WO2017181863A1 - Method and apparatus for controlling access to resources - Google Patents

Method and apparatus for controlling access to resources

Info

Publication number: WO2017181863A1
Authority: WO, WIPO (PCT)
Prior art keywords: resource, access control, access, attribute, policy
Application number: PCT/CN2017/079937
Other languages: English (en), Chinese (zh)
Inventor: 周巍
Original assignee: 电信科学技术研究院
Application filed by 电信科学技术研究院
Publication of WO2017181863A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/40 Support for services or applications
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols

Definitions

  • the present application relates to the field of communications technologies, and in particular, to a resource access control method and apparatus.
  • oneM2M, the Internet of Things standardization organization, is committed to developing a series of technical specifications for constructing a common M2M (Machine-To-Machine) service layer.
  • the core of oneM2M is data sharing, which is realized by the sharing of data items on the resource tree defined in the oneM2M CSE (Common Services Entity).
  • oneM2M implements sharing and interaction of service layer resources by operating on a standardized resource tree.
  • the oneM2M resource tree exists in the CSE defined by the oneM2M system.
  • the form of the oneM2M resource tree is shown in Figure 1 according to the definition in the oneM2M functional architecture specification (oneM2M TS-0001: "Functional Architecture"). Operations such as Create, Retrieve, Update, and Delete can be performed on oneM2M resources.
  • the authorization-related resource among the resources defined by oneM2M is the access control policy resource <accessControlPolicy>, which defines an Access Control Policy (ACP).
  • the <accessControlPolicy> resource is uniquely identified by its resource ID, and other resources specify the applicable access control policy through the accessControlPolicyIDs attribute.
  • the security specification (oneM2M TS-0003: "Security Solutions") in the oneM2M series of specifications gives a high-level description of the oneM2M authorization architecture.
  • the main components and basic processes of the authorization architecture are given, but no specific implementation is given at the resource structure level.
  • the embodiment of the present application provides a resource access control method and apparatus, and a resource access control scheme is provided at a resource structure level.
  • the PDP performs an access control decision according to the access control decision request, and obtains access control decision information;
  • the PDP carries the access control decision information in the access control decision response and sends the response to the PEP.
  • the access control decision request includes:
  • return result indication information, configured to indicate the parameters requested to be returned by the access control decision request, where the return result indication information is generated according to attributes and/or sub-resources of the authorization decision resource; and/or,
  • a resource access filter condition, used to indicate a filter condition of the resource operation, where the resource access filter condition is generated according to attributes and/or sub-resources of the authorization decision resource.
  • the attributes of the authorization decision resource used for generating the return result indication information include one or any combination of the following:
  • an allowed resource type attribute, used to carry the sub-resource type identifiers of the target resource that are allowed to be accessed, where the target resource is the resource that the resource access initiator requests to access;
  • the attributes of the authorization decision resource used for generating the resource access filter condition include one or any combination of the following:
  • a target attribute, used to carry the resource address of the target resource that the resource access initiator requests to access;
  • an initiator attribute, used to carry the identifier of the resource access initiator;
  • an operation attribute, used to carry the identifier of the operation that the resource access initiator requests to perform on the target resource;
  • a content attribute, used to carry the specific content of the target resource that the resource access initiator requests to access;
  • a filter usage attribute, used to carry the parameter indicating how the filter condition supplied by the resource access initiator is used in the resource access filter condition;
  • a role identifier attribute, used to carry the set of identifiers of the roles issued to the resource access initiator;
  • a token identifier attribute, used to carry the set of identifiers of the tokens carrying authorization information issued to the resource access initiator;
  • a token attribute, used to carry the set of tokens issued to the resource access initiator that carry the authorization information;
  • a request time attribute, used to carry the time at which the PEP received the resource access request sent by the resource access initiator;
  • a requester IP address attribute, used to carry the IP address carried in the resource access request sent by the resource access initiator.
  • before the PDP performs the access control decision according to the access control decision request, the method further includes:
  • the PDP sends an access control policy request to the policy acquisition point PRP according to the access control decision request, where the access control policy request is generated by the PDP according to the authorization policy resource;
  • performing the access control decision includes:
  • the access control decision is made according to the obtained access control policy.
  • the access control policy request includes:
  • return result indication information, configured to indicate the parameters requested to be returned by the access control policy request, where the return result indication information is generated according to attributes and/or sub-resources of the authorization policy resource; and/or,
  • the resource access filter condition is used to indicate a filter condition of the resource operation, and the resource access filter condition is generated according to the attribute and/or the sub-resource of the authorization policy resource.
  • the attribute for generating the return result indication information in the authorization policy resource includes one or any combination of the following:
  • a policy attribute configured to carry an access control policy applicable to a target resource that the resource access initiator requests to access
  • the merge algorithm attribute is used to carry the identifier of the policy merge algorithm used by multiple access control policies in the merge policy attribute.
  • the attribute used to generate the resource access filter condition in the authorization policy resource includes one or any combination of the following:
  • a target attribute configured to carry a resource address of a target resource that the resource access initiator requests to access
  • an initiator attribute, used to carry the identifier of the resource access initiator.
  • before the PDP performs the access control decision according to the access control decision request, the method further includes:
  • performing the access control decision includes:
  • the access control decision is made according to the obtained access control information.
  • the access control information request includes:
  • return result indication information, configured to indicate the parameters requested to be returned by the access control information request, where the return result indication information is generated according to attributes and/or sub-resources of the authorization information resource; and/or,
  • the resource access filtering condition is used to indicate a filtering condition of the resource operation, and the resource access filtering condition is generated according to the attribute and/or the sub resource of the authorization information resource.
  • the attribute used to generate the resource access filtering condition in the authorization information resource includes one or any combination of the following:
  • an initiator attribute, used to carry the identifier of the resource access initiator;
  • a role identifier attribute, used to carry the set of identifiers of the roles issued to the resource access initiator;
  • a token identifier attribute, used to carry the set of identifiers of the tokens carrying authorization information issued to the resource access initiator.
  • the sub-resources of the authorization information resource used for generating the return result indication information include one or any combination of the following:
  • a role resource, used to host the set of role resources issued to the resource access initiator;
  • a token resource, used to host the set of token resources issued to the resource access initiator.
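The PEP to PDP to PRP/PIP exchange described in the steps above, as an added example that is not the patent's or oneM2M's own code: a PDP resolves the applicable rules and merge algorithm from a store standing in for the PRP, confirms the initiator's roles against a store standing in for the PIP, evaluates the filter attributes the page lists (target, initiator, operation, request time, requester IP, role identifiers) and returns only the result fields named in the return result indication. All attribute, role, target and algorithm names are constructed assumptions based on the page's wording; tokens and the content attribute are left out.

```python
"""Toy PEP -> PDP -> PRP/PIP exchange modelled on the page's description.
Attribute, role, target and algorithm names below are constructed assumptions
based on the page's wording, not the patent's or oneM2M's own identifiers."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DecisionRequest:
    """Built by the PEP from the authorization decision resource: the resource
    access filter attributes plus the return result indication (return_fields)."""
    target: str             # resource address of the target resource
    initiator: str          # identifier of the resource access initiator
    operation: str          # CREATE / RETRIEVE / UPDATE / DELETE
    request_time: int       # hour of day at which the PEP received the request
    requester_ip: str       # IP address carried in the resource access request
    role_ids: frozenset = frozenset()     # role identifiers asserted by the initiator
    return_fields: tuple = ("decision",)  # parameters the PEP asks the PDP to return


@dataclass(frozen=True)
class Rule:
    """One rule of an access control policy held by the PRP."""
    effect: str                           # "permit" or "deny"
    operations: frozenset
    initiators: frozenset = frozenset()   # empty: no initiator restriction
    roles: frozenset = frozenset()        # empty: no role requirement
    hours: tuple = (0, 24)                # [start, end) hour-of-day window
    ip_net: str = "0.0.0.0/0"             # requester IP must lie in this network
    child_types: frozenset = frozenset()  # sub-resource types the rule allows

    def matches(self, req, roles):
        restricted = bool(self.initiators or self.roles)
        if restricted and req.initiator not in self.initiators and not (self.roles & roles):
            return False
        return (req.operation in self.operations
                and self.hours[0] <= req.request_time < self.hours[1]
                and ip_address(req.requester_ip) in ip_network(self.ip_net))


# Constructed stores standing in for the PRP (rules and merge algorithm per
# target) and the PIP (roles issued to each initiator).
POLICY_STORE = {
    "/cse-01/app-sensor/data": ((
        Rule("permit", frozenset({"RETRIEVE"}), initiators=frozenset({"ae-reader"})),
        Rule("permit", frozenset({"CREATE", "RETRIEVE", "UPDATE", "DELETE"}),
             roles=frozenset({"site-admin"}), ip_net="10.0.0.0/8",
             child_types=frozenset({"contentInstance"})),
        Rule("deny", frozenset({"CREATE", "UPDATE", "DELETE"}), hours=(22, 24)),
    ), "deny-overrides"),
}
ROLE_STORE = {"ae-gateway": frozenset({"site-admin"})}


def prp_lookup(target, initiator):
    """Access control policy request: filtered on target (initiator is accepted
    as a filter attribute, but this toy store is keyed by target only); the return
    result is the applicable rules and the merge algorithm identifier."""
    return POLICY_STORE.get(target, ((), "deny-overrides"))


def pip_lookup(initiator):
    """Access control information request: filtered on initiator; the return
    result is the set of role identifiers issued to it."""
    return ROLE_STORE.get(initiator, frozenset())


def merge(effects, algorithm):
    """Combine per-rule effects; with no matching permit the result is deny."""
    if algorithm == "deny-overrides":
        return "deny" if "deny" in effects or "permit" not in effects else "permit"
    if algorithm == "permit-overrides":
        return "permit" if "permit" in effects else "deny"
    raise ValueError(f"unknown merge algorithm {algorithm!r}")


def pdp_decide(req):
    """PDP: fetch rules from the PRP and roles from the PIP, evaluate the request
    and return a decision response carrying only the requested result fields."""
    rules, algorithm = prp_lookup(req.target, req.initiator)
    pip_roles = pip_lookup(req.initiator)
    # Role identifiers asserted in the request count only if the PIP confirms them.
    roles = (pip_roles & req.role_ids) if req.role_ids else pip_roles
    matched = [r for r in rules if r.matches(req, roles)]
    decision = merge([r.effect for r in matched], algorithm)
    allowed = set()
    if decision == "permit":
        for r in matched:
            if r.effect == "permit":
                allowed |= r.child_types
    response = {"decision": decision, "allowed_resource_types": sorted(allowed)}
    return {k: v for k, v in response.items() if k in req.return_fields}
```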
  • the PDP receives an access control decision request sent by the PEP;
  • the PDP sends an access control policy request to the PRP according to the access control decision request, where the access control policy request is generated by the PDP according to the authorization policy resource;
  • the PDP performs an access control decision according to the obtained access control policy, and obtains access control decision information
  • the PDP carries the access control decision information in the access control decision response and sends the response to the PEP.
  • the access control policy request includes:
  • return result indication information, configured to indicate the parameters requested to be returned by the access control policy request, where the return result indication information is generated according to attributes and/or sub-resources of the authorization policy resource; and/or,
  • the resource access filter condition is used to indicate a filter condition of the resource operation, and the resource access filter condition is generated according to the attribute and/or the sub-resource of the authorization policy resource.
  • the attribute for generating the return result indication information in the authorization policy resource includes one or any combination of the following:
  • a policy attribute configured to carry an access control policy applicable to a target resource that the resource access initiator requests to access
  • a merge algorithm attribute, used to carry the identifier of the policy merge algorithm used by the multiple access control policies in the merge policy attribute.
  • the attributes of the authorization policy resource used for generating the resource access filter condition include one or any combination of the following:
  • a target attribute, used to carry the resource address of the target resource that the resource access initiator requests to access;
  • an initiator attribute, used to carry the identifier of the resource access initiator.
  • the PDP receives an access control decision request sent by the PEP;
  • the PDP performs an access control decision according to the obtained access control information, and obtains access control decision information
  • the PDP carries the access control decision information in the access control decision response and sends the response to the PEP.
  • the access control information request includes:
  • return result indication information, configured to indicate the parameters requested to be returned by the access control information request, where the return result indication information is generated according to attributes and/or sub-resources of the authorization information resource; and/or,
  • the resource access filtering condition is used to indicate a filtering condition of the resource operation, and the resource access filtering condition is generated according to the attribute and/or the sub resource of the authorization information resource.
  • the attribute used to generate the resource access filtering condition in the authorization information resource includes one or any combination of the following:
  • an initiator attribute, used to carry the identifier of the resource access initiator;
  • a role identifier attribute, used to carry the set of identifiers of the roles issued to the resource access initiator;
  • a token identifier attribute, used to carry the set of identifiers of the tokens carrying authorization information issued to the resource access initiator.
  • the sub-resources of the authorization information resource used for generating the return result indication information include one or any combination of the following:
  • a role resource, used to host the set of role resources issued to the resource access initiator;
  • a token resource, used to host the set of token resources issued to the resource access initiator.
  • a receiving module configured to receive an access control decision request sent by the PEP, where the access control decision request is generated by the PEP according to an authorization decision resource;
  • a decision module configured to perform an access control decision according to the access control decision request, and obtain access control decision information
  • a sending module, configured to carry the access control decision information in the access control decision response and send the response to the PEP.
  • the access control decision request includes:
  • return result indication information, configured to indicate the parameters requested to be returned by the access control decision request, where the return result indication information is generated according to attributes and/or sub-resources of the authorization decision resource; and/or,
  • the resource access filter condition is used to indicate a filter condition of the resource operation, and the resource access filter condition is generated according to the attribute and/or the sub-resource of the authorization decision resource.
  • the attribute used in the authorization decision resource for generating the return result indication information includes one or any combination of the following:
  • an allowed resource type attribute, used to carry the sub-resource type identifiers of the target resource that are allowed to be accessed, where the target resource is the resource that the resource access initiator requests to access;
  • the attributes of the authorization decision resource used for generating the resource access filter condition include one or any combination of the following:
  • a target attribute, used to carry the resource address of the target resource that the resource access initiator requests to access;
  • an initiator attribute, used to carry the identifier of the resource access initiator;
  • an operation attribute, used to carry the identifier of the operation that the resource access initiator requests to perform on the target resource;
  • a content attribute, used to carry the specific content of the target resource that the resource access initiator requests to access;
  • a filter usage attribute, used to carry the parameter indicating how the filter condition supplied by the resource access initiator is used in the resource access filter condition;
  • a role identifier attribute, used to carry the set of identifiers of the roles issued to the resource access initiator;
  • a token identifier attribute, used to carry the set of identifiers of the tokens carrying authorization information issued to the resource access initiator;
  • a token attribute, used to carry the set of tokens issued to the resource access initiator that carry the authorization information;
  • a request time attribute, used to carry the time at which the PEP received the resource access request sent by the resource access initiator;
  • a requester IP address attribute, used to carry the IP address carried in the resource access request sent by the resource access initiator.
  • the apparatus further includes a first obtaining module, configured to send, according to the access control decision request, an access control policy request to the policy acquisition point PRP, where the access control policy request is generated by the PDP according to the authorization policy resource, and to receive the access control policy response returned by the PRP, where the access control policy response includes the access control policy obtained by the PRP according to the access control decision request;
  • the decision module is specifically configured to perform the access control decision according to the access control policy acquired by the first obtaining module.
  • the access control policy request includes:
  • return result indication information, configured to indicate the parameters requested to be returned by the access control policy request, where the return result indication information is generated according to attributes and/or sub-resources of the authorization policy resource; and/or,
  • the resource access filter condition is used to indicate a filter condition of the resource operation, and the resource access filter condition is generated according to the attribute and/or the sub-resource of the authorization policy resource.
  • the attribute for generating the return result indication information in the authorization policy resource includes one or any combination of the following:
  • a policy attribute configured to carry an access control policy applicable to a target resource that the resource access initiator requests to access
  • the merge algorithm attribute is used to carry the identifier of the policy merge algorithm used by the multiple access control policies in the merge policy attribute;
  • the attributes used in the authorization policy resource to generate the resource access filter condition include one or any combination of the following:
  • a target attribute configured to carry a resource address of a target resource that the resource access initiator requests to access
  • an initiator attribute, used to carry the identifier of the resource access initiator.
  • the apparatus further includes a second obtaining module, configured to send, according to the access control decision request, an access control information request to the policy information point PIP, where the access control information request is generated by the PDP according to the authorization information resource, and to receive the access control information response returned by the PIP, where the access control information response includes the access control information obtained by the PIP according to the access control information request;
  • the decision module is specifically configured to perform the access control decision according to the access control information acquired by the second obtaining module.
  • the access control information request includes:
  • return result indication information, configured to indicate the parameters requested to be returned by the access control information request, where the return result indication information is generated according to attributes and/or sub-resources of the authorization information resource; and/or,
  • a resource access filter condition, used to indicate a filter condition of the resource operation, where the resource access filter condition is generated according to attributes and/or sub-resources of the authorization information resource.
  • the attributes of the authorization information resource used for generating the resource access filter condition include one or any combination of the following:
  • an initiator attribute, used to carry the identifier of the resource access initiator;
  • a role identifier attribute, used to carry the set of identifiers of the roles issued to the resource access initiator;
  • a token identifier attribute, used to carry the set of identifiers of the tokens carrying authorization information issued to the resource access initiator.
  • the sub-resources of the authorization information resource used for generating the return result indication information include one or any combination of the following:
  • a role resource, used to host the set of role resources issued to the resource access initiator;
  • a token resource, used to host the set of token resources issued to the resource access initiator.
  • a receiving module configured to receive an access control decision request sent by the PEP
  • An obtaining module configured to send an access control policy request to the PRP according to the access control decision request, where the access control policy request is generated by the PDP according to an authorization policy resource; and the access control policy response returned by the PRP is received,
  • the access control policy response includes an access control policy obtained by the PRP according to the access control decision request;
  • a decision module configured to perform an access control decision according to the obtained access control policy, and obtain access control decision information
  • a sending module, configured to carry the access control decision information in the access control decision response and send the response to the PEP.
  • the access control policy request includes:
  • return result indication information, configured to indicate the parameters requested to be returned by the access control policy request, where the return result indication information is generated according to attributes and/or sub-resources of the authorization policy resource; and/or,
  • the resource access filter condition is used to indicate a filter condition of the resource operation, and the resource access filter condition is generated according to the attribute and/or the sub-resource of the authorization policy resource.
  • the attribute for generating the return result indication information in the authorization policy resource includes one or any combination of the following:
  • a policy attribute configured to carry an access control policy applicable to a target resource that the resource access initiator requests to access
  • the merge algorithm attribute is used to carry the identifier of the policy merge algorithm used by the multiple access control policies in the merge policy attribute;
  • the attributes used in the authorization policy resource to generate the resource access filter condition include one or any combination of the following:
  • a target attribute configured to carry a resource address of a target resource that the resource access initiator requests to access
  • an initiator attribute, used to carry the identifier of the resource access initiator.
  • a receiving module, configured to receive an access control decision request sent by the PEP;
  • an obtaining module, configured to send, according to the access control decision request, an access control information request to the PIP, where the access control information request is generated by the PDP according to the authorization information resource, and to receive the access control information response returned by the PIP,
  • where the access control information response includes the access control information obtained by the PIP according to the access control information request;
  • a decision module, configured to perform an access control decision according to the obtained access control information, and obtain access control decision information;
  • a sending module, configured to carry the access control decision information in the access control decision response and send the response to the PEP.
  • the access control information request includes:
  • return result indication information, configured to indicate the parameters requested to be returned by the access control information request, where the return result indication information is generated according to attributes and/or sub-resources of the authorization information resource; and/or,
  • the resource access filtering condition is used to indicate a filtering condition of the resource operation, and the resource access filtering condition is generated according to the attribute and/or the sub resource of the authorization information resource.
  • the attribute used to generate the resource access filtering condition in the authorization information resource includes one or any combination of the following:
  • an initiator attribute, used to carry the identifier of the resource access initiator;
  • a role identifier attribute, used to carry the set of identifiers of the roles issued to the resource access initiator;
  • a token identifier attribute, used to carry the set of identifiers of the tokens carrying authorization information issued to the resource access initiator.
  • the sub-resources of the authorization information resource used for generating the return result indication information include one or any combination of the following:
  • a role resource, used to host the set of role resources issued to the resource access initiator;
  • a token resource, used to host the set of token resources issued to the resource access initiator.
  • a transceiver for receiving and transmitting data under the control of a processor.
  • the access control decision request includes:
  • return result indication information, configured to indicate the parameters requested to be returned by the access control decision request, where the return result indication information is generated according to attributes and/or sub-resources of the authorization decision resource; and/or,
  • a resource access filter condition, used to indicate a filter condition of the resource operation, where the resource access filter condition is generated according to attributes and/or sub-resources of the authorization decision resource.
  • the attributes of the authorization decision resource used for generating the return result indication information include one or any combination of the following:
  • an allowed resource type attribute, used to carry the sub-resource type identifiers of the target resource that are allowed to be accessed, where the target resource is the resource that the resource access initiator requests to access;
  • the attributes of the authorization decision resource used for generating the resource access filter condition include one or any combination of the following:
  • a target attribute, used to carry the resource address of the target resource that the resource access initiator requests to access;
  • an initiator attribute, used to carry the identifier of the resource access initiator;
  • an operation attribute, used to carry the identifier of the operation that the resource access initiator requests to perform on the target resource;
  • a content attribute, used to carry the specific content of the target resource that the resource access initiator requests to access;
  • a filter usage attribute, used to carry the parameter indicating how the filter condition supplied by the resource access initiator is used in the resource access filter condition;
  • a role identifier attribute, used to carry the set of identifiers of the roles issued to the resource access initiator;
  • a token identifier attribute, used to carry the set of identifiers of the tokens carrying authorization information issued to the resource access initiator;
  • a token attribute, used to carry the set of tokens issued to the resource access initiator that carry the authorization information;
  • a request time attribute, used to carry the time at which the PEP received the resource access request sent by the resource access initiator;
  • a requester IP address attribute, used to carry the IP address carried in the resource access request sent by the resource access initiator.
  • the processor is further configured to:
  • the access control policy request includes:
  • return result indication information, configured to indicate the parameters requested to be returned by the access control policy request, where the return result indication information is generated according to attributes and/or sub-resources of the authorization policy resource; and/or,
  • a resource access filter condition, used to indicate a filter condition of the resource operation, where the resource access filter condition is generated according to attributes and/or sub-resources of the authorization policy resource.
  • the attributes of the authorization policy resource used for generating the return result indication information include one or any combination of the following:
  • a policy attribute, used to carry the access control policy applicable to the target resource that the resource access initiator requests to access;
  • a merge algorithm attribute, used to carry the identifier of the policy merge algorithm used by the multiple access control policies in the merge policy attribute;
  • the attributes of the authorization policy resource used for generating the resource access filter condition include one or any combination of the following:
  • a target attribute, used to carry the resource address of the target resource that the resource access initiator requests to access;
  • an initiator attribute, used to carry the identifier of the resource access initiator.
  • the processor is further configured to:
  • the access control information request includes:
  • Returning result indication information configured to indicate a parameter that is requested to be returned by the access control information request, where the return result indication information is generated according to an attribute and/or a sub-resource of the authorization information resource; and/or,
  • the resource access filtering condition is used to indicate a filtering condition of the resource operation, and the resource access filtering condition is generated according to the attribute and/or the sub resource of the authorization information resource.
  • the attribute used in the authorization information resource to generate the resource access filter condition includes one or any combination of the following:
  • an initiator attribute configured to carry the identifier of the resource access initiator;
  • Role identification attribute used to carry a set of identifiers issued to the role of the resource access initiator
  • Token identification attribute used to carry a set of identifiers of tokens carrying authorization information issued to the resource access initiator
  • the sub-resource for generating the return result indication information in the authorization information resource includes one or any combination of the following:
  • Role resource used to host a set of role resources issued to the resource access initiator
  • a token resource used to host a set of token resources issued to the resource access initiator.
  • a transceiver for receiving and transmitting data under the control of a processor.
  • the access control policy request includes:
  • return result indication information configured to indicate a parameter that is requested to be returned by the access control policy request, where the return result indication information is generated according to an attribute and/or a sub-resource of the authorization policy resource; and/or,
  • the resource access filter condition is used to indicate a filter condition of the resource operation, and the resource access filter condition is generated according to the attribute and/or the sub-resource of the authorization policy resource.
  • the attribute used in the authorization policy resource to generate the return result indication information includes one or any combination of the following:
  • a policy attribute configured to carry an access control policy applicable to a target resource that the resource access initiator requests to access
  • a merge algorithm attribute configured to carry the identifier of the policy merge algorithm used by the multiple access control policies in the policy attribute;
  • the attributes used in the authorization policy resource to generate the resource access filter condition include one or any combination of the following:
  • a target attribute configured to carry a resource address of a target resource that the resource access initiator requests to access
  • Initiator attribute used to carry the identifier of the resource access initiator.
  • the access control information response returned by the PIP includes the access control information that the PIP obtains according to the access control information request; the PDP performs the access control decision according to the obtained access control information, obtains the access control decision information, carries the access control decision information in an access control decision response and sends the response to the PEP;
  • a transceiver for receiving and transmitting data under the control of a processor.
  • the access control information request includes:
  • return result indication information configured to indicate a parameter that is requested to be returned by the access control information request, where the return result indication information is generated according to an attribute and/or a sub-resource of the authorization information resource; and/or,
  • the resource access filtering condition is used to indicate a filtering condition of the resource operation, and the resource access filtering condition is generated according to the attribute and/or the sub resource of the authorization information resource.
  • the attribute used in the authorization information resource to generate the resource access filter condition includes one or any combination of the following:
  • an initiator attribute configured to carry the identifier of the resource access initiator;
  • Role identification attribute used to carry a set of identifiers issued to the role of the resource access initiator
  • Token identification attribute used to carry a set of identifiers of tokens carrying authorization information issued to the resource access initiator
  • the sub-resource for generating the return result indication information in the authorization information resource includes one or any combination of the following:
  • Role resource used to host a set of role resources issued to the resource access initiator
  • a token resource used to host a set of token resources issued to the resource access initiator.
  • the authorization entity generates a request message in the resource access control process according to the newly defined resource, such as an authorization decision resource, an authorization policy resource, or an authorization information resource, so as to obtain the required information from other authorized entities.
  • the resource access control scheme is given at the resource structure level.
  • FIG. 1 is a schematic diagram of a oneM2M resource tree in the prior art
  • FIG. 2 is a schematic diagram of a oneM2M authorization architecture in the prior art
  • FIG. 3 is a schematic diagram of a principle for implementing distributed authorization based on oneM2M resources in the embodiment of the present application
  • FIG. 4 is a schematic diagram of the relationship between the authorization resources and the CSE root resource <CSEBase> in the embodiment of the present application;
  • FIG. 5 is a schematic structural diagram of an <authorizationDecision> resource type provided by an embodiment of the present application;
  • FIG. 6 is a schematic structural diagram of an <authorizationPolicy> resource type according to an embodiment of the present application;
  • FIG. 7 is a schematic structural diagram of an <authorizationInformation> resource type provided by an embodiment of the present application.
  • FIG. 8 is a schematic flowchart of a general process of resource access control according to an embodiment of the present application.
  • FIG. 9 is a schematic flowchart of interaction between a PEP and a PDP according to an embodiment of the present application.
  • FIG. 10 is a schematic flowchart of interaction between a PDP and a PRP according to an embodiment of the present disclosure
  • FIG. 11 is a schematic flowchart of interaction between a PDP and a PIP according to an embodiment of the present application.
  • FIG. 12 is a schematic structural diagram of a PDP according to an embodiment of the present disclosure.
  • FIG. 13 is a second schematic structural diagram of a PDP according to an embodiment of the present disclosure.
  • FIG. 14 is a third schematic structural diagram of a PDP according to an embodiment of the present disclosure.
  • FIG. 15 is a fourth schematic structural diagram of a PDP according to an embodiment of the present disclosure.
  • FIG. 16 is a fifth schematic structural diagram of a PDP according to an embodiment of the present disclosure.
  • FIG. 17 is a sixth schematic structural diagram of a PDP according to an embodiment of the present application.
  • oneM2M defines two basic entities: AE (Application Entity) and CSE (Common Services Entity).
  • the AE is located at the application layer and implements M2M application logic.
  • An application logic can reside in multiple M2M nodes or multiple execution instances in a single node.
  • Each execution instance of the application logic is referred to as an AE, and each AE is identified by a unique AE-ID.
  • a CSE consists of a set of "common service functions" in the M2M environment. Each CSE is identified by a unique CSE-ID. The oneM2M resource tree resides in the CSE.
  • oneM2M defines three types of resources:
  • Normal Resource: has a specific resource structure and resource attributes.
  • Virtual Resource: has no specific resource structure or resource attributes, and is mainly used to trigger a specific procedure.
  • Announced Resource: has a specific resource structure and attributes; it is a copy of part of the content of a normal resource on another entity, and its main purpose is to facilitate resource discovery.
  • the authorization architecture given in the oneM2M Security Solution Technical Specification (oneM2M TS-0003: Security Solutions) is shown in Figure 2.
  • the architecture can include the following components:
  • PEP Policy Enforcement Point
  • the PEP coexists with the application system that needs access control, and is called by the application system.
  • the PEP generates an access control decision request according to the resource access request of the resource access initiator and sends it to the PDP, and then determines whether to perform the resource access according to the access control decision response returned by the PDP.
  • PDP Policy Decision Point
  • PRP Policy Retrieval Point
  • PIP Policy Information Point
  • the PIP obtains attributes related to users, resources or the environment according to the access control information request of the PDP, such as the IP address of the access user, the creator of the resource, the current time, etc., and then returns the obtained attributes to the PDP.
  • the oneM2M basic resource access control process can include:
  • the resource access initiator sends a resource access request (Access Request) to the PEP, and the PEP sends an access control decision request (Decision Request) to the PDP according to the resource access request.
  • Access Request: resource access request
  • Decision Request: access control decision request
  • the PDP sends an access control policy request (Policy Request) to the PRP according to the access control decision request sent by the PEP, and the PRP returns an access control policy response (Policy Response) to the PDP, where the access control policy response includes an access control policy.
  • Policy Request: access control policy request
  • Policy Response: access control policy response
  • the PDP analyzes and judges the content included in the access control decision request and the access control policy. If other attributes are required for the analysis and decision, the PDP sends an access control information request (Attribute Request) to the PIP, and the PIP sends an access control information response to the PDP, where the access control information response includes the access control related information acquired according to the access control information request.
  • the PDP sends an access control decision response (Decision Response) to the PEP, where the access control decision response includes an access control decision result.
  • the PEP determines whether to perform the resource access request of the resource access initiator according to the access control decision result in the access control decision response.
  • the embodiment of the present application defines three new oneM2M resources for resource access control, and the three resources belong to the normal resource type, which are respectively:
  • the authorization decision resource is represented as an <authorizationDecision> resource in the embodiment of the present application.
  • the authorization policy resource is represented as an <authorizationPolicy> resource in the embodiment of the present application.
  • the authorization information resource is represented as an <authorizationInformation> resource in the embodiment of the present application.
  • Access to different resource types determines the type of authorization request. For example, the access control decision request accesses the <authorizationDecision> resource, the access control policy request accesses the <authorizationPolicy> resource, and the access control information request accesses the <authorizationInformation> resource.
  • the above three resources can be set under the CSE root resource (<CSEBase>), that is, the three resources can be used as sub-resources under <CSEBase>, and their resource type is a normal resource (Normal Resource).
  • These three resources can be located in the same CSE (that is, as sub-resources under the same <CSEBase>) or in different CSEs.
  • the <authorizationDecision> resource is located in the CSE that implements the PDP function.
  • the <authorizationPolicy> resource is located in the CSE that implements the PRP function.
  • the <authorizationInformation> resource is located in the CSE that implements the PIP function.
  • One or more of the above three new resources may be included in one CSE.
  • the same resource included in a CSE (referring to one of the three new resources mentioned above) may have one or more instances.
  • for example, one CSE may include one or more <authorizationDecision> resources.
  • different <authorizationDecision> resources can be set to be accessed by different resource access initiators, or by different groups of resource access initiators.
  • FIG. 3 exemplarily shows a resource-based distributed authorization architecture and principle.
  • the PEP (Hosting CSE in the figure) exchanges information with the PDP, that is, the access control decision request and the access control decision response, by operating on the <authorizationDecision> resource in the CSE that implements the PDP function (CSE1 in the figure).
  • the PDP (CSE1 in the figure) exchanges information with the PRP, that is, the access control policy request and the access control policy response, by operating on the <authorizationPolicy> resource in the CSE that implements the PRP function (CSE2).
  • the PDP (CSE1 in the figure) exchanges information with the PIP, that is, the access control information request and the access control information response, by operating on the <authorizationInformation> resource in the CSE that implements the PIP function (CSE3).
  • in FIG. 3 the <authorizationDecision> resource, the <authorizationPolicy> resource and the <authorizationInformation> resource are distributed in the CSEs of different authorization entities. In other examples, two or more of the above three resources can be located in the same CSE, and the embodiment of the present application does not limit this.
  • the initiator of the authorization function request uses the oneM2M resource read operation (Retrieve) to read the corresponding resource. The Content parameter of the read request (Retrieve Request) describes the authorization-related information that is expected to be obtained (that is, the Content parameter indicates the parameters to be returned by the request), and the Filter Criteria parameter of the read request provides the corresponding input information (that is, the Filter Criteria parameter indicates the filter conditions of the resource read operation).
  • the receiver of the authorization function request performs the corresponding authorization process according to the provided input information, and returns the execution result to the initiator in a read response (Retrieve Response).
  • the Content parameter in the read request may also be referred to as the return result indication information, which may be generated from the attributes and/or sub-resources of the resources defined in the foregoing embodiment of the present application; specifically, it is constructed from the attribute names of the resource or other information that can be used to indicate the attributes;
  • the Filter Criteria parameter in the Retrieve Request may also be referred to as the resource access filter condition, which may be generated from the attributes and/or sub-resources of the resources defined in the embodiment of the present application; specifically, it is constructed from the attribute names and attribute values of the resource.
  • the read request may include: an access control decision request sent by the PEP to the PDP, an access control policy request sent by the PDP to the PRP, and an access control information request sent by the PDP to the PIP, based on the architecture shown in FIG. .
  • a resource can contain one or more attributes, and the attributes of the resource are used to carry the attribute values of the resource.
  • One or more attributes may also be included in the above three resources defined in the embodiments of the present application. The attributes in these resources can be divided into two categories according to their use:
  • Attributes for generating the return result indication information: the results requested by the resource access initiator, such as the access control decision, the access control policy or the access control information, are placed in these resource attributes; these attributes are attributes of the target resource of the Retrieve operation.
  • Attributes for generating the resource access filter condition: the input parameters provided by the resource access initiator, such as the identifier of the resource access initiator, the target resource address or the operation on the resource, are placed in these resource attributes; these attributes are used to construct the resource filter condition of the Retrieve operation, and the resource access initiator passes the input parameters to the PDP, PRP or PIP in this way.
  • the resources may further include sub-resources, which are used for outputting results and are also target resources of the Retrieve operation, such as the <role> or <token> resource types used when querying roles or tokens.
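  • The read-based exchange described above, as an added example that is not oneM2M's or the patent's own code: a Retrieve request carries the Content list (attribute and sub-resource names to return) and the Filter Criteria (attribute name/value pairs), and the receiving CSE filters its hosted resources on the criteria and projects only what Content names. The dict layout of the stored resources, the rule that a criterion against a list-valued ("L") attribute matches when the value is one of its elements, the status strings and the sample <authorizationInformation> resources are assumptions constructed for this example; the attribute and sub-resource names (from, roleIDs, tokenIDs, role, token) are the ones defined in the text.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Added example modelling the oneM2M Retrieve-based exchange described above.
# Resource layout, status strings and sample data are assumptions, not oneM2M definitions.


@dataclass
class RetrieveRequest:
    resource_type: str                    # e.g. "authorizationInformation"
    content: List[str]                    # "return result indication information"
    filter_criteria: Dict[str, Any] = field(default_factory=dict)  # "resource access filter condition"


@dataclass
class RetrieveResponse:
    content: Dict[str, Any]
    status: str


def _matches(resource: Dict[str, Any], criteria: Dict[str, Any]) -> bool:
    """A resource matches when every criterion equals the attribute value or,
    for a list-valued ("L") attribute, is one of its elements (assumed rule)."""
    attrs = resource["attributes"]
    for name, wanted in criteria.items():
        if name not in attrs:
            return False
        actual = attrs[name]
        if isinstance(actual, list):
            if wanted not in actual:
                return False
        elif actual != wanted:
            return False
    return True


def retrieve(store: List[Dict[str, Any]], req: RetrieveRequest) -> RetrieveResponse:
    """Receiver side: select the hosted resource by Filter Criteria, then return
    only the attributes / sub-resources named in Content. Unmatched criteria
    yield no data rather than falling back to some default resource."""
    hits = [r for r in store
            if r["type"] == req.resource_type and _matches(r, req.filter_criteria)]
    if not hits:
        return RetrieveResponse({}, "NOT_FOUND: no resource matches the filter criteria")
    res = hits[0]                         # first match; a real CSE keys these uniquely
    out: Dict[str, Any] = {}
    unknown: List[str] = []
    for name in req.content:
        if name in res["attributes"]:
            out[name] = res["attributes"][name]
        elif name in res.get("children", {}):
            out[name] = res["children"][name]
        else:
            unknown.append(name)          # Content asked for something the resource lacks
    status = "OK" if not unknown else "PARTIAL: unknown content " + ", ".join(unknown)
    return RetrieveResponse(out, status)


# Constructed sample: <authorizationInformation> resources hosted by the PIP CSE.
PIP_STORE: List[Dict[str, Any]] = [
    {"type": "authorizationInformation",
     "attributes": {"from": "C-AE-sensor-01", "roleIDs": ["role-reader"], "tokenIDs": ["tok-1"]},
     "children": {"role": [{"roleID": "role-reader"}], "token": [{"tokenID": "tok-1"}]}},
    {"type": "authorizationInformation",
     "attributes": {"from": "C-AE-admin", "roleIDs": ["role-admin", "role-reader"], "tokenIDs": []},
     "children": {"role": [{"roleID": "role-admin"}, {"roleID": "role-reader"}], "token": []}},
]


def lookup_authorization_info(initiator: str, content: List[str]) -> RetrieveResponse:
    """PDP side of the access control information request: the initiator's
    identifier goes into Filter Criteria (from), the wanted names into Content."""
    req = RetrieveRequest("authorizationInformation", content, {"from": initiator})
    return retrieve(PIP_STORE, req)


if __name__ == "__main__":
    print(lookup_authorization_info("C-AE-sensor-01", ["roleIDs", "role"]))
    print(lookup_authorization_info("C-AE-unknown", ["roleIDs"]))
```

  • Because the initiator identifier is bound into the filter, a PIP built this way never returns another initiator's roles or tokens, and a Content entry the resource does not carry is reported in the status rather than silently dropped.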
  • FIG. 4 exemplarily shows the relationship between the authorization resources and the CSE root resource <CSEBase>: <CSEBase> may include resource attributes already defined by oneM2M ("Other Resource Attributes" in the figure) and sub-resources already defined by oneM2M ("other sub-resources" in the figure), and further includes the <authorizationDecision>, <authorizationPolicy> and <authorizationInformation> resources defined in the embodiment of the present application.
  • the number of <authorizationDecision> resources may be one or more, or <CSEBase> may contain no <authorizationDecision> resource (the number is represented by "0..n" in the figure, and n is an integer greater than or equal to 1);
  • the number of <authorizationPolicy> resources may be one or more, or <CSEBase> may contain no <authorizationPolicy> resource (the number is represented by "0..n" in the figure, and n is an integer greater than or equal to 1);
  • the number of <authorizationInformation> resources may be one or more, or <CSEBase> may contain no <authorizationInformation> resource (the number is represented by "0..n" in the figure, and n is an integer greater than or equal to 1).
  • n is an integer greater than or equal to 1; "L" (List) indicates that the attribute value can be in the form of a list.
  • resource attributes and sub-resources are defined as follows:
  • Decision attribute: used to carry the access control decision information; the attribute name can be represented as decision, and the attribute value is the access control decision; the decision attribute is an optional attribute;
  • Permitted attributes attribute: used to carry the attribute names of the target resource (that is, the target resource that the resource access initiator requests to access) that are permitted to be accessed; the attribute name can be represented as permittedAttributes, and the attribute value is the list of permitted attribute names of the target resource; the permittedAttributes attribute is an optional attribute; further, the attribute value may be in list form;
  • Permitted resource types attribute: used to carry the sub-resource type identifiers of the target resource (that is, the target resource that the resource access initiator requests to access) that are permitted to be accessed; the attribute name can be represented as permittedResourceTypes, and the attribute value is the permitted sub-resource type identifiers of the target resource.
  • Status attribute: used to carry an error describing the access control decision process; the attribute name can be represented as status, and the attribute value is the error describing the access control decision process; the status attribute is an optional attribute;
  • Target attribute: used to carry the resource address of the target resource that the resource access initiator requests to access; the attribute name can be represented as to, and the attribute value is the address of the target resource accessed by the resource access initiator (Originator); the to attribute is an optional attribute;
  • Initiator attribute: used to carry the identifier of the resource access initiator; the attribute name can be represented as from, and the attribute value is the identifier of the resource access initiator; the from attribute is an optional attribute;
  • Operation attribute: used to carry the identifier of the operation that the resource access initiator requests to perform on the target resource; the attribute name can be represented as operation, and the attribute value is the identifier of that operation; the operation attribute is an optional attribute;
  • Content attribute: used to carry the specific content of the target resource that the resource access initiator requests to access; the attribute name is content, and the attribute value is the specific content of the target resource that the resource access initiator wants to access; the content attribute is an optional attribute;
  • Filter usage attribute: used to carry the parameter indicating the purpose of the filter condition in the resource access filter condition provided by the resource access initiator; the attribute name can be represented as filterUsage, and the attribute value is the purpose of the filter condition in the resource access filter condition provided by the resource access initiator.
  • Role ID attribute: used to carry a set of identifiers of roles issued to the resource access initiator; the attribute name can be represented as roleIDs, and the attribute value is the set of identifiers of roles issued to the resource access initiator; the roleIDs attribute is an optional attribute; further, the attribute value may be in list form;
  • Token ID attribute: used to carry a set of identifiers of tokens carrying authorization information issued to the resource access initiator; the attribute name can be represented as tokenIDs, and the attribute value is the set of identifiers of such tokens; the tokenIDs attribute is an optional attribute; further, the attribute value may be in list form;
  • Token attribute: used to carry a set of tokens carrying authorization information issued to the resource access initiator; the attribute name can be represented as tokens, and the attribute value is the set of such tokens; the tokens attribute is an optional attribute; further, the attribute value may be in list form;
  • Request time attribute: used to carry the time at which the PEP receives the resource access request sent by the resource access initiator; the attribute name can be represented as requestTime, and the attribute value is the time at which the Hosting CSE receives the resource access request of the resource access initiator; the requestTime attribute is an optional attribute;
  • Location attribute: used to carry the location of the resource access initiator; the attribute name can be represented as requestLocation, and the attribute value is the location information of the resource access initiator; the requestLocation attribute is an optional attribute;
  • Requester IP address attribute: used to carry the IP address carried in the resource access request sent by the resource access initiator; the attribute name can be represented as requestIP, and the attribute value is the IP address carried in the resource access request packet of the resource access initiator; the requestIP attribute is an optional attribute.
  • the <authorizationDecision> resource may also include a sub-resource, represented as <subscription>.
  • the number of <subscription> resources contained in the <authorizationDecision> resource can be one or more.
  • <subscription> can be a sub-resource defined by oneM2M.
  • the decision attribute, the permittedAttributes attribute, the permittedResourceTypes attribute and the status attribute can be used to generate the "return result indication information" (such as the Content parameter mentioned above) of the access control decision request, and the other attributes can be used to generate the "resource access filter condition" (such as the Filter Criteria parameter mentioned above) of the access control decision request.
  • the <authorizationDecision> resource can thus be extended to add new input parameters (such as the Filter Criteria parameter above) to the access control decision request, and new output parameters (such as the Content parameter above) to the access control decision response.
  • the structure of the <authorizationPolicy> resource type is shown in FIG. 6.
  • in the figure, an attribute whose number is 1 is represented by "1"; an attribute whose number is 0 to n is represented by "0..n", where n is an integer greater than or equal to 1; "L" indicates that the attribute value can be in the form of a list.
  • resource attributes and sub-resources are defined as follows:
  • Policy attribute: used to carry the access control policies applicable to the target resource that the resource access initiator requests to access; the attribute name can be represented as policies, and the attribute value is the access control policies applicable to the target resource; the policies attribute is an optional attribute; further, the attribute value may be in list form;
  • Merging algorithm attribute: used to carry the identifier of the policy merge algorithm applied to the multiple access control policies in the policies attribute; the attribute name is combiningAlgorithm, and the attribute value is the identifier of the policy merge algorithm used for the multiple access control policies in the policies attribute;
  • Target attribute: used to carry the resource address of the target resource that the resource access initiator requests to access; the attribute name can be represented as to, and the attribute value is the address of the target resource accessed by the resource access initiator; the to attribute is an optional attribute;
  • Initiator attribute: used to carry the identifier of the resource access initiator; the attribute name can be represented as from, and the attribute value is the identifier of the resource access initiator; the from attribute is an optional attribute.
  • the <authorizationPolicy> resource may also include a sub-resource, represented as <subscription>.
  • the number of <subscription> resources contained in the <authorizationPolicy> resource can be one or more.
  • <subscription> can be a sub-resource defined by oneM2M.
  • the policies attribute and the combiningAlgorithm attribute can be used to generate the "return result indication information" (such as the Content parameter mentioned above) of the access control policy request, and the other attributes can be used to generate the "resource access filter condition" (such as the Filter Criteria parameter above) of the access control policy request.
  • the <authorizationPolicy> resource can thus be extended to add new input parameters (such as the Filter Criteria parameter described above) to the access control policy request, and new output parameters (such as the Content parameter above) to the access control policy response.
  • the structure of the <authorizationInformation> resource type is shown in FIG. 7.
  • in the figure, an attribute whose number is 1 is represented by "1"; an attribute whose number is 0 to n is represented by "0..n", where n is an integer greater than or equal to 1; "L" indicates that the attribute value can be in the form of a list.
  • resource attributes and sub-resources are defined as follows:
  • Role resource: the sub-resource can be represented as <role>, and is used to carry a set of role resources issued to the resource access initiator; the sub-resource is an optional sub-resource; if it is included in the <authorizationInformation> resource, its number can be one or more;
  • Token resource: the sub-resource can be represented as <token>, and is used to carry a set of token resources issued to the resource access initiator; the sub-resource is an optional sub-resource;
  • Initiator attribute: used to carry the identifier of the resource access initiator; the attribute name can be represented as from, and the attribute value is the identifier of the resource access initiator; the from attribute is an optional attribute;
  • Role ID attribute: used to carry a set of identifiers of roles issued to the resource access initiator; the attribute name can be represented as roleIDs, and the attribute value is the set of identifiers of roles issued to the resource access initiator; the roleIDs attribute is an optional attribute; further, the attribute value may be in list form;
  • Token ID attribute: used to carry a set of identifiers of tokens carrying authorization information issued to the resource access initiator; the attribute name can be represented as tokenIDs, and the attribute value is the set of identifiers of such tokens; the tokenIDs attribute is an optional attribute; further, the attribute value may be in list form;
  • the <authorizationInformation> resource may also include other sub-resources, represented as <subscription>.
  • the number of <subscription> resources contained in the <authorizationInformation> resource can be one or more.
  • <subscription> can be a sub-resource defined by oneM2M.
  • the <role> and <token> sub-resources can be used to generate the "return result indication information" (such as the Content parameter mentioned above) of the access control information request, and the other attributes can be used to generate the "resource access filter condition" (such as the Filter Criteria parameter above) of the access control information request.
  • the <authorizationInformation> resource can thus be extended to add new input parameters (such as the Filter Criteria parameter described above) to the access control information request, and new output parameters (such as the Content parameter described above) to the access control information response.
  • the following embodiments describe a resource access control process (that is, a resource authorization process).
  • FIG. 8 is a schematic flowchart of a general process of resource access control according to an embodiment of the present application.
  • the process can include:
  • Step 801 The PEP sends an access control decision request to the PDP according to the resource access request of the resource access initiator.
  • the access control decision request sent by the PEP is generated according to the <authorizationDecision> resource.
  • the access control decision request may include return result indication information (such as the foregoing Content parameter), where the return result indication information is used to indicate the parameters that the access control decision request asks to be returned, and may be generated according to the attributes and/or sub-resources of the <authorizationDecision> resource.
  • for example, the Content parameter may include attribute names of the <authorizationDecision> resource and/or sub-resource identifiers of the resource.
  • the access control decision request may further include a resource access filter condition (such as the foregoing FilterCriteria parameter), where the resource access filter condition is used to indicate the filter condition of the resource operation, and may be generated according to the attributes and/or sub-resources of the <authorizationDecision> resource.
  • for example, the FilterCriteria parameter may include attribute names and attribute values of the <authorizationDecision> resource, and/or identifiers of sub-resources and their specific content (such as attribute values of the sub-resource attributes).
  • Step 802 The PDP performs an access control decision according to the access control decision request.
  • the PDP can obtain an access control policy locally, or obtain an access control policy from the PRP.
  • the process for the PDP to obtain the access control policy from the PRP may include: the PDP sends an access control policy request to the PRP according to the access control decision request, and receives an access control policy response that the PRP returns according to the access control policy request, where the access control policy response contains the access control policy that the PRP obtained according to the access control policy request.
  • the access control policy request is generated by the PDP according to the <authorizationPolicy> resource.
  • the access control policy request may include return result indication information (such as the foregoing Content parameter), where the return result indication information is used to indicate the parameters that the access control policy request asks to be returned, and is generated according to the attributes and/or child resources of the <authorizationPolicy> resource; for example, the Content parameter may include the attribute name of the <authorizationPolicy> resource and/or the child resource identifier of the resource.
  • the access control policy request further includes a resource access filter condition (such as the foregoing FilterCriteria parameter), and the resource access filter condition is used to indicate a filter condition of the resource operation, and may be constructed according to the attributes and/or the child resources of the <authorizationPolicy> resource.
  • the FilterCriteria parameter can include the sub-resource identifier of the <authorizationPolicy> resource and its specific content (such as the attribute value of a sub-resource attribute).
  • the access control policy response returned by the PRP to the PDP may include the attribute value of the <authorizationPolicy> resource and/or the content of the sub-resource of the resource, obtained according to the return result indication information and the resource access filter condition.
  • the PDP may obtain access control information locally, or may obtain access control information from the PIP.
  • the process for the PDP to obtain the access control information from the PIP may include: the PDP sends an access control information request to the PIP according to the access control decision request, and receives an access control information response that the PIP returns according to the access control information request.
  • the access control information response includes the access control information that the PIP obtains according to the access control information request.
  • the access control information request is generated by the PDP according to the <authorizationInformation> resource.
  • the access control information request may include return result indication information (such as the foregoing Content parameter), and the return result indication information is used to indicate the parameters that the access control information request asks to be returned, which may be generated according to the attributes of the <authorizationInformation> resource.
  • the Content parameter may include the attribute name of the <authorizationInformation> resource and/or the child resource identifier of the resource.
  • the access control information request further includes a resource access filtering condition (such as the foregoing FilterCriteria parameter), and the resource access filtering condition is used to indicate a filtering condition of the resource operation, and may be constructed according to the attributes and/or sub-resources of the <authorizationInformation> resource.
  • the FilterCriteria parameter may include an attribute name and an attribute value of the <authorizationInformation> resource, and/or an identifier of the sub-resource and its specific content (such as an attribute value of a sub-resource attribute).
  • the access control information response returned by the PIP to the PDP may include the attribute value of the <authorizationInformation> resource and/or the content of the sub-resource of the resource, obtained according to the return result indication information and the resource access filter condition.
  • the PDP makes the access control decision according to the obtained access control policy, and further combines the obtained access control information to obtain the access control decision information.
  • Step 803 The PDP returns an access control decision response to the PEP, where the access control decision response includes access control decision information.
  • in step 803, the access control decision response returned by the PDP to the PEP may include the attribute value of the <authorizationDecision> resource and/or the content of the sub-resource of the resource, obtained according to the return result indication information and the resource access filter condition in the access control decision request.
  • FIG. 9 exemplarily shows an interaction flow between a PEP and a PDP.
  • the process may include the following steps:
  • Step 901 The PEP in the Hosting CSE generates an Access Control Decision Request according to the resource access request of the resource access initiator (originator), and sends the request to the CSE with the PDP function.
  • the access control decision request can be implemented by using the read operation of oneM2M, that is, using the Retrieve operation of oneM2M to read the <authorizationDecision> resource in the resource tree of the CSE with the PDP function, and constructing the Content parameter in the request using the attributes in the resource.
  • the decision attribute of the <authorizationDecision> resource is a mandatory attribute, indicating that the PDP needs to return access control decision information; the others are optional attributes.
  • the Content parameter can also be constructed using the permittedAttributes attribute of the <authorizationDecision> resource.
  • in that case the Content parameter indicates that the PDP also needs to return a list of suggested accessible resource attribute names.
  • the Content parameter can also be constructed using the permittedResourceTypes attribute of the <authorizationDecision> resource.
  • in that case the Content parameter indicates that the PDP also needs to return a list of suggested accessible sub-resource type identifiers.
  • the Content parameter can also be constructed using the status attribute of the <authorizationDecision> resource.
  • in that case the Content parameter indicates that the PDP also needs to return any error message produced during the decision process.
  • the Filter Criteria parameter in the access control decision request can also be constructed by using the attributes in the <authorizationDecision> resource.
  • the to attribute, from attribute, and operation attribute of the <authorizationDecision> resource are mandatory attributes, and the other attributes are optional attributes.
  • Step 902 After receiving the resource access request from the PEP carrying the Access Control Decision Request, the CSE having the PDP function performs the following operations:
  • the PDP obtains an access control policy based on the data provided in the Filter Criteria parameter. If the access control policy cannot be obtained locally, refer to the interaction process between the PDP and the PRP.
  • the PDP obtains access control information based on the data provided in the Filter Criteria parameter. If the access control information cannot be obtained locally, refer to the interaction process between the PDP and the PIP.
  • the PDP obtains various attributes required for the access control decision evaluation process from the Filter Criteria parameter, for example, the resource access initiator identifier, the target resource address, the operation on the target resource, and the context information such as the time, place, and IP address of the request. Then, the resource access request is evaluated according to the obtained access control policy and the access control information, and corresponding evaluation results are generated.
  • for the specific evaluation process, refer to the related description in the oneM2M protocol.
  • if the request includes the resource attributes permittedAttributes and/or permittedResourceTypes, the PDP generates the corresponding values according to the description in the access control policy, that is, the list of resource attribute names or the list of sub-resource type identifiers that the resource access initiator is allowed to access; if the resource attribute status is included, the corresponding value is generated to indicate whether the evaluation process encountered an error and which error occurred, such as attributes required for the access control decision process being missing, or syntax errors.
  • Step 903 The PDP-CSE generates a resource access response carrying an Access Control Decision Response according to the evaluation result of step 902, which contains the values of attributes such as the decision attribute, the permittedAttributes attribute, the permittedResourceTypes attribute, or the status attribute. These resource attribute names and their attribute values are placed in the Content parameter of the response.
  • the PDP-CSE then sends the generated response to the PEP.
  • FIG. 10 exemplarily shows an interaction flow between a PDP and a PRP.
  • the process may include the following steps:
  • Step 1001 The PDP located in the CSE generates an Access Control Policy Request according to the access control decision request sent by the PEP, and sends the request to the CSE with the PRP function.
  • the access control policy request can be implemented by using the read operation of oneM2M, that is, using the Retrieve operation of oneM2M to read the <authorizationPolicy> resource in the resource tree of the CSE with the PRP function, and constructing the Content parameter in the request by using the attributes in the resource.
  • the policy attribute of the <authorizationPolicy> resource is a mandatory attribute, indicating that the PRP needs to return the access control policy; the others are optional attributes.
  • the Filter Criteria parameter in the request can also be constructed using the attributes in the <authorizationPolicy> resource.
  • when the Filter Criteria parameter is constructed, the to attribute in the <authorizationPolicy> resource is mandatory, and the other attributes are optional.
  • Step 1002 After receiving the resource access request from the PDP carrying the Access Control Policy Request, the CSE having the PRP function performs the following operations:
  • the CSE with the PRP function obtains an access control policy based on the data provided in the Filter Criteria parameter.
  • the PRP puts the obtained access control policy into the resource attribute policy; if the request contains the resource attribute combiningAlgorithm, the PRP also needs to provide the corresponding value.
  • Step 1003 The PRP-CSE generates a resource access response carrying an Access Control Policy Response according to the query result of step 1002, which includes the values of attributes such as the policy attribute or the combiningAlgorithm attribute; the resource attribute names and their attribute values are placed in the Content parameter of the response.
  • the PRP-CSE then sends the generated response to the PDP.
  • FIG. 11 exemplarily shows an interaction flow between a PDP and a PIP.
  • the process may include the following steps:
  • Step 1101 The PDP located in the CSE generates an Access Control Information Request according to the access control decision request sent by the PEP, and sends the request to the CSE with the PIP function.
  • the access control information request can be implemented by using the oneM2M read operation, that is, using the Retrieve operation of oneM2M to read the <authorizationInformation> resource in the resource tree of the CSE with the PIP function, and using the attributes in the resource to construct the Content parameter in the request, or asking the PIP to return the queried sub-resources.
  • the value of the Result Content parameter in the access control information request is set to: "child-resources". This setting requires the PIP to return the role resource and/or token resource belonging to the resource access initiator according to the roleIDs and/or tokenIDs provided in the Filter Criteria parameter.
  • the Filter Criteria parameter in the request can be constructed using the attributes in the ⁇ authorizationInformation> resource.
  • the from attribute of the <authorizationInformation> resource is mandatory and the others are optional.
  • the Filter Criteria parameter can be constructed using the roleIDs attribute of the <authorizationInformation> resource.
  • when the access control decision request received by the PDP includes the tokenIDs (that is, when the Filter Criteria parameter of that request includes the tokenIDs attribute name and attribute value), the PDP includes them in the access control information request sent to the PIP.
  • the Filter Criteria parameter can be constructed using the tokenIDs attribute of the <authorizationInformation> resource.
  • Step 1102 After receiving the resource access request from the PDP and carrying the access control information request (Access Control Information Request), the CSE having the PIP function performs the following operations:
  • the PIP obtains access control information based on the data provided in the Filter Criteria parameter.
  • the PIP puts the obtained access control information into the corresponding resource attributes or the corresponding target sub-resources, such as <role> resources and <token> resources.
  • Step 1103 The PIP-CSE generates, according to the query result of step 1102, a resource access response carrying an Access Control Information Response, which includes the queried <role> resources and/or <token> resources and the like.
  • the PIP-CSE then sends the generated response to the PDP.
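As an added example that is not part of the patent, the following Python simulates the PEP, PDP, PRP and PIP exchanges of FIG. 9 to FIG. 11 over constructed policy and role data; the dictionary request/response format, the PERMIT/DENY decision values, the rule layout and the holder field of the <role> resources are assumptions. It also shows the status attribute reporting a missing mandatory attribute, and the PIP filtering out a role that was never issued to the originator.

```python
# Added example (not the patent's code): simulated oneM2M authorization
# exchanges of FIG. 9-11. Data below is constructed; formats are assumed.

# Policy repository (PRP): rules keyed by the target resource ('to').
PRP_POLICIES = {
    "/cse-base/sensor01": [
        {"role": "role:operator", "operations": {"Retrieve", "Update"},
         "permittedAttributes": ["temperature", "status"],
         "permittedResourceTypes": ["contentInstance"]},
        {"role": "role:guest", "operations": {"Retrieve"},
         "permittedAttributes": ["temperature"],
         "permittedResourceTypes": []},
    ],
}
# Information point (PIP): <role> child resources keyed by roleID; the
# 'holder' field (assumed) records which originator the role was issued to.
PIP_ROLES = {
    "role:operator": {"roleID": "role:operator", "holder": "ae-alice"},
    "role:guest": {"roleID": "role:guest", "holder": "ae-bob"},
}
MANDATORY = ("to", "from", "operation")  # mandatory Filter Criteria attributes


def pep_build_decision_request(originator, target, operation, role_ids=()):
    """Step 901: the PEP builds an Access Control Decision Request from the
    <authorizationDecision> resource. Content lists the attributes the PDP
    must return (decision is mandatory); Filter Criteria carries to/from/
    operation plus the optional roleIDs claimed by the originator."""
    return {
        "content": ["decision", "permittedAttributes",
                    "permittedResourceTypes", "status"],
        "filterCriteria": {"to": target, "from": originator,
                           "operation": operation, "roleIDs": list(role_ids)},
    }


def prp_retrieve_policy(filter_criteria):
    """Steps 1001-1003: Retrieve on <authorizationPolicy>; 'to' is the
    mandatory Filter Criteria attribute, 'policy' the returned attribute."""
    return {"policy": PRP_POLICIES.get(filter_criteria["to"], [])}


def pip_retrieve_information(filter_criteria, result_content="child-resources"):
    """Steps 1101-1103: Retrieve on <authorizationInformation> with Result
    Content 'child-resources'. Only <role> resources whose roleID is listed
    AND that were issued to 'from' are returned, so a claimed role that was
    never issued to the originator does not reach the decision."""
    if result_content != "child-resources":
        raise ValueError("PIP expects Result Content = child-resources")
    roles = [PIP_ROLES[r] for r in filter_criteria.get("roleIDs", [])
             if r in PIP_ROLES and PIP_ROLES[r]["holder"] == filter_criteria["from"]]
    return {"role": roles}


def pdp_decide(request):
    """Steps 902-903: evaluate the request and build the response Content.
    A request lacking a mandatory attribute is denied and the cause is
    reported in 'status', never silently permitted."""
    fc, wanted = request["filterCriteria"], request["content"]
    missing = [a for a in MANDATORY if a not in fc]
    if missing:
        return {"decision": "DENY",
                "status": "missing attributes: " + ", ".join(missing)}
    policy = prp_retrieve_policy({"to": fc["to"]})
    info = pip_retrieve_information({"from": fc["from"],
                                     "roleIDs": fc.get("roleIDs", [])})
    held = {r["roleID"] for r in info["role"]}
    matched = [rule for rule in policy["policy"]
               if rule["role"] in held and fc["operation"] in rule["operations"]]
    response = {"decision": "PERMIT" if matched else "DENY"}
    if "permittedAttributes" in wanted:
        response["permittedAttributes"] = sorted(
            {a for rule in matched for a in rule["permittedAttributes"]})
    if "permittedResourceTypes" in wanted:
        response["permittedResourceTypes"] = sorted(
            {t for rule in matched for t in rule["permittedResourceTypes"]})
    if "status" in wanted:
        response["status"] = "ok"
    return response


if __name__ == "__main__":
    req = pep_build_decision_request("ae-alice", "/cse-base/sensor01",
                                     "Update", ["role:operator"])
    print(pdp_decide(req))
```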
  • the interaction functions between the above-mentioned authorization entities may also be implemented by using the resource creation operation (Create) of oneM2M.
  • the initiator of the request carries the information that needs to be input through the Content parameter in the Create operation; after receiving the request, the receiver will trigger a corresponding authorization process, and the authorization process performs the corresponding authorization by using the input information provided in the Content parameter.
  • the existing oneM2M only defines the high-level architecture of the authorization system, and does not provide a specific solution.
  • the embodiment of the present application provides a method for implementing a distributed authorization system in a oneM2M system.
  • the new resources and resource operations defined in the embodiment of the present application conform to the common resource types specified by oneM2M and fit the RESTful operation mode well, so there is no need to make excessive changes to the existing oneM2M technology.
  • the embodiment of the present application further provides a PDP, and the provided PDP can practice the flow described in the foregoing embodiment.
  • FIG. 12 is a schematic structural diagram of a PDP according to an embodiment of the present disclosure.
  • the PDP may include: a receiving module 1201, a decision module 1202, and a sending module 1203. Further, the PDP may further include a first acquiring module 1204, and may further include a second acquiring module 1205, wherein:
  • the receiving module 1201 is configured to receive an access control decision request sent by the PEP, where the access control decision request is generated by the PEP according to an authorization decision resource;
  • the decision module 1202 is configured to perform an access control decision according to the access control decision request, and obtain access control decision information.
  • the sending module 1203 is configured to carry the access control decision information in the access control decision response and send the response to the PEP.
  • the first acquiring module 1204 is configured to send, according to the access control decision request, an access control policy request to the PRP, where the access control policy request is generated by the PDP according to the authorization policy resource; and to receive the access control policy response returned by the PRP, where the access control policy response includes an access control policy obtained by the PRP according to the access control policy request.
  • the decision module 1202 can perform an access control decision according to the access control policy acquired by the first obtaining module 1204.
  • the second acquiring module 1205 is configured to send, according to the access control decision request, an access control information request to the PIP, where the access control information request is generated by the PDP according to the authorization information resource; and to receive the access control information response returned by the PIP, where the access control information response includes the access control information obtained by the PIP according to the access control information request.
  • the decision module 1202 can perform an access control decision according to the access control information acquired by the second obtaining module 1205.
  • FIG. 13 is a schematic structural diagram of a PDP according to another embodiment of the present application.
  • the PDP may include: a receiving module 1301, an obtaining module 1302, a decision module 1303, and a sending module 1304, where:
  • the receiving module 1301 is configured to receive an access control decision request sent by the PEP.
  • the obtaining module 1302 is configured to send, according to the access control decision request, an access control policy request to the PRP, where the access control policy request is generated by the PDP according to the authorization policy resource, and receive an access control policy response returned by the PRP.
  • the access control policy response includes an access control policy obtained by the PRP according to the access control decision request;
  • the decision module 1303 is configured to perform an access control decision according to the obtained access control policy, and obtain access control decision information.
  • the sending module 1304 is configured to carry the access control decision information in the access control decision response and send the response to the PEP.
  • FIG. 14 is a schematic structural diagram of a PDP according to another embodiment of the present application.
  • the PDP may include: a receiving module 1401, an obtaining module 1402, a decision module 1403, and a sending module 1404, where:
  • the receiving module 1401 is configured to receive an access control decision request sent by the PEP.
  • the obtaining module 1402 is configured to send, according to the access control decision request, an access control information request to the PIP, where the access control information request is generated by the PDP according to the authorization information resource; and the access control information response returned by the PIP is received.
  • the access control information response includes the access control information that the PIP requests according to the access control information request;
  • the decision module 1403 is configured to perform an access control decision according to the obtained access control information, and obtain access control decision information.
  • the sending module 1404 is configured to carry the access control decision information in the access control decision response and send the response to the PEP.
  • FIG. 15 is a schematic structural diagram of a PDP according to an embodiment of the present disclosure, where the PDP may include:
  • the processor 1501 is configured to send and receive data through the transceiver 1502, and read the program in the memory 1504, and perform the following process:
  • the transceiver 1502 is configured to receive and transmit data under the control of the processor 1501.
  • the processor 1501 is configured to send, according to the access control decision request, an access control policy request to the PRP, where the access control policy request is generated by the PDP according to the authorization policy resource; and to receive the access control policy response returned by the PRP, where the access control policy response includes an access control policy obtained by the PRP according to the access control policy request.
  • the processor 1501 can make an access control decision according to the obtained access control policy.
  • the processor 1501 is configured to send, according to the access control decision request, an access control information request to the PIP, where the access control information request is generated by the PDP according to the authorization information resource; and to receive the access control information response returned by the PIP.
  • the access control information response includes access control information acquired by the PIP according to the access control information request.
  • the processor 1501 can perform an access control decision according to the acquired access control information.
  • bus 1500 can include any number of interconnected buses and bridges; bus 1500 links together various circuits, including one or more processors represented by processor 1501 and memory represented by memory 1504.
  • the bus 1500 can also link various other circuits, such as peripherals, voltage regulators, and power management circuits, as is known in the art and, therefore, will not be further described herein.
  • Bus interface 1503 provides an interface between bus 1500 and transceiver 1502.
  • Transceiver 1502 can be an element or a plurality of elements, such as multiple receivers and transmitters, providing means for communicating with various other devices on a transmission medium. Data processed by processor 1501 is transmitted by transceiver 1502. Further, transceiver 1502 also receives data and transmits the data to processor 1501.
  • the processor 1501 is responsible for managing the bus 1500 and the usual processing, and can also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions.
  • the memory 1504 can be used to store data used by the processor 1501 when performing operations.
  • the processor 1501 may be a CPU (Central Processing Unit), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array), or a CPLD (Complex Programmable Logic Device).
  • FIG. 16 is a schematic structural diagram of a PDP according to another embodiment of the present application.
  • the PDP can include:
  • the processor 1601 is configured to send and receive data through the transceiver 1602, and read the program in the memory 1604, and perform the following process:
  • receiving an access control decision request sent by the PEP; sending, according to the access control decision request, an access control policy request to the PRP, where the access control policy request is generated by the PDP according to an authorization policy resource; receiving an access control policy response returned by the PRP, where the access control policy response includes an access control policy obtained by the PRP according to the access control policy request; performing an access control decision according to the obtained access control policy, and obtaining access control decision information; and carrying the access control decision information in the access control decision response and sending it to the PEP.
  • the transceiver 1602 is configured to receive and transmit data under the control of the processor 1601.
  • bus 1600 can include any number of interconnected buses and bridges; bus 1600 links together various circuits, including one or more processors represented by processor 1601 and memory represented by memory 1604. Bus 1600 can also link various other circuits, such as peripherals, voltage regulators, and power management circuits, as is known in the art, and therefore they will not be further described herein.
  • Bus interface 1603 provides an interface between bus 1600 and transceiver 1602. Transceiver 1602 can be one element or a plurality of elements, such as multiple receivers and transmitters, providing means for communicating with various other devices over a transmission medium. Data processed by processor 1601 is transmitted by transceiver 1602. Further, transceiver 1602 also receives data and passes the data to processor 1601.
  • the processor 1601 is responsible for managing the bus 1600 and the usual processing, and can also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions.
  • the memory 1604 can be used to store data used by the processor 1601 in performing operations.
  • the processor 1601 may be a CPU, an ASIC, an FPGA, or a CPLD.
  • FIG. 17 is a schematic structural diagram of a PDP according to another embodiment of the present application.
  • the PDP can include:
  • the processor 1701 is configured to send and receive data through the transceiver 1702, and read the program in the memory 1704, and perform the following process:
  • receiving an access control decision request sent by the PEP; sending, according to the access control decision request, an access control information request to the PIP, where the access control information request is generated by the PDP according to the authorization information resource; receiving the access control information response returned by the PIP, where the access control information response includes access control information obtained by the PIP according to the access control information request; performing an access control decision according to the obtained access control information to obtain access control decision information; and carrying the access control decision information in the access control decision response and sending it to the PEP.
  • the transceiver 1702 is configured to receive and transmit data under the control of the processor 1701.
  • bus 1700, which may include any number of interconnected buses and bridges, links together various circuits, including one or more processors represented by processor 1701 and memory represented by memory 1704.
  • the bus 1700 can also link various other circuits, such as peripherals, voltage regulators, and power management circuits, as is well known in the art, and therefore, will not be further described herein.
  • Bus interface 1703 provides an interface between bus 1700 and transceiver 1702.
  • the transceiver 1702 can be an element or a plurality of elements, such as a plurality of receivers and transmitters, providing means for communicating with various other devices on a transmission medium. Data processed by processor 1701 is transmitted by transceiver 1702. Further, transceiver 1702 also receives data and transmits the data to processor 1701.
  • the processor 1701 is responsible for managing the bus 1700 and the usual processing, and can also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions.
  • the memory 1704 can be used to store data used by the processor 1701 in performing operations.
  • the processor 1701 may be a CPU, an ASIC, an FPGA, or a CPLD.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising instruction means.
  • the instruction means implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • these computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing.
  • the instructions executed on the computer or other programmable device thereby provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Abstract

The present invention relates to a method and apparatus for resource access control. In the present invention, an authorization entity generates a request message in a resource access control process according to a newly defined resource, such as an authorization decision resource, an authorization policy resource or an authorization information resource, so as to obtain necessary information from another authorization entity and to provide a resource access control solution at the resource structure layer.
PCT/CN2017/079937 2016-04-18 2017-04-10 Method and apparatus for resource access control WO2017181863A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610243763.8 2016-04-18
CN201610243763.8A CN107306247B (zh) 2016-04-18 2016-04-18 Resource access control method and apparatus

Publications (1)

Publication Number Publication Date
WO2017181863A1 true WO2017181863A1 (fr) 2017-10-26

Family

ID=60115568

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/079937 WO2017181863A1 (fr) 2016-04-18 2017-04-10 Resource access control method and apparatus

Country Status (2)

Country Link
CN (1) CN107306247B (fr)
WO (1) WO2017181863A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110197075A (zh) * 2018-04-11 2019-09-03 腾讯科技(深圳)有限公司 Resource access method, apparatus, computing device and storage medium
CN111241519A (zh) * 2020-01-19 2020-06-05 北京工业大学 Certificate-based access control system and method

Families Citing this family (3)

Publication number Priority date Publication date Assignee Title
CN109165516A (zh) * 2018-08-14 2019-01-08 中国银联股份有限公司 Access control method and apparatus
CN111490966A (zh) * 2019-01-28 2020-08-04 电信科学技术研究院有限公司 Access control policy processing method, apparatus and computer-readable storage medium
CN111669386B (zh) * 2020-05-29 2021-06-04 武汉理工大学 Token-based access control method and apparatus supporting object attributes

Citations (3)

Publication number Priority date Publication date Assignee Title
US20130227638A1 (en) * 2012-02-27 2013-08-29 Axiomatics Ab Provisioning authorization claims using attribute-based access-control policies
WO2015080401A1 (fr) * 2013-12-01 2015-06-04 엘지전자 주식회사 Method and apparatus for managing specific resources in a wireless communication system
CN104811465A (zh) * 2014-01-27 2015-07-29 电信科学技术研究院 Access control decision method and device

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
CN104955153B (zh) * 2015-05-29 2022-03-11 青岛海尔智能家电科技有限公司 Resource discovery method, apparatus and device

Cited By (3)

Publication number Priority date Publication date Assignee Title
CN110197075A (zh) * 2018-04-11 2019-09-03 腾讯科技(深圳)有限公司 Resource access method, apparatus, computing device and storage medium
CN111241519A (zh) * 2020-01-19 2020-06-05 北京工业大学 Certificate-based access control system and method
CN111241519B (zh) * 2020-01-19 2022-07-26 北京工业大学 Certificate-based access control system and method

Also Published As

Publication number Publication date
CN107306247B (zh) 2020-09-01
CN107306247A (zh) 2017-10-31

Similar Documents

Publication Publication Date Title
WO2017181863A1 (fr) Resource access control method and apparatus
US20220255796A1 (en) Object identification for groups of IoT devices
JP6636631B2 (ja) RESTful operations for semantic IoT
EP3861706B1 (fr) Framework for dynamic brokering and management of topics and data at the service layer
CN109936571B (zh) Mass data sharing method, open sharing platform and electronic device
WO2017076165A1 (fr) Access control method, and access token issuing method and device
WO2020038400A1 (fr) Access control policy configuration method, device and system, and storage medium
EP3547634A1 (fr) Method and apparatus for determining access permission, and terminal
WO2018090191A1 (fr) Management method, management unit and system for a network function
EP2586155A1 (fr) Authorization control
WO2016141783A1 (fr) Access control, policy acquisition and attribute acquisition method and related apparatus
WO2017045450A1 (fr) Resource operation processing method and device
WO2020253344A1 (fr) Authorization control method and apparatus, and storage medium
US20220060390A1 (en) System and methods for supporting artificial intelligence service in a network
WO2017121240A1 (fr) Resource access control method, device and system
KR20210008525A (ko) Subscription server, subscription terminal, information subscription method, and system
KR20200047720A (ko) Service layer message templates in a communication network
EP4423957A1 (fr) Methods and systems for distributed blockchain functionalities
CN106656942B (zh) Role token issuing method, access control method and related device
US20230086068A1 (en) Enabling an action based on a permission identifier for real-time identity resolution in a distributed system
CN112181599A (zh) Model training method, apparatus and storage medium
CN115396494A (zh) Real-time monitoring method and system based on stream computing
WO2017076129A1 (fr) Role issuing method, access control method, and related device
JP2023518004A (ja) Revocation of access to a network

Legal Events

Date Code Title Description
NENP Non-entry into the national phase (Ref country code: DE)
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 17785348; Country of ref document: EP; Kind code of ref document: A1)
122 Ep: PCT application non-entry in European phase (Ref document number: 17785348; Country of ref document: EP; Kind code of ref document: A1)