WO2020207233A1 - Permission control method and apparatus for blockchain - Google Patents

Permission control method and apparatus for blockchain

Publication number
WO2020207233A1
Authority
WO
WIPO (PCT)
Prior art keywords
authorized
authorization
resource
party
token
Application number
PCT/CN2020/080519
Inventor
胡朝新
张俊麒
陈浩
苏小康
张开翔
范瑞彬
Original Assignee
深圳前海微众银行股份有限公司
Application filed by 深圳前海微众银行股份有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Definitions

  • the embodiments of the present invention relate to the technical field of Fintech, and in particular to a method and device for controlling permissions of a blockchain.
  • Single sign-on (SSO) is a user authentication process that allows users to access different applications in a system after authenticating once; there is no need to re-enter the user account and password when accessing each application.
  • SSO integrates user login and user account management across all domains within an enterprise. This reduces the time users spend logging in to different systems, reduces the possibility of user login errors, and achieves security while avoiding the processing and saving of multiple sets of authentication information for system users.
  • It also reduces the time system administrators spend adding, deleting, and modifying user permissions, and increases security.
  • System administrators have better ways to manage users, such as directly banning or deleting a user to cancel that user's access to all system resources.
  • The present invention provides a blockchain permission control method and device.
  • the present invention provides a permission control method for blockchain, including:
  • The verification agency receives the verification request sent by the resource party, and the verification request includes the authorization Token; the verification agency searches the blockchain for the authorization digest matching the authorization Token and, after finding the matching authorization digest, sends a verification pass message to the resource party; the blockchain stores the authorization summary of the authorization token generated by each authorized party.
  • Because the verification agency verifies the authorization Token authorized by the authorized party, instead of verifying authorization rules as in the prior art, the rule storm problem caused by too many authorization rules on the blockchain is avoided and the privacy of the authorization Token is ensured.
  • Because the authorization summary corresponding to the authorization Token is stored on the blockchain, the problem of low authorization security caused by the possibility of the authorized party doing evil while managing rights for the user is also avoided, which ensures the security of authorized tokens.
  • The method further includes: the verification agency receives an upload request sent by an authorized party, and the upload request includes an authorization token; if the verification agency verifies that the authorized party in the authorized token is legal and the authorization content in the authorization token includes authorized resources, the authorization summary of the authorization token is uploaded to the blockchain.
  • the authorization token stores the corresponding authorization digest through the blockchain, and verifies the legality of the authorization token on the chain, so that the security of the authorization token can be guaranteed, and the authorization party can avoid the authorization management for the user.
  • Account information is also stored in the blockchain. The account information includes the corresponding relationship between the account and the attribute, and the corresponding relationship between the attribute and the resource authority.
  • The verification agency verifying that the authorizing party in the authorization Token is legal includes: determining the attribute of the authorizing party according to the corresponding relationship between the account and the attribute; determining, according to the corresponding relationship between the attribute and the resource authority, whether the attribute of the authorizing party has access rights to the authorized content in the authorization token; and, if it does, determining that the authorized party of the authorized Token is legal.
  • The verification agency can verify the authorization party's access authority according to the authorization party's attributes, which reduces the complexity of the verification process; because fewer permission rules need to be stored for each account, the problem of rule storms can be further avoided.
  • the authorization Token is generated by an authorization organization.
  • the authorization Token is generated by the authorization agency, which can prevent the authorized party from generating the authorization Token privately, thereby improving the security of the authorization Token.
  • the present invention provides a method for controlling permissions of a blockchain, including:
  • The resource party obtains an access request for the first resource sent by the resource requester; the access request includes an authorization token, and the authorization Token includes an authorized party and authorized content. When the resource party determines that the access request satisfies the first access condition for accessing the first resource, the first resource is sent to the resource requester. The first access condition is that the authorization digest matching the authorization Token is found through the blockchain, the authorized party in the authorization Token is legal, and the authorized content in the authorized token includes the first resource. The blockchain stores the authorization summary of the authorized token generated by each authorized party.
