策略合并算法的标识;The merge algorithm attribute is used to carry the identifier of the policy merge algorithm used by the multiple access control policies in the merge policy attribute;
所述授权策略资源中用于生成资源访问过滤条件的属性包括以下之一或任意组合:The attributes used in the authorization policy resource to generate the resource access filter condition include one or any combination of the following:
目标属性,用于承载资源访问发起方请求访问的目标资源的资源地址;a target attribute, configured to carry a resource address of a target resource that the resource access initiator requests to access;
发起方属性,用于承载资源访问发起方的标识。Initiator attribute, used to carry the identifier of the resource access initiator.
A PDP device provided by another embodiment of the present application includes:
a receiving module, configured to receive an access control decision request sent by the PEP;
an obtaining module, configured to send an access control information request to the PIP according to the access control decision request, the access control information request being generated by the PDP according to the authorization information resource, and to receive the access control information response returned by the PIP, the access control information response containing the access control information obtained by the PIP according to the access control information request;
a decision module, configured to make an access control decision according to the obtained access control information and obtain access control decision information;
a sending module, configured to carry the access control decision information in an access control decision response and send it to the PEP.
Optionally, the access control information request includes:
return-result indication information, used to indicate the parameters that the access control information request asks to be returned, the return-result indication information being generated according to attributes and/or sub-resources of the authorization information resource; and/or
resource access filter criteria, used to indicate the filter conditions of the resource operation, the resource access filter criteria being generated according to attributes and/or sub-resources of the authorization information resource.
The attributes of the authorization information resource used to generate the resource access filter criteria include one or any combination of the following:
Initiator attribute: carries the identifier of the resource access initiator;
Role identifier attribute: carries a set of identifiers of the roles issued to the resource access initiator;
Token identifier attribute: carries a set of identifiers of the tokens carrying authorization information that were issued to the resource access initiator.
The sub-resources of the authorization information resource used to generate the return-result indication information include one or any combination of the following:
Role resource: carries a set of role resources issued to the resource access initiator;
Token resource: carries a set of token resources issued to the resource access initiator.
A PDP device provided by another embodiment of the present application includes:
a processor, configured to send and receive data through the transceiver and to read the program in the memory and perform the following process:
receiving an access control decision request sent by the policy enforcement point (PEP), the access control decision request being generated by the PEP according to the authorization decision resource; making an access control decision according to the access control decision request and obtaining access control decision information; carrying the access control decision information in an access control decision response and sending it to the PEP;
a transceiver, configured to receive and send data under the control of the processor.
Optionally, the access control decision request includes:
return-result indication information, used to indicate the parameters that the access control decision request asks to be returned, the return-result indication information being generated according to attributes and/or sub-resources of the authorization decision resource; and/or
resource access filter criteria, used to indicate the filter conditions of the resource operation, the resource access filter criteria being generated according to attributes and/or sub-resources of the authorization decision resource.
Optionally, the attributes of the authorization decision resource used to generate the return-result indication information include one or any combination of the following:
a decision attribute, which carries the access control decision information;
a permitted-attributes attribute, which carries the attribute names of the target resource that are permitted to be accessed, the target resource being the resource that the resource access initiator requests to access;
a permitted-resource-types attribute, which carries the sub-resource type identifiers of the target resource that are permitted to be accessed, the target resource being the resource that the resource access initiator requests to access;
a status attribute, which carries a description of errors that occurred in the access control decision process.
The attributes of the authorization decision resource used to generate the resource access filter criteria include one or any combination of the following:
a target attribute, which carries the resource address of the target resource that the resource access initiator requests to access;
an initiator attribute, which carries the identifier of the resource access initiator;
an operation attribute, which carries the identifier of the operation that the resource access initiator requests on the target resource;
a content attribute, which carries the specific content of the target resource that the resource access initiator requests to access;
a filter-criteria-usage attribute, which carries the parameter in the resource access filter criteria provided by the resource access initiator that indicates the purpose of the filter criteria;
a role identifier attribute, which carries a set of identifiers of the roles issued to the resource access initiator;
a token identifier attribute, which carries a set of identifiers of the tokens carrying authorization information that were issued to the resource access initiator;
a token attribute, which carries a set of tokens carrying authorization information that were issued to the resource access initiator;
a request time attribute, which carries the time at which the PEP received the resource access request sent by the resource access initiator;
a location attribute, which carries the location of the resource access initiator;
a requester IP address attribute, which carries the IP address carried in the resource access request sent by the resource access initiator.
Optionally, the processor is further configured to:
send an access control policy request to the policy retrieval point (PRP) according to the access control decision request, the access control policy request being generated by the PDP according to the authorization policy resource; receive the access control policy response returned by the PRP, the access control policy response containing the access control policy obtained by the PRP according to the access control decision request;
make the access control decision according to the access control policy obtained by the first obtaining module.
Optionally, the access control policy request includes:
return-result indication information, used to indicate the parameters that the access control policy request asks to be returned, the return-result indication information being generated according to attributes and/or sub-resources of the authorization policy resource; and/or
resource access filter criteria, used to indicate the filter conditions of the resource operation, the resource access filter criteria being generated according to attributes and/or sub-resources of the authorization policy resource.
Optionally, the attributes of the authorization policy resource used to generate the return-result indication information include one or any combination of the following:
a policy attribute, which carries the access control policies applicable to the target resource that the resource access initiator requests to access;
a combining algorithm attribute, which carries the identifier of the policy combining algorithm used to combine the multiple access control policies in the policy attribute.
The attributes of the authorization policy resource used to generate the resource access filter criteria include one or any combination of the following:
a target attribute, which carries the resource address of the target resource that the resource access initiator requests to access;
an initiator attribute, which carries the identifier of the resource access initiator.
Optionally, the processor is further configured to:
send an access control information request to the policy information point (PIP) according to the access control decision request, the access control information request being generated by the PDP according to the authorization information resource; receive the access control information response returned by the PIP, the access control information response containing the access control information obtained by the PIP according to the access control information request;
make the access control decision according to the access control information obtained by the second obtaining module.
Optionally, the access control information request includes:
return-result indication information, used to indicate the parameters that the access control information request asks to be returned, the return-result indication information being generated according to attributes and/or sub-resources of the authorization information resource; and/or
resource access filter criteria, used to indicate the filter conditions of the resource operation, the resource access filter criteria being generated according to attributes and/or sub-resources of the authorization information resource.
Optionally, the attributes of the authorization information resource used to generate the resource access filter criteria include one or any combination of the following:
Initiator attribute: carries the identifier of the resource access initiator;
Role identifier attribute: carries a set of identifiers of the roles issued to the resource access initiator;
Token identifier attribute: carries a set of identifiers of the tokens carrying authorization information that were issued to the resource access initiator.
The sub-resources of the authorization information resource used to generate the return-result indication information include one or any combination of the following:
Role resource: carries a set of role resources issued to the resource access initiator;
Token resource: carries a set of token resources issued to the resource access initiator.
A PDP device provided by another embodiment of the present application includes:
a processor, configured to send and receive data through the transceiver and to read the program in the memory and perform the following process:
receiving an access control decision request sent by the policy enforcement point (PEP); sending an access control policy request to the policy retrieval point (PRP) according to the access control decision request, the access control policy request being generated by the PDP according to the authorization policy resource; receiving the access control policy response returned by the PRP, the access control policy response containing the access control policy obtained by the PRP according to the access control decision request; making an access control decision according to the obtained access control policy and obtaining access control decision information; carrying the access control decision information in an access control decision response and sending it to the PEP;
a transceiver, configured to receive and send data under the control of the processor.
Optionally, the access control policy request includes:
return-result indication information, used to indicate the parameters that the access control policy request asks to be returned, the return-result indication information being generated according to attributes and/or sub-resources of the authorization policy resource; and/or
resource access filter criteria, used to indicate the filter conditions of the resource operation, the resource access filter criteria being generated according to attributes and/or sub-resources of the authorization policy resource.
Optionally, the attributes of the authorization policy resource used to generate the return-result indication information include one or any combination of the following:
a policy attribute, which carries the access control policies applicable to the target resource that the resource access initiator requests to access;
a combining algorithm attribute, which carries the identifier of the policy combining algorithm used to combine the multiple access control policies in the policy attribute.
The attributes of the authorization policy resource used to generate the resource access filter criteria include one or any combination of the following:
a target attribute, which carries the resource address of the target resource that the resource access initiator requests to access;
an initiator attribute, which carries the identifier of the resource access initiator.
A PDP device provided by another embodiment of the present application includes:
a processor, configured to send and receive data through the transceiver and to read the program in the memory and perform the following process:
receiving an access control decision request sent by the policy enforcement point (PEP); sending an access control information request to the policy information point (PIP) according to the access control decision request, the access control information request being generated by the PDP according to the authorization information resource; receiving the access control information response returned by the PIP, the access control information response containing the access control information obtained by the PIP according to the access control information request; making an access control decision according to the obtained access control information and obtaining access control decision information; carrying the access control decision information in an access control decision response and sending it to the PEP;
a transceiver, configured to receive and send data under the control of the processor.
Optionally, the access control information request includes:
return-result indication information, used to indicate the parameters that the access control information request asks to be returned, the return-result indication information being generated according to attributes and/or sub-resources of the authorization information resource; and/or
resource access filter criteria, used to indicate the filter conditions of the resource operation, the resource access filter criteria being generated according to attributes and/or sub-resources of the authorization information resource.
Optionally, the attributes of the authorization information resource used to generate the resource access filter criteria include one or any combination of the following:
Initiator attribute: carries the identifier of the resource access initiator;
Role identifier attribute: carries a set of identifiers of the roles issued to the resource access initiator;
Token identifier attribute: carries a set of identifiers of the tokens carrying authorization information that were issued to the resource access initiator.
The sub-resources of the authorization information resource used to generate the return-result indication information include one or any combination of the following:
Role resource: carries a set of role resources issued to the resource access initiator;
Token resource: carries a set of token resources issued to the resource access initiator.
In the above embodiments of the present application, an authorization entity generates the request messages of the resource access control process according to newly defined resources (such as the authorization decision resource, the authorization policy resource or the authorization information resource) and thereby obtains the information it needs from other authorization entities; a resource access control scheme is thus provided at the level of the resource structure.
DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic diagram of a oneM2M resource tree in the prior art;
FIG. 2 is a schematic diagram of the oneM2M authorization architecture in the prior art;
FIG. 3 is a schematic diagram of the principle of implementing distributed authorization based on oneM2M resources in an embodiment of the present application;
FIG. 4 is a schematic diagram of the relationship between the authorization resources and the CSE root resource <CSEBase> in an embodiment of the present application;
FIG. 5 is a schematic structural diagram of the <authorizationDecision> resource type provided by an embodiment of the present application;
FIG. 6 is a schematic structural diagram of the <authorizationPolicy> resource type provided by an embodiment of the present application;
FIG. 7 is a schematic structural diagram of the <authorizationInformation> resource type provided by an embodiment of the present application;
FIG. 8 is a schematic diagram of the general flow of resource access control provided by an embodiment of the present application;
FIG. 9 is a schematic diagram of the interaction flow between the PEP and the PDP provided by an embodiment of the present application;
FIG. 10 is a schematic diagram of the interaction flow between the PDP and the PRP provided by an embodiment of the present application;
FIG. 11 is a schematic diagram of the interaction flow between the PDP and the PIP provided by an embodiment of the present application;
FIG. 12 is a first schematic structural diagram of a PDP provided by an embodiment of the present application;
FIG. 13 is a second schematic structural diagram of a PDP provided by an embodiment of the present application;
FIG. 14 is a third schematic structural diagram of a PDP provided by an embodiment of the present application;
FIG. 15 is a fourth schematic structural diagram of a PDP provided by an embodiment of the present application;
FIG. 16 is a fifth schematic structural diagram of a PDP provided by an embodiment of the present application;
FIG. 17 is a sixth schematic structural diagram of a PDP provided by an embodiment of the present application.
DETAILED DESCRIPTION
To make the objectives, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings. Obviously, the described embodiments are only some, and not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present application without creative effort fall within the scope of protection of the present application.
oneM2M defines two basic entities: the AE (Application Entity) and the CSE (Common Services Entity).
An AE resides at the application layer and implements one item of M2M application logic. One item of application logic may reside in several M2M nodes, or may have several execution instances in a single node. Each execution instance of the application logic is called an AE, and each AE is identified by a unique AE-ID.
A CSE consists of a set of "common service functions" of the M2M environment. Each CSE is identified by a unique CSE-ID. The oneM2M resource tree resides in the CSE.
oneM2M defines three types of resources:
Normal Resource: has a concrete resource structure and resource attributes.
Virtual Resource: has no concrete resource structure or resource attributes; it is mainly used to trigger a particular processing procedure.
Announced Resource: has a concrete resource structure and attributes; it is a copy of part of the content of a normal resource on another entity, and its main purpose is to facilitate resource discovery.
The authorization architecture given in the oneM2M security solutions technical specification (oneM2M TS-0003: Security Solutions) is shown in FIG. 2 and may include the following components:
·PEP (Policy Enforcement Point): the PEP coexists with the application system that requires access control and is invoked by that system. The PEP generates an access control decision request from the resource access initiator's resource access request, sends it to the PDP, and then determines from the access control decision response returned by the PDP whether to execute the resource access request.
·PDP (Policy Decision Point): the PDP determines, according to the access control policy, whether to permit access to the target resource requested in the access control decision request sent by the PEP, and returns the decision result to the PEP in an access control decision response.
·PRP (Policy Retrieval Point): the PRP obtains the applicable access control policy according to the access control policy request provided by the PDP and returns the obtained access control policy to the PDP.
·PIP (Policy Information Point): the PIP obtains attributes related to the user, the resource or the environment according to the access control information request of the PDP, for example the IP address of the accessing user, the creator of the resource or the current time, and then returns the obtained attributes to the PDP.
The basic oneM2M resource access control flow may include:
The resource access initiator sends a resource access request (Access Request) to the PEP, and the PEP sends an access control decision request (Decision Request) to the PDP according to that resource access request.
The PDP sends an access control policy request (Policy Request) to the PRP according to the access control decision request sent by the PEP, and the PRP returns an access control policy response (Policy Response) to the PDP; the access control policy response contains the access control policy.
The PDP analyses and decides on the content contained in the access control decision request and the access control policy. If further attributes are needed during the analysis and decision, it sends an access control information request (Attribute Request) to the PIP, and the PIP sends an access control information response to the PDP; the access control information response contains the access-control-related attributes obtained according to the access control information request.
The PDP sends an access control decision response (Decision Response) to the PEP; the access control decision response contains the access control decision result. The PEP decides, according to the access control decision result in the access control decision response, whether to execute the resource access initiator's resource access request.
For resource access control, the embodiments of the present application define three new oneM2M resources. These three resources are of the Normal Resource type and are respectively:
the authorization decision resource, denoted in the embodiments of the present application as the <authorizationDecision> resource;
the authorization policy resource, denoted in the embodiments of the present application as the <authorizationPolicy> resource;
the authorization information resource, denoted in the embodiments of the present application as the <authorizationInformation> resource.
Operations on these three resources realize data exchange between the authorization entities and allow distributed processing by the authorization system. The type of resource being accessed determines the type of authorization request: for example, an access control decision request accesses the <authorizationDecision> resource, an access control policy request accesses the <authorizationPolicy> resource, and an access control information request accesses the <authorizationInformation> resource.
The three resources above may be placed under the CSE root resource (<CSEBase>), that is, they may be sub-resources of the CSEBase, with the resource type Normal Resource. The three resources may reside in the same CSE (that is, as sub-resources of the same <CSEBase>) or in different CSEs. In one typical example, the <authorizationDecision> resource resides in the CSE that implements the PDP function, the <authorizationPolicy> resource resides in the CSE that implements the PRP function, and the <authorizationInformation> resource resides in the CSE that implements the PIP function.
One CSE may contain one or more of the three new resources above. For any one of these resource types, a CSE may contain one or more resources of that type; for example, one CSE may contain one or more <authorizationDecision> resources.
If a CSE contains several resources of the same type, for example several <authorizationDecision> resources, the different <authorizationDecision> resources may be configured to be accessed by different resource access initiators, or by different groups of resource access initiators.
FIG. 3 shows, by way of example, a resource-based distributed authorization architecture and its principle.
As shown in FIG. 3, the PEP (the Hosting CSE in the figure) exchanges information with the PDP by operating on the <authorizationDecision> resource in the CSE that implements the PDP function (CSE1 in the figure); that is, the access control decision request and the access control decision response are exchanged through that resource.
The PDP (CSE1 in the figure) exchanges information with the PRP by operating on the <authorizationPolicy> resource in the CSE that implements the PRP function (CSE2 in the figure); that is, the access control policy request and the access control policy response are exchanged through that resource.
The PDP (CSE1 in the figure) exchanges information with the PIP by operating on the <authorizationInformation> resource in the CSE that implements the PIP function (CSE3 in the figure); that is, the access control information request and the access control information response are exchanged through that resource.
It should be noted that in the example shown in FIG. 3 the <authorizationDecision>, <authorizationPolicy> and <authorizationInformation> resources are distributed over the CSEs of different authorization entities; in other examples, several of the three resources may be located in the same CSE, and the embodiments of the present application place no restriction on this.
In the embodiments of the present application, the initiator of an authorization function request (such as the PDP, PRP or PIP in FIG. 3) reads the corresponding resource with the oneM2M resource retrieve operation (Retrieve). The Content parameter of the retrieve request (Retrieve Request) describes the authorization-related information that the initiator expects to obtain (that is, the Content parameter indicates the parameters requested to be returned), and the Filter Criteria parameter of the retrieve request provides the corresponding input information (that is, the Filter Criteria parameter indicates the filter conditions of the resource operation, for example the filter conditions of a resource retrieve operation). The receiver of the authorization function request performs the corresponding authorization process according to the input information provided and returns the execution result to the initiator of the authorization function in the form of a retrieve response (Retrieve Response).
The Content parameter of the retrieve request may also be called return-result indication information; it may be generated from the attributes and/or sub-resources of the resources defined in the embodiments of the present application, specifically from the attribute names of the resource or other information capable of indicating an attribute. The Filter Criteria parameter of the retrieve request may also be called resource access filter criteria; it may be generated from the attributes and/or sub-resources of the resources defined in the embodiments of the present application, specifically from the attribute names and attribute values of the resource.
Based on the architecture shown in FIG. 2, the retrieve request may specifically include: the access control decision request sent by the PEP to the PDP, the access control policy request sent by the PDP to the PRP, and the access control information request sent by the PDP to the PIP.
In oneM2M, a resource may contain one or more attributes, and the attributes of a resource carry that resource's attribute values. The three resources defined in the embodiments of the present application may also include one or more attributes. The attributes of these resources fall into two categories according to their purpose:
Attributes used to generate the return result indication information: the results requested by the resource access initiator, such as the access control decision, the access control policy or the access control information, are placed in these attributes; these attributes belong to the target resource of the Retrieve operation.
Attributes used to generate the resource access filter condition: the input parameters provided by the resource access initiator, such as the initiator's identifier, the destination resource address and the operation on the resource, are placed in these attributes; they are used to construct the resource filter condition of the Retrieve operation, which is how the resource access initiator passes its input parameters to the PDP, PRP or PIP.
Further, the three resources may also contain child resources. These child resources are used to output results and are therefore also called destination resources, for example the <role> resource type or the <token> resource type used when querying roles or tokens.
FIG. 4 shows, by way of example, the relationship between the authorization resources and the CSE root resource <CSEBase>. <CSEBase> may contain the resource attributes already defined by oneM2M ("other resource attributes" in the figure) and the child resources already defined by oneM2M ("other child resources" in the figure), and further contains the <authorizationDecision>, <authorizationPolicy> and <authorizationInformation> resources defined in the embodiments of the present application. Under one <CSEBase>, there may be one or more <authorizationDecision> resources or none at all (the figure marks the possible number as "0..n", where n is an integer greater than or equal to 1); likewise there may be one or more <authorizationPolicy> resources or none ("0..n" in the figure, n an integer greater than or equal to 1); and one or more <authorizationInformation> resources or none ("0..n" in the figure, n an integer greater than or equal to 1).
The attributes of the <authorizationDecision>, <authorizationPolicy> and <authorizationInformation> resources are described in detail below.
(1) <authorizationDecision> resource type
The structure of the <authorizationDecision> resource type is shown in FIG. 5, in which "0..n" denotes the possible number of an attribute or child resource, n being an integer greater than or equal to 1, and "L" denotes that the attribute value may take the form of a list.
As shown in FIG. 5, the resource attributes and child resources are defined as follows:
Decision attribute: carries the access control decision information; its attribute name may be written decision and its attribute value is the access control decision; the decision attribute is optional;
Permitted attributes attribute: carries the attribute names of the target resource (that is, the target resource the resource access initiator requests to access) that are permitted to be accessed; its attribute name may be written permittedAttributes and its attribute value is the list of permitted attribute names of the target resource; the permittedAttributes attribute is optional; further, its attribute value may take the form of a list;
Permitted resource types attribute: carries the child resource type identifiers of the target resource (that is, the target resource the resource access initiator requests to access) that are permitted to be accessed; its attribute name may be written permittedResourceTypes and its attribute value is the list of permitted child resource type identifiers of the target resource; the permittedResourceTypes attribute is optional; further, its attribute value may take the form of a list;
Status attribute: carries a description of any error that occurred during the access control decision process; its attribute name may be written status and its attribute value describes the error that occurred during the access control decision process; the status attribute is optional;
Target attribute: carries the resource address of the target resource the resource access initiator requests to access; its attribute name may be written to and its attribute value is the address of the target resource accessed by the resource access initiator (Originator); the to attribute is optional;
Initiator attribute: carries the identifier of the resource access initiator; its attribute name may be written from and its attribute value is the identifier of the resource access initiator; the from attribute is optional;
Operation attribute: carries the identifier of the operation the resource access initiator requests on the target resource; its attribute name may be written operation and its attribute value is the identifier of the initiator's operation on the target resource; the operation attribute is optional;
Content attribute: carries the specific content of the target resource the resource access initiator requests to access; its attribute name is content and its attribute value is the specific content of the target resource the initiator wants to access; the content attribute is optional;
Filter usage attribute: carries the parameter, within the resource access filter condition provided by the resource access initiator, that indicates the purpose of the filter condition; its attribute name may be written filterUsage and its attribute value is the value of the filterUsage parameter in the filterCriteria provided by the initiator; the filterUsage attribute is optional;
Role identifier attribute: carries the identifiers of a set of roles issued to the resource access initiator; its attribute name may be written roleIDs and its attribute value is the set of identifiers of the roles issued to the initiator; the roleIDs attribute is optional; further, its attribute value may take the form of a list;
Token identifier attribute: carries the identifiers of a set of tokens carrying authorization information that were issued to the resource access initiator; its attribute name may be written tokenIDs and its attribute value is the set of identifiers of those tokens; the tokenIDs attribute is optional; further, its attribute value may take the form of a list;
Token attribute: carries a set of tokens carrying authorization information that were issued to the resource access initiator; its attribute name may be written tokens and its attribute value is the set of those tokens; the tokens attribute is optional; further, its attribute value may take the form of a list;
Request time attribute: carries the time at which the PEP received the resource access request sent by the resource access initiator; its attribute name may be written requestTime and its attribute value is the time at which the Hosting CSE received the initiator's resource access request; the requestTime attribute is optional;
Location attribute: carries the location of the resource access initiator; its attribute name may be written requestLocation and its attribute value is the location information of the initiator; the requestLocation attribute is optional;
Requester IP address attribute: carries the IP address carried in the resource access request sent by the resource access initiator; its attribute name may be written requestIP and its attribute value is the IP address carried in the initiator's resource access request packet; the requestIP attribute is optional.
Further, the <authorizationDecision> resource may also contain a child resource, written <subscription>. The <authorizationDecision> resource may contain one or more <subscription> resources. <subscription> may be a child resource already defined by oneM2M.
Among the attributes of the <authorizationDecision> resource, the decision, permittedAttributes, permittedResourceTypes and status attributes may be used to generate the "return result indication information" of the resource control decision request (such as the aforementioned Content parameter), and the other attributes may be used to generate the "resource access filter condition" of the resource control decision request (such as the aforementioned Filter Criteria parameter).
It should be noted that practical applications are not necessarily limited to the resource attributes and child resources defined above; by extending the <authorizationDecision> resource, new input parameters (such as the aforementioned Filter Criteria parameter) may be added to the access control decision request and new output parameters (such as the aforementioned Content parameter) may be added to the access control decision response.
(2) <authorizationPolicy> resource type
The structure of the <authorizationPolicy> resource type is shown in FIG. 6, in which "1" denotes that the number of an attribute is 1, "0..n" denotes the possible number of an attribute, n being an integer greater than or equal to 1, and "L" denotes that the attribute value may take the form of a list.
As shown in FIG. 6, the resource attributes and child resources are defined as follows:
Policy attribute: carries the access control policies applicable to the target resource the resource access initiator requests to access; its attribute name may be written policies and its attribute value is the set of access control policies applicable to the target resource; the policies attribute is optional; further, its attribute value may take the form of a list;
Combining algorithm attribute: carries the identifier of the policy combining algorithm used to combine the multiple access control policies in the policies attribute; its attribute name is combiningAlgorithm and its attribute value is the identifier of that policy combining algorithm; the combiningAlgorithm attribute is optional;
Target attribute: carries the resource address of the target resource the resource access initiator requests to access; its attribute name may be written to and its attribute value is the address of the target resource accessed by the initiator; the to attribute is optional;
Initiator attribute: carries the identifier of the resource access initiator; its attribute name may be written from and its attribute value is the identifier of the initiator; the from attribute is optional.
Further, the <authorizationPolicy> resource may also contain a child resource, written <subscription>. The <authorizationPolicy> resource may contain one or more <subscription> resources. <subscription> may be a child resource already defined by oneM2M.
Among the attributes of the <authorizationPolicy> resource, the policies and combiningAlgorithm attributes may be used to generate the "return result indication information" of the resource control policy request (such as the aforementioned Content parameter), and the other attributes may be used to generate the "resource access filter condition" of the resource control policy request (such as the aforementioned Filter Criteria parameter).
It should be noted that practical applications are not necessarily limited to the resource attributes and child resources defined here; by extending the <authorizationPolicy> resource, new input parameters (such as the aforementioned Filter Criteria parameter) may be added to the access control policy request and new output parameters (such as the aforementioned Content parameter) may be added to the access control policy response.
(3) <authorizationInformation> resource type
The structure of the <authorizationInformation> resource type is shown in FIG. 7, in which "1" denotes that the number of an attribute is 1, "0..n" denotes the possible number of an attribute, n being an integer greater than or equal to 1, and "L" denotes that the attribute value may take the form of a list.
As shown in FIG. 7, the resource attributes and child resources are defined as follows:
Role resource: this resource may be written <role> and carries a set of role resources issued to the resource access initiator; it is an optional child resource; if the <authorizationInformation> resource contains it, there may be one or more of them;
Token resource: this resource may be written <token> and carries a set of token resources issued to the resource access initiator; it is an optional child resource;
Initiator attribute: carries the identifier of the resource access initiator; its attribute name may be written from and its attribute value is the identifier of the initiator; the from attribute is optional;
Role identifier attribute: carries the identifiers of a set of roles issued to the resource access initiator; its attribute name may be written roleIDs and its attribute value is the set of identifiers of the roles issued to the initiator; the roleIDs attribute is optional; further, its attribute value may take the form of a list;
Token identifier attribute: carries the identifiers of a set of tokens carrying authorization information that were issued to the resource access initiator; its attribute name may be written tokenIDs and its attribute value is the set of identifiers of those tokens; the tokenIDs attribute is optional; further, its attribute value may take the form of a list;
Further, the <authorizationInformation> resource may also contain other child resources, written <subscription>. The <authorizationInformation> resource may contain one or more <subscription> resources. <subscription> may be a child resource already defined by oneM2M.
Among the attributes and child resources of the <authorizationInformation> resource, <role> and <token> may be used to generate the "return result indication information" of the resource control information request (such as the aforementioned Content parameter), and the other attributes may be used to generate the "resource access filter condition" of the resource control information request (such as the aforementioned Filter Criteria parameter).
It should be noted that practical applications are not necessarily limited to the resource attributes and child resources defined here; by extending the <authorizationPolicy> resource, new input parameters (such as the aforementioned Filter Criteria parameter) may be added to the access control information request and new output parameters (such as the aforementioned Content parameter) may be added to the access control information response.
Based on the resources defined in the embodiments of the present application and the oneM2M authorization architecture provided in FIG. 2, the embodiments of the present application provide the following resource access control procedure (that is, resource authorization procedure).
The resource access control procedure provided by the embodiments of the present application is described in detail below with reference to FIG. 8, FIG. 9, FIG. 10 and FIG. 11.
Referring to FIG. 8, a schematic diagram of the general procedure of resource access control provided by an embodiment of the present application, the procedure may include:
Step 801: the PEP sends an access control decision request to the PDP according to the resource access request of the resource access initiator.
Optionally, the access control decision request sent by the PEP is generated according to the <authorizationDecision> resource.
Specifically, the access control decision request may contain return result indication information (such as the aforementioned Content parameter), which indicates the parameters the access control decision request asks to be returned and may be generated from the attributes and/or child resources of the <authorizationDecision> resource; for example, the Content parameter may include attribute names of the <authorizationDecision> resource and/or identifiers of its child resources.
Further, the access control decision request also contains a resource access filter condition (such as the aforementioned FilterCriteria parameter), which indicates the filter conditions of the resource operation and may be generated from the attributes and/or child resources of the <authorizationDecision> resource; for example, the FilterCriteria parameter may include attribute names and attribute values of the <authorizationDecision> resource and/or identifiers and contents of its child resources (such as the attribute values of the child resource's attributes).
Step 802: the PDP makes an access control decision according to the access control decision request.
Optionally, the PDP may obtain the access control policy locally, or it may obtain the access control policy from the PRP.
The process by which the PDP obtains the access control policy from the PRP may include: the PDP sends an access control policy request to the PRP according to the access control decision request, and receives the access control policy response that the PRP returns according to the access control policy request; the access control policy response contains the access control policy the PRP obtained according to the access control policy request. The access control policy request is generated by the PDP according to the <authorizationPolicy> resource.
Specifically, the access control policy request may contain return result indication information (such as the aforementioned Content parameter), which indicates the parameters the access control policy request asks to be returned and may be generated from the attributes and/or child resources of the <authorizationPolicy> resource; for example, the Content parameter may include attribute names of the <authorizationPolicy> resource and/or identifiers of its child resources.
Further, the access control policy request also contains a resource access filter condition (such as the aforementioned FilterCriteria parameter), which indicates the filter conditions of the resource operation and may be constructed from the attributes and/or child resources of the <authorizationPolicy> resource; for example, the FilterCriteria parameter may include identifiers and contents of the child resources of the <authorizationPolicy> resource (such as the attribute values of the child resource's attributes).
Correspondingly, the access control policy response returned by the PRP to the PDP may contain the attribute values of the <authorizationPolicy> resource and/or the contents of its child resources, obtained according to the return result indication information and the resource access filter condition above.
Further, the PDP may also obtain access control information locally, or it may obtain access control information from the PIP.
The process by which the PDP obtains access control information from the PIP may include: the PDP sends an access control information request to the PIP according to the access control decision request, and receives the access control information response that the PIP returns according to the access control information request; the access control information response contains the access control information the PIP obtained according to the access control information request. The access control information request is generated by the PDP according to the <authorizationInformation> resource.
Specifically, the access control information request may contain return result indication information (such as the aforementioned Content parameter), which indicates the parameters the access control information request asks to be returned and may be generated from the attributes and/or child resources of the <authorizationInformation> resource; for example, the Content parameter may include attribute names of the <authorizationInformation> resource and/or identifiers of its child resources.
Further, the access control information request also contains a resource access filter condition (such as the aforementioned FilterCriteria parameter), which indicates the filter conditions of the resource operation and may be constructed from the attributes and/or child resources of the <authorizationInformation> resource; for example, the FilterCriteria parameter may include attribute names and attribute values of the <authorizationInformation> resource and/or identifiers and contents of its child resources (such as the attribute values of the child resource's attributes).
Correspondingly, the access control information response returned by the PIP to the PDP may contain the attribute values of the <authorizationInformation> resource and/or the contents of its child resources, obtained according to the return result indication information and the resource access filter condition above.
The PDP makes the access control decision according to the obtained access control policy, optionally combined with the obtained access control information, and thereby obtains the access control decision information.
Step 803: the PDP returns an access control decision response to the PEP; the access control decision response contains the access control decision information.
Optionally, if in step 801 the access control decision request sent by the PEP was generated by the PEP according to the <authorizationDecision> resource in the manner described above, then correspondingly, in step 803, the access control decision response returned by the PDP to the PEP may contain the attribute values of the <authorizationDecision> resource and/or the contents of its child resources, obtained according to the return result indication information and the resource access filter condition in the access control decision request.
基于图8所示的流程,图9示例性地示出了一种PEP与PDP之间的交互流程。如图9所示,该流程可包括如下步骤:Based on the flow shown in FIG. 8, FIG. 9 exemplarily shows an interaction flow between a PEP and a PDP. As shown in FIG. 9, the process may include the following steps:
步骤901:位于宿主CSE(Hosting CSE)中的PEP根据资源访问发起方(Originator)的资源访问请求生成访问控制决策请求(Access Control Decision Request),并发送给具有PDP功能的CSE。Step 901: The PEP in the Hosting CSE generates an Access Control Decision Request according to the resource access request of the resource access initiator (originator), and sends the request to the CSE with the PDP function.
访问控制决策请求可利用oneM2M的读操作实现,也即利用oneM2M的Retrieve操作读取具有PDP功能的CSE资源树中的<authorizationDecision>资源,并利用资源中的属性 构建请求(Request)中的Content参数。The access control decision request can be implemented by using the read operation of oneM2M, that is, using the Retrieve operation of oneM2M to read the <authorizationDecision> resource in the CSE resource tree with PDP function, and utilizing the attributes in the resource. Build the Content parameter in the Request.
作为一个例子,构建Content参数时,<authorizationDecision>资源的decision属性为必选属性,表示PDP需要返回访问控制决策信息,其他为可选属性。As an example, when the Content parameter is constructed, the decision attribute of the <authorizationDecision> resource is a mandatory attribute, indicating that the PDP needs to return access control decision information, and the others are optional attributes.
作为另一个例子,还可利用<authorizationDecision>资源的permittedAttributes属性构建Content参数,此种情况下,Content参数表示PDP还需要返回建议的可访问资源属性名称列表。As another example, the Content parameter can also be constructed using the permittedAttributes attribute of the <authorizationDecision> resource. In this case, the Content parameter indicates that the PDP also needs to return a list of suggested accessible resource attribute names.
作为另一个例子,还可以利用<authorizationDecision>资源的permittedResourceTypes属性构建Content参数,此种情况下,Content参数表示PDP还需要返回建议的可访问的子资源类型标识列表。As another example, the Content parameter can also be constructed using the permittedResourceTypes attribute of the <authorizationDecision> resource. In this case, the Content parameter indicates that the PDP also needs to return a list of suggested accessible sub-resource type identifiers.
作为另一个例子,还可以利用<authorizationDecision>资源的status属性构建Content参数,此种情况下,Content参数表示PDP还需要返回决策过程中的出错信息。As another example, the Content parameter can also be constructed using the status attribute of the <authorizationDecision> resource. In this case, the Content parameter indicates that the PDP also needs to return an error message during the decision process.
进一步地,还可利用<authorizationDecision>资源中的属性构建访问控制决策请求中Filter Criteria参数。作为一个例子,构建Filter Criteria参数时,<authorizationDecision>资源的to属性、from属性、operation属性为必选属性,其他属性为可选属性。Further, the Filter Criteria parameter in the access control decision request can also be constructed by using the attributes in the <authorizationDecision> resource. As an example, when constructing the Filter Criteria parameter, the to attribute, from attribute, and operation attribute of the <authorizationDecision> resource are mandatory attributes, and other attributes are optional attributes.
步骤902:具有PDP功能的CSE接收到来自于PEP的携带有访问控制决策请求(Access Control Decision Request)的资源访问请求后进行如下操作:Step 902: After receiving the resource access request from the PEP carrying the Access Control Decision Request, the CSE having the PDP function performs the following operations:
检查资源访问发起方是否具有访问<authorizationDecision>资源的权利,若有,则激活一个PDP处理过程,并将接收到参数传递给该过程。若不允许则跳转到步骤903。Checks whether the resource access initiator has access to the <authorizationDecision> resource, and if so, activates a PDP process and passes the received parameters to the process. If not, jump to step 903.
PDP根据Filter Criteria参数中提供的数据获取访问控制策略。若访问控制策略不能在本地获得,相关过程参见PDP与PRP之间的交互过程。The PDP obtains an access control policy based on the data provided in the Filter Criteria parameter. If the access control policy cannot be obtained locally, refer to the interaction process between the PDP and the PRP.
PDP根据Filter Criteria参数中提供的数据获取访问控制信息。若访问控制信息不能在本地获得,相关过程参见PDP与PIP之间的交互过程。The PDP obtains access control information based on the data provided in the Filter Criteria parameter. If the access control information cannot be obtained locally, refer to the interaction process between the PDP and the PIP.
PDP从Filter Criteria参数中获得访问控制决策评估过程所需的各种属性,例如,资源访问发起方标识,目标资源地址,对目标资源的操作,以及请求的时间、地点和IP地址等上下文信息,然后依据获取的访问控制策略和访问控制信息评估该资源访问请求,并产生相应的评估结果,具体的评估过程可参见oneM2M协议中的相关描述。若请求中包含有资源属性permittedAttributes和/或permittedResourceTypes,则PDP按访问控制策略中的描述生成相应的值,也即允许资源访问发起方所访问的资源属性名称列表或子资源类型标识列表;若请求中包含有资源属性status,则生成相应的值,以表示评估过程是否有错误产生,以及产生了什么错误,例如访问控制决策过程所需的属性缺失或语法错误等。The PDP obtains various attributes required for the access control decision evaluation process from the Filter Criteria parameter, for example, the resource access initiator identifier, the target resource address, the operation on the target resource, and the context information such as the time, place, and IP address of the request. Then, the resource access request is evaluated according to the obtained access control policy and the access control information, and corresponding evaluation results are generated. For the specific evaluation process, refer to the related description in the oneM2M protocol. If the request includes the resource attribute permittedAttributes and/or the permittedResourceTypes, the PDP generates a corresponding value according to the description in the access control policy, that is, allows the resource to access the resource attribute name list or the sub-resource type identifier list accessed by the initiator; The resource attribute status is included, and the corresponding value is generated to indicate whether the evaluation process has an error and what error has occurred, such as missing attributes or syntax errors required for the access control decision process.
步骤903:PDP-CSE根据步骤902的评估结果生成携带有访问控制决策响应(Access  Control Decision Response)的资源访问响应,其中包含有decision属性、permittedAttributes属性、permittedResourceTypes属性或status属性等属性的值,这些资源属性名称及其属性值放在响应的Content参数中。然后,PDP-CSE将生成的响应发送给PEP。Step 903: The PDP-CSE generates an access control decision response (Access) according to the evaluation result of step 902. Control Decision Response) The resource access response, which contains the values of attributes such as the decision attribute, the permittedAttributes attribute, the permittedResourceTypes attribute, or the status attribute. These resource attribute names and their attribute values are placed in the Content parameter of the response. The PDP-CSE then sends the generated response to the PEP.
Based on the flow shown in FIG. 8, FIG. 10 shows an exemplary interaction flow between a PDP and a PRP. As shown in FIG. 10, the flow may include the following steps:
Step 1001: The PDP located in a CSE generates an Access Control Policy Request according to the access control decision request sent by the PEP and sends it to the CSE that has the PRP function.
The access control policy request can be implemented using the oneM2M read operation, that is, the oneM2M Retrieve operation is used to read the <authorizationPolicy> resource in the resource tree of the CSE that has the PRP function, and the attributes of that resource are used to build the Content parameter of the Request. As one example, when the Content parameter is built, the policies attribute of the <authorizationPolicy> resource is a mandatory attribute, indicating that the PRP must return the access control policy; the other attributes are optional.
Further, the attributes of the <authorizationPolicy> resource can also be used to build the Filter Criteria parameter of the request. As one example, when the Filter Criteria parameter is built, the to attribute of the <authorizationPolicy> resource is mandatory and the other attributes are optional.
Step 1002: After the CSE that has the PRP function receives the resource access request from the PDP carrying the Access Control Policy Request, it performs the following operations:
It checks whether the resource access Originator has the right to access the <authorizationPolicy> resource. If so, it activates a PRP processing procedure and passes the received parameters to that procedure; if not, it jumps to step 1003.
The CSE-PRP obtains the access control policy according to the data provided in the Filter Criteria parameter. The PRP places the obtained access control policy in the resource attribute policies; if the request contains the resource attribute combiningAlgorithm, the PRP must also provide the corresponding value.
Step 1003: The PRP-CSE generates, according to the query result of step 1002, a response carrying an Access Control Policy Response, which contains the values of attributes such as the policies attribute or the combiningAlgorithm attribute; these resource attribute names and their attribute values are placed in the Content parameter of that response. The PRP-CSE then sends the generated response to the PDP.
Based on the flow shown in FIG. 8, FIG. 11 shows an exemplary interaction flow between a PDP and a PIP. As shown in FIG. 11, the flow may include the following steps:
Step 1101: The PDP located in a CSE generates an Access Control Information Request according to the access control decision request sent by the PEP and sends it to the CSE that has the PIP function.
The access control information request can be implemented using the oneM2M read operation, that is, the oneM2M Retrieve operation is used to read the <authorizationInformation> resource in the resource tree of the CSE that has the PIP function, and the attributes of that resource are used to build the Content parameter of the Request, or the PIP is asked to return the queried sub-resources.
As one example, when the PIP is required to return the queried <role> sub-resources and/or <token> sub-resources, the value of the Result Content parameter in the access control information request is set to "child-resources". This setting requires the PIP to return the role resources and/or token resources belonging to the resource access Originator, retrieved according to the roleIDs and/or tokenIDs provided in the Filter Criteria parameter.
Further, the attributes of the <authorizationInformation> resource can be used to build the Filter Criteria parameter of the request.
As one example, when the Filter Criteria parameter is built, the from attribute of the <authorizationInformation> resource is mandatory and the other attributes are optional.
As one example, when the access control decision request received by the PDP contains roleIDs (for example, the Filter Criteria parameter of that request contains the roleIDs attribute name and attribute value), the PDP, when generating the access control information request to be sent to the PIP, can use the roleIDs attribute of the <authorizationInformation> resource to build the Filter Criteria parameter.
As another example, when the access control decision request received by the PDP contains tokenIDs (for example, the Filter Criteria parameter of that request contains the tokenIDs attribute name and attribute value), the PDP, when generating the access control information request to be sent to the PIP, can use the tokenIDs attribute of the <authorizationInformation> resource to build the Filter Criteria parameter.
Step 1102: After the CSE that has the PIP function receives the resource access request from the PDP carrying the Access Control Information Request, it performs the following operations:
It checks whether the resource access Originator has the right to access the <authorizationInformation> resource. If so, it activates a PIP processing procedure and passes the received parameters to that procedure; if not, it jumps to step 1103.
The PIP obtains the access control information according to the data provided in the Filter Criteria parameter. The PIP places the obtained access control information in the corresponding resource attributes or the corresponding target sub-resources, for example <role> resources and <token> resources.
Step 1103: The PIP-CSE generates, according to the query result of step 1102, a resource access response carrying an Access Control Information Response, which contains values such as the queried <role> resources and/or <token> resources. The PIP-CSE then sends the generated response to the PDP.
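The three Retrieve-based exchanges above (PEP to PDP in steps 901-903, PDP to PRP in steps 1001-1003, PDP to PIP in steps 1101-1103), simulated end to end in Python as an added example that is not part of the patent or of oneM2M. The resource paths, the policy record format, the permit-overrides semantics, the status codes and all sample data are assumptions made for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass
class Request:
    """Subset of a oneM2M request primitive used by the three flows."""
    operation: str                                   # "Retrieve" for all three requests
    to: str                                          # authorization resource being read
    originator: str                                  # the "from" primitive parameter
    content: Dict[str, Any] = field(default_factory=dict)          # attributes the responder must fill
    filter_criteria: Dict[str, Any] = field(default_factory=dict)  # Filter Criteria parameter
    result_content: Optional[str] = None             # e.g. "child-resources" (step 1101)


# Constructed sample data (assumed, not from the patent): policies held by the PRP,
# <role> child resources held by the PIP, and who may read each authorization resource.
PRP_POLICIES = {
    "/cse1/sensor1": {
        "policies": [
            {"subject": "role:operator", "operations": ["Retrieve"], "attributes": ["temperature"]},
            {"subject": "CAE1", "operations": ["Retrieve", "Update"], "attributes": ["temperature", "label"]},
        ],
        "combiningAlgorithm": "permit-overrides",
    },
}
PIP_ROLES = {"role-op-1": {"roleID": "role-op-1", "holder": "CAE2", "role": "operator"}}
AUTHZ_RESOURCE_ACL = {
    "/pdp-cse/authorizationDecision": {"pep-cse"},
    "/prp-cse/authorizationPolicy": {"pdp-cse"},
    "/pip-cse/authorizationInformation": {"pdp-cse"},
}


def pep_build_decision_request(originator, target, operation, role_ids=(), want=("status",)):
    """Step 901: decision is mandatory in Content; to/from/operation are mandatory in Filter Criteria."""
    content = {"decision": None, **{name: None for name in want}}
    fc = {"to": target, "from": originator, "operation": operation}
    if role_ids:
        fc["roleIDs"] = list(role_ids)
    return Request("Retrieve", "/pdp-cse/authorizationDecision", "pep-cse", content, fc)


def prp_handle(req: Request) -> Dict[str, Any]:
    """Steps 1002-1003: check the reader's right, then fill policies (and combiningAlgorithm if asked)."""
    if req.originator not in AUTHZ_RESOURCE_ACL[req.to]:
        return {"status": "ACCESS_DENIED"}
    entry = PRP_POLICIES.get(req.filter_criteria["to"])
    if entry is None:
        return {"policies": []}
    resp = {"policies": entry["policies"]}
    if "combiningAlgorithm" in req.content:
        resp["combiningAlgorithm"] = entry["combiningAlgorithm"]
    return resp


def pip_handle(req: Request) -> Dict[str, Any]:
    """Steps 1102-1103: return the <role> children named by roleIDs that belong to the Originator."""
    if req.originator not in AUTHZ_RESOURCE_ACL[req.to]:
        return {"status": "ACCESS_DENIED"}
    fc = req.filter_criteria
    roles: List[Dict[str, str]] = [PIP_ROLES[r] for r in fc.get("roleIDs", [])
                                   if r in PIP_ROLES and PIP_ROLES[r]["holder"] == fc["from"]]
    return {"child-resources": roles} if req.result_content == "child-resources" else {}


def pdp_handle(req: Request) -> Dict[str, Any]:
    """Steps 902-903: check the reader's right, fetch policy and information, evaluate, answer."""
    if req.originator not in AUTHZ_RESOURCE_ACL[req.to]:
        return {"decision": "DENY", "status": "ACCESS_DENIED"}
    fc = req.filter_criteria
    missing = [k for k in ("to", "from", "operation") if k not in fc]
    if missing:  # the "missing attribute" error the status attribute is meant to report
        return {"decision": "DENY", "status": "MISSING_ATTRIBUTE:" + ",".join(missing)}
    # Step 1001: policy request built from <authorizationPolicy>; "to" is the mandatory filter.
    policy_resp = prp_handle(Request("Retrieve", "/prp-cse/authorizationPolicy", "pdp-cse",
                                     {"policies": None, "combiningAlgorithm": None}, {"to": fc["to"]}))
    # Step 1101: information request only when the decision request carried roleIDs.
    roles: List[Dict[str, str]] = []
    if "roleIDs" in fc:
        info_resp = pip_handle(Request("Retrieve", "/pip-cse/authorizationInformation", "pdp-cse", {},
                                       {"from": fc["from"], "roleIDs": fc["roleIDs"]}, "child-resources"))
        roles = info_resp.get("child-resources", [])
    subjects = {fc["from"]} | {"role:" + r["role"] for r in roles}
    applicable = [p for p in policy_resp.get("policies", [])
                  if p["subject"] in subjects and fc["operation"] in p["operations"]]
    # Assumed permit-overrides semantics: any applicable rule permits.
    resp: Dict[str, Any] = {"decision": "PERMIT" if applicable else "DENY"}
    if "permittedAttributes" in req.content:
        resp["permittedAttributes"] = sorted({a for p in applicable for a in p["attributes"]})
    if "status" in req.content:
        resp["status"] = "OK" if applicable else "NO_APPLICABLE_POLICY"
    return resp


if __name__ == "__main__":
    req = pep_build_decision_request("CAE2", "/cse1/sensor1", "Retrieve", ["role-op-1"],
                                     ("permittedAttributes", "status"))
    print(pdp_handle(req))
```

Note that every responder first checks the caller's right to read the authorization resource itself, so a request that reaches the PDP from anything other than the PEP is refused before any policy is consulted.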
In some other embodiments of the present application, the interactions between the above authorization entities may also be implemented using the oneM2M resource creation operation (Create). In this case, the initiator of the request carries the information to be input in the Content parameter of the Create operation; after receiving the request, the receiver triggers the corresponding authorization process, which performs the corresponding authorization using the input information provided in the Content parameter and stores the result of the authorization process in resource attributes; the values stored in the resource attributes are then returned to the initiator using the Content parameter of the Create response.
In summary, existing oneM2M only defines the high-level architecture of the authorization system and does not provide a specific solution. The embodiments of the present application provide a method for implementing a distributed authorization system in a oneM2M system. The new resources and resource operations defined in the embodiments of the present application conform to the ordinary resource types specified by oneM2M and fit the RESTful operation style well, without requiring excessive changes to existing oneM2M technology.
Based on the same technical concept, the embodiments of the present application also provide a PDP; the provided PDP can implement the flows described in the above embodiments.
Referring to FIG. 12, which is a schematic structural diagram of a PDP provided by an embodiment of the present application, the PDP may include a receiving module 1201, a decision module 1202 and a sending module 1203; further, it may also include a first obtaining module 1204, and further still a second obtaining module 1205, where:
the receiving module 1201 is configured to receive an access control decision request sent by a PEP, the access control decision request being generated by the PEP according to an authorization decision resource;
the decision module 1202 is configured to make an access control decision according to the access control decision request and obtain access control decision information;
the sending module 1203 is configured to carry the access control decision information in an access control decision response and send it to the PEP.
For the content of the access control decision request and the method of constructing it, see the description of the foregoing embodiments, which is not repeated here.
For the attributes and sub-resources of the authorization decision resource, see the description of the foregoing embodiments, which is not repeated here.
Optionally, the first obtaining module 1204 is configured to send an access control policy request to a PRP according to the access control decision request, the access control policy request being generated by the PDP according to an authorization policy resource, and to receive the access control policy response returned by the PRP, which contains the access control policy obtained by the PRP according to the access control decision request. Correspondingly, the decision module 1202 can make the access control decision according to the access control policy obtained by the first obtaining module 1204.
For the content of the access control decision request and the method of constructing it, see the description of the foregoing embodiments, which is not repeated here.
For the attributes and sub-resources contained in the authorization policy resource, see the description of the foregoing embodiments, which is not repeated here.
Optionally, the second obtaining module 1205 is configured to send an access control information request to a PIP according to the access control decision request, the access control information request being generated by the PDP according to an authorization information resource, and to receive the access control information response returned by the PIP, which contains the access control information obtained by the PIP according to the access control information request. Correspondingly, the decision module 1202 can make the access control decision according to the access control information obtained by the second obtaining module 1205.
For the content of the access control information request and the method of constructing it, see the description of the foregoing embodiments, which is not repeated here.
For the attributes and sub-resources contained in the access control information request, see the description of the foregoing embodiments, which is not repeated here.
Referring to FIG. 13, which is a schematic structural diagram of a PDP provided by another embodiment of the present application, the PDP may include a receiving module 1301, an obtaining module 1302, a decision module 1303 and a sending module 1304, where:
the receiving module 1301 is configured to receive an access control decision request sent by a PEP;
the obtaining module 1302 is configured to send an access control policy request to a PRP according to the access control decision request, the access control policy request being generated by the PDP according to an authorization policy resource, and to receive the access control policy response returned by the PRP, which contains the access control policy obtained by the PRP according to the access control decision request;
the decision module 1303 is configured to make an access control decision according to the obtained access control policy and obtain access control decision information;
the sending module 1304 is configured to carry the access control decision information in an access control decision response and send it to the PEP.
For the content of the access control policy request and the method of constructing it, see the description of the foregoing embodiments, which is not repeated here.
For the attributes and sub-resources of the authorization policy resource, see the description of the foregoing embodiments, which is not repeated here.
Referring to FIG. 14, which is a schematic structural diagram of a PDP provided by another embodiment of the present application, the PDP may include a receiving module 1401, an obtaining module 1402, a decision module 1403 and a sending module 1404, where:
the receiving module 1401 is configured to receive an access control decision request sent by a PEP;
the obtaining module 1402 is configured to send an access control information request to a PIP according to the access control decision request, the access control information request being generated by the PDP according to an authorization information resource, and to receive the access control information response returned by the PIP, which contains the access control information obtained by the PIP according to the access control information request;
the decision module 1403 is configured to make an access control decision according to the obtained access control information and obtain access control decision information;
the sending module 1404 is configured to carry the access control decision information in an access control decision response and send it to the PEP.
For the content of the access control information request and the method of constructing it, see the description of the foregoing embodiments, which is not repeated here.
For the attributes and sub-resources of the authorization information resource, see the description of the foregoing embodiments, which is not repeated here.
Referring to FIG. 15, which is a schematic structural diagram of a PDP provided by an embodiment of the present application, the PDP may include:
a processor 1501, configured to send and receive data through a transceiver 1502, read the program in a memory 1504 and perform the following process:
receiving an access control decision request sent by a PEP, the access control decision request being generated by the PEP according to an authorization decision resource; making an access control decision according to the access control decision request and obtaining access control decision information; and carrying the access control decision information in an access control decision response and sending it to the PEP.
The transceiver 1502 is configured to receive and send data under the control of the processor 1501.
For the content of the access control decision request and the method of constructing it, see the description of the foregoing embodiments, which is not repeated here.
For the attributes and sub-resources of the authorization decision resource, see the description of the foregoing embodiments, which is not repeated here.
Optionally, the processor 1501 is configured to send an access control policy request to a PRP according to the access control decision request, the access control policy request being generated by the PDP according to an authorization policy resource, and to receive the access control policy response returned by the PRP, which contains the access control policy obtained by the PRP according to the access control decision request. Correspondingly, the processor 1501 can make the access control decision according to the obtained access control policy.
For the content of the access control decision request and the method of constructing it, see the description of the foregoing embodiments, which is not repeated here.
For the attributes and sub-resources contained in the authorization policy resource, see the description of the foregoing embodiments, which is not repeated here.
Optionally, the processor 1501 is configured to send an access control information request to a PIP according to the access control decision request, the access control information request being generated by the PDP according to an authorization information resource, and to receive the access control information response returned by the PIP, which contains the access control information obtained by the PIP according to the access control information request. Correspondingly, the processor 1501 can make the access control decision according to the obtained access control information.
For the content of the access control information request and the method of constructing it, see the description of the foregoing embodiments, which is not repeated here.
For the attributes and sub-resources contained in the access control information request, see the description of the foregoing embodiments, which is not repeated here.
In FIG. 15, the bus architecture (represented by the bus 1500) may include any number of interconnected buses and bridges; the bus 1500 links together various circuits including one or more processors represented by the processor 1501 and memory represented by the memory 1504. The bus 1500 may also link together various other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and are therefore not described further herein. A bus interface 1503 provides an interface between the bus 1500 and the transceiver 1502. The transceiver 1502 may be a single element or multiple elements, such as multiple receivers and transmitters, providing a unit for communicating with various other apparatuses over a transmission medium. Data processed by the processor 1501 is transmitted through the transceiver 1502; further, the transceiver 1502 also receives data and passes it to the processor 1501.
The processor 1501 is responsible for managing the bus 1500 and general processing, and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management and other control functions. The memory 1504 may be used to store data used by the processor 1501 when performing operations.
Optionally, the processor 1501 may be a CPU (central processing unit), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or a CPLD (Complex Programmable Logic Device).
Referring to FIG. 16, which is a schematic structural diagram of a PDP provided by another embodiment of the present application, the PDP may include:
a processor 1601, configured to send and receive data through a transceiver 1602, read the program in a memory 1604 and perform the following process:
receiving an access control decision request sent by a PEP; sending an access control policy request to a PRP according to the access control decision request, the access control policy request being generated by the PDP according to an authorization policy resource; receiving the access control policy response returned by the PRP, which contains the access control policy obtained by the PRP according to the access control decision request; making an access control decision according to the obtained access control policy and obtaining access control decision information; and carrying the access control decision information in an access control decision response and sending it to the PEP.
The transceiver 1602 is configured to receive and send data under the control of the processor 1601.
For the content of the access control information request and the method of constructing it, see the description of the foregoing embodiments, which is not repeated here.
For the attributes and sub-resources contained in the access control information request, see the description of the foregoing embodiments, which is not repeated here.
In FIG. 16, the bus architecture (represented by the bus 1600) may include any number of interconnected buses and bridges; the bus 1600 links together various circuits including one or more processors represented by the processor 1601 and memory represented by the memory 1604. The bus 1600 may also link together various other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and are therefore not described further herein. A bus interface 1603 provides an interface between the bus 1600 and the transceiver 1602. The transceiver 1602 may be a single element or multiple elements, such as multiple receivers and transmitters, providing a unit for communicating with various other apparatuses over a transmission medium. Data processed by the processor 1601 is transmitted through the transceiver 1602; further, the transceiver 1602 also receives data and passes it to the processor 1601.
The processor 1601 is responsible for managing the bus 1600 and general processing, and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management and other control functions. The memory 1604 may be used to store data used by the processor 1601 when performing operations.
Optionally, the processor 1601 may be a CPU, an ASIC, an FPGA or a CPLD.
Referring to FIG. 17, which is a schematic structural diagram of a PDP provided by another embodiment of the present application, the PDP may include:
处理器1701,用于通过收发机1702发送和接收数据,并读取存储器1704中的程序,执行下列过程:The processor 1701 is configured to send and receive data through the transceiver 1702, and read the program in the memory 1704, and perform the following process:
接收PEP发送的访问控制决策请求;根据所述访问控制决策请求,向PIP发送访问控制信息请求,所述访问控制信息请求由所述PDP根据授权信息资源生成;接收所述PIP返回的访问控制信息响应,所述访问控制信息响应中包含所述PIP根据所述访问控制信息请求获取到的访问控制信息;根据获取到的访问控制信息进行访问控制决策,得到访问控制决策信息;将所述访问控制决策信息携带于访问控制决策响应发送给所述PEP。Receiving an access control decision request sent by the PEP; sending, according to the access control decision request, an access control information request to the PIP, where the access control information request is generated by the PDP according to the authorization information resource; and receiving the access control information returned by the PIP In response, the access control information response includes access control information acquired by the PIP according to the access control information request; performing an access control decision according to the obtained access control information to obtain access control decision information; and performing the access control The decision information is carried in the access control decision response and sent to the PEP.
收发机1702,用于在处理器1701的控制下接收和发送数据。The transceiver 1702 is configured to receive and transmit data under the control of the processor 1701.
所述访问控制信息请求中包含的内容以及构建方法,可参见前述实施例的描述,在此不再重复。For the content and the construction method of the access control information request, refer to the description of the foregoing embodiment, which is not repeated here.
所述授权信息资源中的属性和子资源,可参见前述实施例的描述,在此不再重复。For the attributes and sub-resources in the authorization information resource, refer to the description of the foregoing embodiment, which is not repeated here.
在图17中,总线架构(用总线1700来代表),总线1700可以包括任意数量的互联的总线和桥,总线1700将包括由处理器1701代表的一个或多个处理器和存储器1704代表的存储器的各种电路链接在一起。总线1700还可以将诸如外围设备、稳压器和功率管理电路等之类的各种其他电路链接在一起,这些都是本领域所公知的,因此,本文不再对其进行进一步描述。总线接口1703在总线1700和收发机1702之间提供接口。收发机1702可以是一个元件,也可以是多个元件,比如多个接收器和发送器,提供用于在传输介质上与各种其他装置通信的单元。经处理器1701处理的数据通过收发机1702进行传输,进一步,收发机1702还接收数据并将数据传送给处理器1701。In FIG. 17, a bus architecture (represented by bus 1700), which may include any number of interconnected buses and bridges, will include one or more processors represented by processor 1701 and memory represented by memory 1704. The various circuits are linked together. The bus 1700 can also link various other circuits, such as peripherals, voltage regulators, and power management circuits, as is well known in the art, and therefore, will not be further described herein. Bus interface 1703 provides an interface between bus 1700 and transceiver 1702. The transceiver 1702 can be an element or a plurality of elements, such as a plurality of receivers and transmitters, providing means for communicating with various other devices on a transmission medium. Data processed by processor 1701 is transmitted by transceiver 1702. Further, transceiver 1702 also receives data and transmits the data to processor 1701.
处理器1701负责管理总线1700和通常的处理,还可以提供各种功能,包括定时,外围接口,电压调节、电源管理以及其他控制功能。而存储器1704可以被用于存储处理器1701在执行操作时所使用的数据。The processor 1701 is responsible for managing the bus 1700 and the usual processing, and can also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions. The memory 1704 can be used to store data used by the processor 1701 in performing operations.
可选的,处理器1701可以是CPU、ASIC、FPGA或CPLD。 Optionally, the processor 1701 may be a CPU, an ASIC, an FPGA, or a CPLD.
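As an added example that is not part of the patent, the following Python model plays the PDP procedure of the FIG. 16 and FIG. 17 embodiments end to end: the PEP generates the decision request (return result indication plus filter conditions) from an authorization decision resource, the PDP derives a policy request for the PRP and an information request for the PIP from it, combines the returned policies with the merge algorithm the PRP names, and answers with only the parameters the PEP asked for. The policy contents, role data, attribute names and the two merge algorithm identifiers are constructed for illustration; the patent fixes no wire format.

```python
"""Added example, not code from the patent: a minimal model of the
PEP -> PDP -> PRP/PIP exchange. All data below is constructed."""

# Constructed PRP data: access control policies, each applicable to a
# target address prefix, listing the operations and roles it covers.
PRP_POLICIES = [
    {"target": "/sensors/", "operations": {"Retrieve"}, "roles": {"viewer", "admin"},
     "effect": "Permit", "allowedAttributes": ["temperature", "humidity"]},
    {"target": "/sensors/", "operations": {"Update", "Delete"}, "roles": {"admin"},
     "effect": "Permit", "allowedAttributes": ["temperature", "humidity", "calibration"]},
    {"target": "/sensors/private/", "operations": {"Retrieve"}, "roles": {"viewer"},
     "effect": "Deny", "allowedAttributes": []},
]
PRP_MERGE_ALGORITHM = "deny-overrides"  # value of the merge algorithm attribute
# Constructed PIP data: role resources issued to each resource access initiator.
PIP_ROLES = {"alice": {"viewer"}, "bob": {"viewer", "admin"}}


def prp_handle(policy_request):
    """PRP: select policies by the target attribute in the filter condition and
    return only the parameters named in the return result indication."""
    target = policy_request["filter"]["target"]
    matched = [p for p in PRP_POLICIES if target.startswith(p["target"])]
    available = {"policy": matched, "mergeAlgorithm": PRP_MERGE_ALGORITHM}
    return {k: available[k] for k in policy_request["return"]}


def pip_handle(info_request):
    """PIP: return the role resources issued to the initiator named in the filter."""
    initiator = info_request["filter"]["originator"]
    available = {"role": PIP_ROLES.get(initiator, set())}
    return {k: available[k] for k in info_request["return"]}


def merge_effects(effects, algorithm):
    """Combine the effects of all applicable policies with the named algorithm."""
    if not effects:
        return "NotApplicable"
    if algorithm == "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit"
    if algorithm == "permit-overrides":
        return "Permit" if "Permit" in effects else "Deny"
    raise ValueError(f"unknown merge algorithm: {algorithm}")


def pdp_decide(decision_request):
    """PDP: build the policy request (to the PRP) and the information request
    (to the PIP) from the decision request's filter conditions, decide, and
    answer with only the parameters listed in the return result indication."""
    filt = decision_request["filter"]
    policy_resp = prp_handle({"return": ["policy", "mergeAlgorithm"],
                              "filter": {"target": filt["target"],
                                         "originator": filt["originator"]}})
    info_resp = pip_handle({"return": ["role"],
                            "filter": {"originator": filt["originator"]}})
    # Roles come from the PIP, plus any role identifiers the PEP forwarded.
    roles = info_resp["role"] | set(filt.get("roleIDs", []))
    applicable = [p for p in policy_resp["policy"]
                  if filt["operation"] in p["operations"] and roles & p["roles"]]
    decision = merge_effects([p["effect"] for p in applicable],
                             policy_resp["mergeAlgorithm"])
    allowed = []  # attribute names of the target resource the PEP may expose
    if decision == "Permit":
        for p in applicable:
            allowed += [a for a in p["allowedAttributes"] if a not in allowed]
    # The status attribute carries errors from the decision process.
    status = "OK" if applicable else "no applicable policy for request"
    info = {"decision": decision, "allowedAttributes": allowed, "status": status}
    return {k: info[k] for k in decision_request["return"]}


def pep_request(initiator, operation, target, requester_ip="192.0.2.10"):
    """PEP: generate the access control decision request from the authorization
    decision resource and hand it to the PDP. Time and IP are constructed."""
    request = {"return": ["decision", "allowedAttributes", "status"],
               "filter": {"target": target, "originator": initiator,
                          "operation": operation, "requesterIP": requester_ip,
                          "requestTime": "2017-04-10T08:00:00Z"}}
    return pdp_decide(request)


if __name__ == "__main__":
    for who, op, res in [("alice", "Retrieve", "/sensors/room1"),
                         ("alice", "Retrieve", "/sensors/private/vault"),
                         ("alice", "Update", "/sensors/room1"),
                         ("bob", "Update", "/sensors/room1")]:
        print(who, op, res, "->", pep_request(who, op, res))
```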
The present application is described with reference to flowcharts and/or block diagrams of methods, apparatuses (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present application have been described, those skilled in the art, once they learn the basic inventive concept, can make further changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present application.
Obviously, those skilled in the art can make various changes and variations to the present application without departing from the spirit and scope of the present application. Thus, if these modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to encompass these changes and variations.

Claims (50)

  1. A resource access control method, comprising:
    receiving, by a policy decision point PDP, an access control decision request sent by a policy enforcement point PEP, the access control decision request being generated by the PEP according to an authorization decision resource;
    making, by the PDP, an access control decision according to the access control decision request to obtain access control decision information; and
    carrying, by the PDP, the access control decision information in an access control decision response sent to the PEP.
  2. The method according to claim 1, wherein the access control decision request contains:
    return result indication information, used to indicate the parameters that the access control decision request requests to be returned, the return result indication information being generated according to attributes and/or sub-resources of the authorization decision resource; and/or
    a resource access filter condition, used to indicate the filter condition of the resource operation, the resource access filter condition being generated according to attributes and/or sub-resources of the authorization decision resource.
  3. The method according to claim 2, wherein the attributes of the authorization decision resource used to generate the return result indication information include one or any combination of the following:
    a decision attribute, used to carry access control decision information;
    an allowed-access attributes attribute, used to carry the attribute names of the target resource that are allowed to be accessed, the target resource being the target resource that the resource access initiator requests to access;
    an allowed-access resource types attribute, used to carry the sub-resource type identifiers of the target resource that are allowed to be accessed, the target resource being the target resource that the resource access initiator requests to access;
    a status attribute, used to carry a description of errors that occur during the access control decision process.
  4. The method according to claim 2, wherein the attributes of the authorization decision resource used to generate the resource access filter condition include one or any combination of the following:
    a target attribute, used to carry the resource address of the target resource that the resource access initiator requests to access;
    an initiator attribute, used to carry the identifier of the resource access initiator;
    an operation attribute, used to carry the identifier of the operation that the resource access initiator performs on the target resource it requests to access;
    a content attribute, used to carry the specific content of the target resource that the resource access initiator requests to access;
    a filter condition usage attribute, used to carry the parameter in the resource access filter condition provided by the resource access initiator that indicates the purpose of the filter condition;
    a role identifier attribute, used to carry a set of identifiers of roles issued to the resource access initiator;
    a token identifier attribute, used to carry a set of identifiers of tokens carrying authorization information issued to the resource access initiator;
    a token attribute, used to carry a set of tokens carrying authorization information issued to the resource access initiator;
    a request time attribute, used to carry the time at which the PEP received the resource access request sent by the resource access initiator;
    a location attribute, used to carry the location of the resource access initiator;
    a requester IP address attribute, used to carry the IP address carried in the resource access request sent by the resource access initiator.
  5. The method according to claim 1, wherein before the PDP makes the access control decision according to the access control decision request, the method further comprises:
    sending, by the PDP according to the access control decision request, an access control policy request to a policy retrieval point PRP, the access control policy request being generated by the PDP according to an authorization policy resource;
    receiving, by the PDP, an access control policy response returned by the PRP, the access control policy response containing the access control policy obtained by the PRP according to the access control decision request;
    and the making of the access control decision comprises:
    making the access control decision according to the obtained access control policy.
  6. The method according to claim 5, wherein the access control policy request contains:
    return result indication information, used to indicate the parameters that the access control policy request requests to be returned, the return result indication information being generated according to attributes and/or sub-resources of the authorization policy resource; and/or
    a resource access filter condition, used to indicate the filter condition of the resource operation, the resource access filter condition being generated according to attributes and/or sub-resources of the authorization policy resource.
  7. The method according to claim 6, wherein the attributes of the authorization policy resource used to generate the return result indication information include one or any combination of the following:
    a policy attribute, used to carry the access control policies applicable to the target resource that the resource access initiator requests to access;
    a merge algorithm attribute, used to carry the identifier of the policy merge algorithm used to combine the multiple access control policies in the policy attribute.
  8. The method according to claim 6, wherein the attributes of the authorization policy resource used to generate the resource access filter condition include one or any combination of the following:
    a target attribute, used to carry the resource address of the target resource that the resource access initiator requests to access;
    an initiator attribute, used to carry the identifier of the resource access initiator.
  9. The method according to claim 1, wherein before the PDP makes the access control decision according to the access control decision request, the method further comprises:
    sending, by the PDP according to the access control decision request, an access control information request to a policy information point PIP, the access control information request being generated by the PDP according to an authorization information resource;
    receiving, by the PDP, an access control information response returned by the PIP, the access control information response containing the access control information obtained by the PIP according to the access control information request;
    and the making of the access control decision comprises:
    making the access control decision according to the obtained access control information.
  10. The method according to claim 9, wherein the access control information request contains:
    return result indication information, used to indicate the parameters that the access control information request requests to be returned, the return result indication information being generated according to attributes and/or sub-resources of the authorization information resource; and/or
    a resource access filter condition, used to indicate the filter condition of the resource operation, the resource access filter condition being generated according to attributes and/or sub-resources of the authorization information resource.
  11. The method according to claim 10, wherein the attributes of the authorization information resource used to generate the resource access filter condition include one or any combination of the following:
    an initiator attribute: used to carry the identifier of the resource access initiator;
    a role identifier attribute: used to carry a set of identifiers of roles issued to the resource access initiator;
    a token identifier attribute: used to carry a set of identifiers of tokens carrying authorization information issued to the resource access initiator.
  12. The method according to claim 10, wherein the sub-resources of the authorization information resource used to generate the return result indication information include one or any combination of the following:
    a role resource: used to carry a set of role resources issued to the resource access initiator;
    a token resource: used to carry a set of token resources issued to the resource access initiator.
  13. A resource access control method, comprising:
    receiving, by a policy decision point PDP, an access control decision request sent by a policy enforcement point PEP;
    sending, by the PDP according to the access control decision request, an access control policy request to a policy retrieval point PRP, the access control policy request being generated by the PDP according to an authorization policy resource;
    receiving, by the PDP, an access control policy response returned by the PRP, the access control policy response containing the access control policy obtained by the PRP according to the access control decision request;
    making, by the PDP, an access control decision according to the obtained access control policy to obtain access control decision information; and
    carrying, by the PDP, the access control decision information in an access control decision response sent to the PEP.
  14. The method according to claim 13, wherein the access control policy request contains:
    return result indication information, used to indicate the parameters that the access control policy request requests to be returned, the return result indication information being generated according to attributes and/or sub-resources of the authorization policy resource; and/or
    a resource access filter condition, used to indicate the filter condition of the resource operation, the resource access filter condition being generated according to attributes and/or sub-resources of the authorization policy resource.
  15. The method according to claim 14, wherein the attributes of the authorization policy resource used to generate the return result indication information include one or any combination of the following:
    a policy attribute, used to carry the access control policies applicable to the target resource that the resource access initiator requests to access;
    a merge algorithm attribute, used to carry the identifier of the policy merge algorithm used to combine the multiple access control policies in the policy attribute.
  16. The method according to claim 14, wherein the attributes of the authorization policy resource used to generate the resource access filter condition include one or any combination of the following:
    a target attribute, used to carry the resource address of the target resource that the resource access initiator requests to access;
    an initiator attribute, used to carry the identifier of the resource access initiator.
  17. A resource access control method, comprising:
    receiving, by a policy decision point PDP, an access control decision request sent by a policy enforcement point PEP;
    sending, by the PDP according to the access control decision request, an access control information request to a policy information point PIP, the access control information request being generated by the PDP according to an authorization information resource;
    receiving, by the PDP, an access control information response returned by the PIP, the access control information response containing the access control information obtained by the PIP according to the access control information request;
    making, by the PDP, an access control decision according to the obtained access control information to obtain access control decision information; and
    carrying, by the PDP, the access control decision information in an access control decision response sent to the PEP.
  18. The method according to claim 17, wherein the access control information request contains:
    return result indication information, used to indicate the parameters that the access control information request requests to be returned, the return result indication information being generated according to attributes and/or sub-resources of the authorization information resource; and/or
    a resource access filter condition, used to indicate the filter condition of the resource operation, the resource access filter condition being generated according to attributes and/or sub-resources of the authorization information resource.
  19. The method according to claim 18, wherein the attributes of the authorization information resource used to generate the resource access filter condition include one or any combination of the following:
    an initiator attribute: used to carry the identifier of the resource access initiator;
    a role identifier attribute: used to carry a set of identifiers of roles issued to the resource access initiator;
    a token identifier attribute: used to carry a set of identifiers of tokens carrying authorization information issued to the resource access initiator.
  20. The method according to claim 18, wherein the sub-resources of the authorization information resource used to generate the return result indication information include one or any combination of the following:
    a role resource: used to carry a set of role resources issued to the resource access initiator;
    a token resource: used to carry a set of token resources issued to the resource access initiator.
  21. 一种策略决策点PDP设备,其特征在于,包括:A policy decision point PDP device, comprising:
    接收模块,用于接收策略执行点PEP发送的访问控制决策请求,所述访问控制决策请求由所述PEP根据授权决策资源生成;a receiving module, configured to receive an access control decision request sent by a policy enforcement point PEP, where the access control decision request is generated by the PEP according to an authorization decision resource;
    决策模块,用于根据所述访问控制决策请求进行访问控制决策,得到访问控制决策信息;a decision module, configured to perform an access control decision according to the access control decision request, and obtain access control decision information;
    发送模块,用于将所述访问控制决策信息携带于访问控制决策响应发送给所述PEP。And a sending module, configured to send the access control decision information to the access control decision response and send the response to the PEP.
  22. 如权利要求21所述的设备,其特征在于,所述访问控制决策请求中包含:The device according to claim 21, wherein said access control decision request comprises:
    返回结果指示信息,用于指示所述访问控制决策请求所请求返回的参数,所述返回结果指示信息根据所述授权决策资源的属性和/或子资源生成;和/或,Returning result indication information, configured to indicate a parameter returned by the access control decision request, where the return result indication information is generated according to attributes and/or sub-resources of the authorization decision resource; and/or,
    资源访问过滤条件,用于指示资源操作的过滤条件,所述资源访问过滤条件根据所述授权决策资源的属性和/或子资源生成。The resource access filter condition is used to indicate a filter condition of the resource operation, and the resource access filter condition is generated according to the attribute and/or the sub-resource of the authorization decision resource.
  23. 如权利要求22所述的设备,其特征在于,所述授权决策资源中用于生成返回结果指示信息的属性包括以下之一或任意组合:The device according to claim 22, wherein the attribute for generating the return result indication information in the authorization decision resource comprises one or any combination of the following:
    决策属性,用于承载访问控制决策信息;Decision attribute for carrying access control decision information;
    允许访问的属性,用于承载允许访问的目标资源的属性名称,所述目标资源为资源访问发起方请求访问的目标资源;An attribute that is allowed to be accessed, and is used to carry an attribute name of a target resource that is allowed to access, and the target resource is a target resource that the resource access initiator requests to access;
    允许访问的资源类型,用于承载允许访问的目标资源的子资源类型标识,所述目标资源为资源访问发起方请求访问的目标资源;a resource type that is allowed to be accessed, and is used to carry a sub-resource type identifier of a target resource that is allowed to be accessed, where the target resource is a target resource that the resource access initiator requests to access;
    状态属性,用于承载描述访问控制决策过程出现的错误;State attribute, used to carry errors describing the access control decision process;
    所述授权决策资源中用于生成资源访问过滤条件的属性包括以下之一或任意组合:The attributes used in the authorization decision resource to generate the resource access filter condition include one or any combination of the following:
    目标属性,用于承载资源访问发起方请求访问的目标资源的资源地址;a target attribute, configured to carry a resource address of a target resource that the resource access initiator requests to access;
    发起方属性,用于承载资源访问发起方的标识;Initiator attribute, used to carry the identifier of the resource access initiator;
    操作属性,用于承载资源访问发起方对请求访问的目标资源的操作标识;An operation attribute, configured to carry an operation identifier of the target resource to which the resource access initiator accesses the request;
    内容属性,用于承载资源访问发起方请求访问的目标资源的具体内容;a content attribute, which is used to carry a specific content of a target resource that the resource accessing the initiator requests to access;
    过滤条件用途属性,用于承载资源访问发起方提供的资源访问过滤条件中表示过滤条件用途的参数;The filter attribute usage attribute is used to carry the parameter indicating the use of the filter condition in the resource access filter condition provided by the resource access initiator;
    角色标识属性,用于承载一组颁发给资源访问发起方的角色的标识;A role identification attribute, which is used to carry a set of identifiers issued to the role of the resource access initiator;
    令牌标识属性,用于承载一组颁发给资源访问发起方的携带有授权信息的令牌的标识;a token identifier attribute, configured to carry a set of identifiers of tokens carrying authorization information issued to the resource access initiator;
    令牌属性,用于承载一组颁发给资源访问发起方的携带有授权信息的令牌; a token attribute, configured to carry a set of tokens that are issued to the resource access initiator and carry the authorization information;
    请求时间属性,用于承载所述PEP接收到资源访问发起方发送的资源访问请求的时间;a request time attribute, configured to carry a time when the PEP receives the resource access request sent by the resource access initiator;
    位置属性,用于承载资源访问发起方的位置;Location attribute, used to carry the location of the resource access initiator;
    请求方IP地址属性,用于承载资源访问发起方发送的资源访问请求中携带的IP地址。The IP address of the requesting party is used to carry the IP address carried in the resource access request sent by the resource access initiator.
  24. 如权利要求21所述的设备,其特征在于,还包括:The device of claim 21, further comprising:
    第一获取模块,用于根据所述访问控制决策请求,向策略获取点PRP发送访问控制策略请求,所述访问控制策略请求由所述PDP根据授权策略资源生成;接收所述PRP返回的访问控制策略响应,所述访问控制策略响应中包含所述PRP根据所述访问控制决策请求获取到的访问控制策略;a first obtaining module, configured to send, according to the access control decision request, an access control policy request to a policy acquisition point PRP, where the access control policy request is generated by the PDP according to an authorization policy resource; and receiving an access control returned by the PRP a policy response, where the access control policy response includes an access control policy obtained by the PRP according to the access control decision request;
    所述决策模块具体用于:根据所述第一获取模块获取到的访问控制策略进行访问控制决策。The decision module is specifically configured to: perform an access control decision according to the access control policy acquired by the first obtaining module.
  25. The device according to claim 24, wherein the access control policy request contains:
    return-result indication information, used to indicate the parameters that the access control policy request asks to have returned, the return-result indication information being generated according to attributes and/or sub-resources of the authorization policy resource; and/or
    a resource access filter condition, used to indicate a filter condition for the resource operation, the resource access filter condition being generated according to attributes and/or sub-resources of the authorization policy resource.
  26. The device according to claim 25, wherein the attributes of the authorization policy resource used to generate the return-result indication information comprise one or any combination of the following:
    a policy attribute, used to carry the access control policies applicable to the target resource that the resource access initiator requests to access;
    a combining algorithm attribute, used to carry the identifier of the policy combining algorithm used to combine the multiple access control policies in the policy attribute;
    and the attributes of the authorization policy resource used to generate the resource access filter condition comprise one or any combination of the following:
    a target attribute, used to carry the resource address of the target resource that the resource access initiator requests to access;
    an initiator attribute, used to carry the identifier of the resource access initiator.
  27. The device according to claim 21, further comprising:
    a second obtaining module, configured to send, according to the access control decision request, an access control information request to a policy information point PIP, the access control information request being generated by the PDP according to an authorization information resource, and to receive an access control information response returned by the PIP, the access control information response containing the access control information obtained by the PIP according to the access control information request;
    wherein the decision module is specifically configured to perform the access control decision according to the access control information obtained by the second obtaining module.
  28. The device according to claim 27, wherein the access control information request contains:
    return-result indication information, used to indicate the parameters that the access control information request asks to have returned, the return-result indication information being generated according to attributes and/or sub-resources of the authorization information resource; and/or
    a resource access filter condition, used to indicate a filter condition for the resource operation, the resource access filter condition being generated according to attributes and/or sub-resources of the authorization information resource.
  29. The device according to claim 28, wherein the attributes of the authorization information resource used to generate the resource access filter condition comprise one or any combination of the following:
    an initiator attribute, used to carry the identifier of the resource access initiator;
    a role identifier attribute, used to carry the identifiers of a set of roles issued to the resource access initiator;
    a token identifier attribute, used to carry the identifiers of a set of tokens carrying authorization information that were issued to the resource access initiator;
    and the sub-resources of the authorization information resource used to generate the return-result indication information comprise one or any combination of the following:
    a role resource, used to carry a set of role resources issued to the resource access initiator;
    a token resource, used to carry a set of token resources issued to the resource access initiator.
  30. A policy decision point PDP device, comprising:
    a receiving module, configured to receive an access control decision request sent by a policy enforcement point PEP;
    an obtaining module, configured to send, according to the access control decision request, an access control policy request to a policy retrieval point PRP, the access control policy request being generated by the PDP according to an authorization policy resource, and to receive an access control policy response returned by the PRP, the access control policy response containing the access control policy obtained by the PRP according to the access control decision request;
    a decision module, configured to perform an access control decision according to the obtained access control policy, to obtain access control decision information;
    and a sending module, configured to send the access control decision information to the PEP, carried in an access control decision response.
  31. The device according to claim 30, wherein the access control policy request contains:
    return-result indication information, used to indicate the parameters that the access control policy request asks to have returned, the return-result indication information being generated according to attributes and/or sub-resources of the authorization policy resource; and/or
    a resource access filter condition, used to indicate a filter condition for the resource operation, the resource access filter condition being generated according to attributes and/or sub-resources of the authorization policy resource.
  32. The device according to claim 31, wherein the attributes of the authorization policy resource used to generate the return-result indication information comprise one or any combination of the following:
    a policy attribute, used to carry the access control policies applicable to the target resource that the resource access initiator requests to access;
    a combining algorithm attribute, used to carry the identifier of the policy combining algorithm used to combine the multiple access control policies in the policy attribute;
    and the attributes of the authorization policy resource used to generate the resource access filter condition comprise one or any combination of the following:
    a target attribute, used to carry the resource address of the target resource that the resource access initiator requests to access;
    an initiator attribute, used to carry the identifier of the resource access initiator.
  33. A policy decision point PDP device, comprising:
    a receiving module, configured to receive an access control decision request sent by a policy enforcement point PEP;
    an obtaining module, configured to send, according to the access control decision request, an access control information request to a policy information point PIP, the access control information request being generated by the PDP according to an authorization information resource, and to receive an access control information response returned by the PIP, the access control information response containing the access control information obtained by the PIP according to the access control information request;
    a decision module, configured to perform an access control decision according to the obtained access control information, to obtain access control decision information;
    and a sending module, configured to send the access control decision information to the PEP, carried in an access control decision response.
  34. The device according to claim 33, wherein the access control information request contains:
    return-result indication information, used to indicate the parameters that the access control information request asks to have returned, the return-result indication information being generated according to attributes and/or sub-resources of the authorization information resource; and/or
    a resource access filter condition, used to indicate a filter condition for the resource operation, the resource access filter condition being generated according to attributes and/or sub-resources of the authorization information resource.
  35. The device according to claim 34, wherein the attributes of the authorization information resource used to generate the resource access filter condition comprise one or any combination of the following:
    an initiator attribute, used to carry the identifier of the resource access initiator;
    a role identifier attribute, used to carry the identifiers of a set of roles issued to the resource access initiator;
    a token identifier attribute, used to carry the identifiers of a set of tokens carrying authorization information that were issued to the resource access initiator;
    and the sub-resources of the authorization information resource used to generate the return-result indication information comprise one or any combination of the following:
    a role resource, used to carry a set of role resources issued to the resource access initiator;
    a token resource, used to carry a set of token resources issued to the resource access initiator.
  36. A policy decision point PDP device, comprising:
    a processor, configured to transmit and receive data via a transceiver and to read a program in a memory in order to perform the following process:
    receiving an access control decision request sent by a policy enforcement point PEP, the access control decision request being generated by the PEP according to an authorization decision resource; performing an access control decision according to the access control decision request, to obtain access control decision information; and sending the access control decision information to the PEP, carried in an access control decision response;
    and a transceiver, configured to receive and transmit data under control of the processor.
  37. The device according to claim 36, wherein the access control decision request contains:
    return-result indication information, used to indicate the parameters that the access control decision request asks to have returned, the return-result indication information being generated according to attributes and/or sub-resources of the authorization decision resource; and/or
    a resource access filter condition, used to indicate a filter condition for the resource operation, the resource access filter condition being generated according to attributes and/or sub-resources of the authorization decision resource.
  38. The device according to claim 37, wherein the attributes of the authorization decision resource used to generate the return-result indication information comprise one or any combination of the following:
    a decision attribute, used to carry the access control decision information;
    a permitted-attributes attribute, used to carry the attribute names of the target resource that are permitted to be accessed, the target resource being the target resource that the resource access initiator requests to access;
    a permitted-resource-types attribute, used to carry the sub-resource type identifiers of the target resource that are permitted to be accessed, the target resource being the target resource that the resource access initiator requests to access;
    a status attribute, used to carry a description of errors that occurred during the access control decision process;
    and the attributes of the authorization decision resource used to generate the resource access filter condition comprise one or any combination of the following:
    a target attribute, used to carry the resource address of the target resource that the resource access initiator requests to access;
    an initiator attribute, used to carry the identifier of the resource access initiator;
    an operation attribute, used to carry the identifier of the operation that the resource access initiator requests to perform on the target resource;
    a content attribute, used to carry the specific content of the target resource that the resource access initiator requests to access;
    a filter-condition purpose attribute, used to carry the parameter, within the resource access filter condition provided by the resource access initiator, that indicates the purpose of the filter condition;
    a role identifier attribute, used to carry the identifiers of a set of roles issued to the resource access initiator;
    a token identifier attribute, used to carry the identifiers of a set of tokens carrying authorization information that were issued to the resource access initiator;
    a token attribute, used to carry a set of tokens carrying authorization information that were issued to the resource access initiator;
    a request time attribute, used to carry the time at which the PEP received the resource access request sent by the resource access initiator;
    a location attribute, used to carry the location of the resource access initiator;
    a requester IP address attribute, used to carry the IP address carried in the resource access request sent by the resource access initiator.
  39. The device according to claim 36, wherein the processor is further configured to:
    send, according to the access control decision request, an access control policy request to a policy retrieval point PRP, the access control policy request being generated by the PDP according to an authorization policy resource; receive an access control policy response returned by the PRP, the access control policy response containing the access control policy obtained by the PRP according to the access control decision request;
    and perform the access control decision according to the access control policy obtained by the first obtaining module.
  40. The device according to claim 39, wherein the access control policy request contains:
    return-result indication information, used to indicate the parameters that the access control policy request asks to have returned, the return-result indication information being generated according to attributes and/or sub-resources of the authorization policy resource; and/or
    a resource access filter condition, used to indicate a filter condition for the resource operation, the resource access filter condition being generated according to attributes and/or sub-resources of the authorization policy resource.
  41. The device according to claim 40, wherein the attributes of the authorization policy resource used to generate the return-result indication information comprise one or any combination of the following:
    a policy attribute, used to carry the access control policies applicable to the target resource that the resource access initiator requests to access;
    a combining algorithm attribute, used to carry the identifier of the policy combining algorithm used to combine the multiple access control policies in the policy attribute;
    and the attributes of the authorization policy resource used to generate the resource access filter condition comprise one or any combination of the following:
    a target attribute, used to carry the resource address of the target resource that the resource access initiator requests to access;
    an initiator attribute, used to carry the identifier of the resource access initiator.
  42. The device according to claim 36, wherein the processor is further configured to:
    send, according to the access control decision request, an access control information request to a policy information point PIP, the access control information request being generated by the PDP according to an authorization information resource; receive an access control information response returned by the PIP, the access control information response containing the access control information obtained by the PIP according to the access control information request;
    and perform the access control decision according to the access control information obtained by the second obtaining module.
  43. The device according to claim 42, wherein the access control information request contains:
    return-result indication information, used to indicate the parameters that the access control information request asks to have returned, the return-result indication information being generated according to attributes and/or sub-resources of the authorization information resource; and/or
    a resource access filter condition, used to indicate a filter condition for the resource operation, the resource access filter condition being generated according to attributes and/or sub-resources of the authorization information resource.
  44. The device according to claim 43, wherein the attributes of the authorization information resource used to generate the resource access filter condition comprise one or any combination of the following:
    an initiator attribute, used to carry the identifier of the resource access initiator;
    a role identifier attribute, used to carry the identifiers of a set of roles issued to the resource access initiator;
    a token identifier attribute, used to carry the identifiers of a set of tokens carrying authorization information that were issued to the resource access initiator;
    and the sub-resources of the authorization information resource used to generate the return-result indication information comprise one or any combination of the following:
    a role resource, used to carry a set of role resources issued to the resource access initiator;
    a token resource, used to carry a set of token resources issued to the resource access initiator.
  45. A policy decision point PDP device, comprising:
    a processor, configured to transmit and receive data via a transceiver and to read a program in a memory in order to perform the following process:
    receiving an access control decision request sent by a policy enforcement point PEP; sending, according to the access control decision request, an access control policy request to a policy retrieval point PRP, the access control policy request being generated by the PDP according to an authorization policy resource; receiving an access control policy response returned by the PRP, the access control policy response containing the access control policy obtained by the PRP according to the access control decision request; performing an access control decision according to the obtained access control policy, to obtain access control decision information; and sending the access control decision information to the PEP, carried in an access control decision response;
    and a transceiver, configured to receive and transmit data under control of the processor.
  46. The device according to claim 45, wherein the access control policy request contains:
    return-result indication information, used to indicate the parameters that the access control policy request asks to have returned, the return-result indication information being generated according to attributes and/or sub-resources of the authorization policy resource; and/or
    a resource access filter condition, used to indicate a filter condition for the resource operation, the resource access filter condition being generated according to attributes and/or sub-resources of the authorization policy resource.
  47. The device according to claim 46, wherein the attributes of the authorization policy resource used to generate the return-result indication information comprise one or any combination of the following:
    a policy attribute, used to carry the access control policies applicable to the target resource that the resource access initiator requests to access;
    a combining algorithm attribute, used to carry the identifier of the policy combining algorithm used to combine the multiple access control policies in the policy attribute;
    and the attributes of the authorization policy resource used to generate the resource access filter condition comprise one or any combination of the following:
    a target attribute, used to carry the resource address of the target resource that the resource access initiator requests to access;
    an initiator attribute, used to carry the identifier of the resource access initiator.
  48. A policy decision point PDP device, comprising:
    a processor, configured to transmit and receive data via a transceiver and to read a program in a memory in order to perform the following process:
    receiving an access control decision request sent by a policy enforcement point PEP; sending, according to the access control decision request, an access control information request to a policy information point PIP, the access control information request being generated by the PDP according to an authorization information resource; receiving an access control information response returned by the PIP, the access control information response containing the access control information obtained by the PIP according to the access control information request; performing an access control decision according to the obtained access control information, to obtain access control decision information; and sending the access control decision information to the PEP, carried in an access control decision response;
    and a transceiver, configured to receive and transmit data under control of the processor.
  49. The device according to claim 48, wherein the access control information request contains:
    return-result indication information, used to indicate the parameters that the access control information request asks to have returned, the return-result indication information being generated according to attributes and/or sub-resources of the authorization information resource; and/or
    a resource access filter condition, used to indicate a filter condition for the resource operation, the resource access filter condition being generated according to attributes and/or sub-resources of the authorization information resource.
  50. The device according to claim 49, wherein the attributes of the authorization information resource used to generate the resource access filter condition comprise one or any combination of the following:
    an initiator attribute, used to carry the identifier of the resource access initiator;
    a role identifier attribute, used to carry the identifiers of a set of roles issued to the resource access initiator;
    a token identifier attribute, used to carry the identifiers of a set of tokens carrying authorization information that were issued to the resource access initiator;
    and the sub-resources of the authorization information resource used to generate the return-result indication information comprise one or any combination of the following:
    a role resource, used to carry a set of role resources issued to the resource access initiator;
    a token resource, used to carry a set of token resources issued to the resource access initiator.
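The PEP-to-PDP-to-PRP/PIP exchange claimed above (claims 36 to 50), written out as an added toy Python example that is not part of the patent: the decision request carries the filter-condition attributes (target, initiator, operation, request time, requester IP) and a return-result indication, the PDP pulls the policy attribute and combining algorithm attribute from a PRP and the role resource from a PIP, combines the matching policies, and returns only the decision-resource attributes that were asked for. The store contents, rule shapes, the hour-of-day deny rule, the initiator identifiers and the fail-closed handling of unknown targets and algorithms are all constructed assumptions.

```python
"""Toy policy decision point (PDP) modelled on the claims above. Every store,
rule and identifier is constructed sample data, not taken from the patent."""
from dataclasses import dataclass, field

# Constructed PRP contents: authorization policy resources keyed by target address.
# Each rule names the roles and operations it applies to and its effect; "attrs"
# lists the target attributes a permit rule exposes (the permitted-attributes attribute).
PRP_STORE = {
    "/home/thermostat": {
        "policies": [
            {"roles": {"owner"}, "ops": {"retrieve", "update"}, "effect": "permit",
             "attrs": {"temperature", "schedule"}},
            {"roles": {"guest"}, "ops": {"retrieve"}, "effect": "permit",
             "attrs": {"temperature"}},
            {"hours": range(0, 6), "ops": {"update"}, "effect": "deny"},  # no updates 00:00-05:59
        ],
        "combiningAlgorithm": "deny-overrides",
    },
}
# Constructed PIP contents: authorization information resources keyed by initiator id.
PIP_STORE = {
    "app-42": {"roles": {"owner"}, "tokens": {"tok-1"}},
    "app-99": {"roles": {"guest"}, "tokens": set()},
}

# Policy combining algorithms, keyed by the identifier the combining algorithm attribute carries.
# An empty effect list (no applicable rule) is treated as deny: fail closed.
COMBINING = {
    "deny-overrides": lambda effects: "deny" if "deny" in effects or not effects else "permit",
    "permit-overrides": lambda effects: "permit" if "permit" in effects else "deny",
}
ALL_RETURN_ITEMS = {"decision", "permittedAttributes", "status"}


@dataclass
class DecisionRequest:
    """Access control decision request built from the authorization decision resource."""
    target: str             # target attribute: address of the requested resource
    initiator: str          # initiator attribute: requester identifier
    operation: str          # operation attribute: retrieve / update / ...
    request_time_hour: int  # request time attribute (hour of day, for this example)
    requester_ip: str       # requester IP address attribute (carried, not evaluated here)
    return_items: set = field(default_factory=lambda: set(ALL_RETURN_ITEMS))  # return-result indication


def prp_query(target: str) -> dict:
    """Access control policy request to the PRP, filtered by the target attribute."""
    return PRP_STORE.get(target, {"policies": [], "combiningAlgorithm": "deny-overrides"})


def pip_query(initiator: str, sub_resources: set) -> dict:
    """Access control information request to the PIP: filter on the initiator
    attribute and return only the requested sub-resources (role / token resources)."""
    info = PIP_STORE.get(initiator, {"roles": set(), "tokens": set()})
    return {k: info[k] for k in sub_resources if k in info}


def rule_matches(rule: dict, roles: set, op: str, hour: int) -> bool:
    """A rule applies when its operation, role and time constraints are all met."""
    if op not in rule["ops"]:
        return False
    if "roles" in rule and not (rule["roles"] & roles):
        return False
    if "hours" in rule and hour not in rule["hours"]:
        return False
    return True


def decide(req: DecisionRequest) -> dict:
    """Return the authorization decision resource attributes named in the
    return-result indication. Unknown targets, rules or algorithms fail closed."""
    status = []
    policy_res = prp_query(req.target)
    info = pip_query(req.initiator, {"roles"})
    if not policy_res["policies"]:
        status.append("no applicable policy for target")
    matched = [r for r in policy_res["policies"]
               if rule_matches(r, info.get("roles", set()), req.operation, req.request_time_hour)]
    if policy_res["policies"] and not matched:
        status.append("no policy rule matched the request")
    combine = COMBINING.get(policy_res["combiningAlgorithm"])
    if combine is None:
        status.append("unknown combining algorithm")
        decision = "deny"
    else:
        decision = combine([r["effect"] for r in matched])
    permitted = set()
    if decision == "permit":
        for r in matched:
            if r["effect"] == "permit":
                permitted |= r.get("attrs", set())
    full = {"decision": decision, "permittedAttributes": permitted, "status": status}
    # Only the attributes the PEP asked for go into the decision response.
    return {k: v for k, v in full.items() if k in req.return_items}


if __name__ == "__main__":
    print(decide(DecisionRequest("/home/thermostat", "app-42", "update", 3, "192.0.2.10")))
```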
PCT/CN2017/079937 2016-04-18 2017-04-10 Resource access control method and apparatus WO2017181863A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610243763.8 2016-04-18
CN201610243763.8A CN107306247B (en) 2016-04-18 2016-04-18 Resource access control method and device

Publications (1)

Publication Number Publication Date
WO2017181863A1 true WO2017181863A1 (en) 2017-10-26

Family

ID=60115568

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/079937 WO2017181863A1 (en) 2016-04-18 2017-04-10 Resource access control method and apparatus

Country Status (2)

Country Link
CN (1) CN107306247B (en)
WO (1) WO2017181863A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110197075A (en) * 2018-04-11 2019-09-03 腾讯科技(深圳)有限公司 Resource access method, calculates equipment and storage medium at device
CN111241519A (en) * 2020-01-19 2020-06-05 北京工业大学 Certificate-based access control system and method

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109165516A (en) * 2018-08-14 2019-01-08 中国银联股份有限公司 A kind of access control method and device
CN111490966A (en) * 2019-01-28 2020-08-04 电信科学技术研究院有限公司 Processing method and device of access control policy and computer readable storage medium
CN111669386B (en) * 2020-05-29 2021-06-04 武汉理工大学 Access control method and device based on token and supporting object attribute

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130227638A1 (en) * 2012-02-27 2013-08-29 Axiomatics Ab Provisioning authorization claims using attribute-based access-control policies
WO2015080401A1 (en) * 2013-12-01 2015-06-04 엘지전자 주식회사 Method and apparatus for managing specific resource in wireless communication system
CN104811465A (en) * 2014-01-27 2015-07-29 电信科学技术研究院 Decision method for access control and equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104955153B (en) * 2015-05-29 2022-03-11 青岛海尔智能家电科技有限公司 Method, device and equipment for discovering resources

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110197075A (en) * 2018-04-11 2019-09-03 腾讯科技(深圳)有限公司 Resource access method, calculates equipment and storage medium at device
CN111241519A (en) * 2020-01-19 2020-06-05 北京工业大学 Certificate-based access control system and method
CN111241519B (en) * 2020-01-19 2022-07-26 北京工业大学 Certificate-based access control system and method

Also Published As

Publication number Publication date
CN107306247A (en) 2017-10-31
CN107306247B (en) 2020-09-01

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17785348

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 17785348

Country of ref document: EP

Kind code of ref document: A1