  • The resource requester carries the authorization Token in the access request, so that the resource party can perform multi-party verification of the authorization Token, such as verifying the legitimacy of the authorization Token, the authorization content of the authorization Token, and the authorization of the authorizing party.
  • The resource party determines the authority by verifying the authorization token authorized by the authorizing party, instead of verifying authority rules as in the prior art. This not only avoids the rule storm caused by too many authority rules on the blockchain, but also ensures the privacy of the authorized token and guarantees the validity of the verification results.
  • In addition, since the authorization digest corresponding to the authorization token is stored on the blockchain and the legality of the authorization token is verified on the chain, the security of the authorization token can be guaranteed, and the possibility of the authorizing party doing evil when managing permissions for users is avoided.
  • The access request further includes an authorized party signature, which is obtained by the authorized party signing the generated authorization token; before the resource party determines that the access request satisfies the access condition of the first resource, it also determines, through the authorizing party's signature, that the authorization Token is issued by the authorizing party.
  • Before the resource party determines that the access request meets the first access condition for accessing the resource, it also determines that the access request does not meet the second access condition for accessing the resource; the second access condition is that the account of the resource requester is an account with access authority to the first resource recorded in the account information.
  • The authorized content includes authorized attributes; whether the authorized content in the authorization token includes the first resource is determined as follows: according to the authorized attributes, the corresponding relationship between attributes and resource authority is searched to find whether the resources corresponding to the authorized attributes include the first resource; if it is determined that the first resource is included, it is determined that the authorized content in the authorization token includes the first resource.
  • In this way, the authorization and verification of authorized tokens are made more flexible, and by compressing the fields of authorized tokens, the transmission time of verification can also be shortened.
  • The authorization Token can be verified by verifying the authorized attributes or the resources corresponding to the authorized attributes, so more optional verification methods are provided and the verification efficiency is higher.
  • The authorized content includes authorized resources; whether the authorized content in the authorization token includes the first resource is determined as follows: if it is determined that the authorized resources in the authorized content include the first resource, it is determined that the authorized content in the authorization Token includes the first resource.
  • an embodiment of the present invention provides a permission control device for a blockchain, including:
  • the transceiver unit is configured to receive a verification request sent by the resource party, where the verification request includes an authorization token;
  • the processing unit is configured to search for an authorization summary matching the authorization Token through the blockchain; the blockchain stores the authorization summary of the authorization Token generated by each authorized party;
  • the transceiver unit is configured to send a verification pass message to the resource party after finding the authorization digest matching the authorization Token.
  • The transceiver unit is further configured to receive an upload request sent by an authorized party, where the upload request includes an authorization token; the processing unit is further configured to upload the authorization summary of the authorization token to the blockchain if it verifies that the authorized party in the authorized token is legal and the authorization content in the authorization token includes authorized resources.
  • Account information is also stored in the blockchain, and the account information includes the correspondence between accounts and attributes, and the correspondence between attributes and resource permissions; the processing unit is specifically configured to determine the attribute of the authorizing party according to the corresponding relationship between the account and the attribute; determine, according to the corresponding relationship between the attribute and the resource authority, whether the attribute of the authorizing party has the access authority to the authorized content in the authorization token; and, if so, determine that the authorized party of the authorized Token is legal.
  • the authorization Token is generated by an authorization organization.
  • an embodiment of the present invention provides a permission control device for a blockchain, including:
  • the transceiver unit is configured to obtain an access request for the first resource sent by the resource requester; the access request includes an authorization voucher Token; the authorization Token includes an authorized party and authorized content;
  • The processing unit is configured to send the first resource to the resource requester when it is determined that the access request satisfies the first access condition for accessing the first resource; the first access condition is that the authorization summary matching the authorization Token is found through the blockchain, the authorization party in the authorization Token is legal, and the authorization content in the authorization Token includes the first resource; the blockchain stores the authorization summary of the authorization Token generated by each authorization party.
  • The access request further includes an authorized party signature, which is obtained by the authorized party signing the generated authorization token; before the processing unit determines that the access request satisfies the access condition of the first resource, it also determines, through the authorizing party's signature, that the authorization Token is issued by the authorizing party.
  • Before the processing unit determines that the access request meets the first access condition for accessing the resource, it also determines that the access request does not meet the second access condition for accessing the resource; the second access condition is that the account of the resource requester is an account with access authority to the first resource recorded in the account information.
  • The authorized content includes authorized attributes; the processing unit is specifically configured to search, according to the authorized attributes, the corresponding relationship between the attributes and the resource permissions to find whether the resources corresponding to the authorized attributes include the first resource; if it is determined that the first resource is included, it is determined that the authorized content in the authorization Token includes the first resource.
  • The authorized content includes authorized resources; the processing unit is specifically configured to: if it is determined that the authorized resource in the authorized content includes the first resource, determine that the authorized content includes the first resource.
  • An embodiment of the present invention provides a computer device, including at least one processing unit and at least one storage unit, wherein the storage unit stores a computer program, and when the program is executed by the processing unit, the processing unit is made to execute the steps of the permission control method of the blockchain.
  • An embodiment of the present invention provides a computer-readable medium that stores a computer program executable by a terminal device, and when the program runs on the terminal device, the terminal device is made to execute the steps of the permission control method of the blockchain.
  • FIG. 1 is a schematic diagram of a system architecture of a blockchain network provided by an embodiment of the present invention
  • FIG. 2 is a schematic flowchart of a method for controlling permissions on a blockchain according to an embodiment of the present invention
  • FIG. 3 is a schematic flowchart of a method for controlling permissions on a blockchain according to an embodiment of the present invention
  • FIG. 4 is a schematic flowchart of a method for controlling permissions on a blockchain according to an embodiment of the present invention
  • FIG. 5 is a schematic structural diagram of a permission control device for a blockchain provided by an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of another block chain permission control device provided by an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a computing device provided by an embodiment of the present invention.
  • Blockchain is a new distributed infrastructure and calculation method that uses one or more of the following: a block-chain data structure to verify and store data, a distributed node consensus algorithm to generate and update data, cryptography to ensure the security of data transmission and access, and smart contracts composed of automated script code to program and manipulate data.
  • The embodiment of the present invention provides a method for controlling permissions on a blockchain, which can be applied in a blockchain network scenario to improve the security of single sign-on and avoid the possibility of an authorized party doing evil.
  • FIG. 1 is a schematic diagram of the system architecture of a blockchain network provided by an embodiment of the present invention.
  • The blockchain network includes multiple network nodes, such as network node 101, network node 102, and network node 103; any network node includes a blockchain authority control device.
  • each network node can be a server or a server cluster composed of several servers, and each network node is connected through a wireless network.
  • each organization can correspond to one or more network nodes, and the tables in each network node in the blockchain are synchronized in real time.
  • the institution initiates a transaction request through a transaction account in other network nodes.
  • the network node determines the content to be operated based on the transaction information.
  • the transaction request can be an access request for accessing resources, or a verification request.
  • the content to be operated can be access to resources, or verification rights.
  • the network node determines the transaction account corresponding to the content to be operated from the preset permission table, and when it is determined that the transaction account matches the permission account corresponding to the content to be operated, returns the resource that the user needs to access.
  • After that, the network node generates an operation record of the content to be operated, and sends the operation record to other network nodes in the blockchain network.
  • The operation record includes the identifier of the content to be operated, the authority content of the content to be operated, and the transaction account.
  • The resource mentioned in the present invention may be a resource URI, a data web page Uniform Resource Locator (URL), a Representational State Transfer application programming interface (RESTful API) such as GET/POST/DELETE, and so on, without limitation.
  • the embodiments of the present invention provide a flow of a blockchain permission control method to solve the technical problem of rule storms that occur in the prior art when the number of users and business volume increase rapidly.
  • Fig. 2 is a schematic flowchart of a method for controlling permission of a blockchain according to an embodiment of the present invention.
  • the method can be executed by a permission control device of a blockchain. As shown in Fig. 2, the method includes the following steps:
  • Step 201 The verification agency receives a verification request sent by the resource party, where the verification request includes an authorization token.
  • Step 202 The verification agency searches for an authorization digest matching the authorization Token through the blockchain; the blockchain stores the authorization digest of the authorization Token generated by each authorized party.
  • Step 203 After finding the authorization digest matching the authorization Token, the verification agency sends a verification pass message to the resource party.
  • The authorization Token is generated by the authorizer, so the authorized content of the authorization Token does not need to be completely stored in the authorization table. Therefore, when the resource requester's account initiates an access request, the authorizer and the authorization Token can be verified directly to achieve flexible control of access to resources. Moreover, since the authorizer does not need to write the authorization table when generating the authorization token, the authorizer can freely set specific account permissions according to its own permissions, and add or delete the authorized content of the authorized token based on actual needs. This allows permissions to be added and deleted freely, avoids the rule storm problem caused by putting all the rules on the chain, and improves the privacy protection of authorized tokens.
  • the authorizer can create a corresponding authorization Token for the resource requester.
  • the resource requester can be any user in the single sign-on system, or any account registered on the blockchain.
  • the specific generation process can include:
  • the authorizer generates an authorization token in a specified format according to the authorization target account (combined with the above scenarios, it can be the resource requester), the authorizer account, the authorization content, and the authorization start and end time.
  • the authorizing party can create a corresponding authorization token for the resource requester outside the chain.
  • the authorizing party is an authorized institution, and the authorized institution can be a device outside the chain. After the authorized institution is verified, the authorized Token can be sent to the resource requester.
  • The management node can be selected from the blockchain network, and then the account corresponding to the management node can be set as the administrator account. Only the administrator account can become the authorized party, and a non-administrator account cannot become the authorized party; that is, a non-administrator account has no authorization function.
  • the authorized content of the authorization token may include two types of authorized content of attributes and resources.
  • attribute authorization means that the authorizing party can authorize one of its own attributes to the resource party.
  • the attribute can be any feature of the account, such as the role of the account, the geographic location of the account, the access time and other features, which are not limited here.
  • Resource authorization means that the authorizing party can authorize its own access rights to a resource to the resource requesting party.
  • the permission information may be stored in the permission table, and used to determine the permission control usage rule.
  • When setting an account's authority to a certain table, the authority record corresponding to the account is added to the permission table.
  • The permission table is located in a block of the blockchain.
  • When the permission table is updated, the updated permission table takes effect in the next block after the current block. For example, when a new permission record A is added to the permission table, a new block is generated after the current block, and the new permission record A is stored in the block body of the new block. Or, when the permission record B is modified in the permission table, a new block is generated after the current block, and the modified permission record B is stored in the block body of the new block.
  • a preset permission contract interface can be used to operate the permission table.
  • the rights contract interface can include a write interface, a remove interface, a query interface, and so on.
  • the write interface sets the permission record through the table name and account address, and returns the set number of records.
  • The set record will be saved in the permission table. If the permission record is an existing permission record, the interface refuses to set the same permission record repeatedly, that is, it returns 0 directly.
  • the removal interface removes the set permission records through the table name and account address, and returns the number of removed records.
  • the query interface queries the set permission record through the table name, and returns the permission record obtained by the query.
  • the record can be returned in the form of a json string.
  • the permission table may include an attribute account table and an attribute permission table.
  • the attribute account table is used to store attributes in the registered account and the account corresponding to each attribute.
  • the records in the attribute account table can be written by the registered party or by the authorized party.
  • the attribute authority table is used to store the access authority of the resource corresponding to each attribute in the registered account.
  • the authorized content includes authorized attributes; the authorizing party determines the authorized content of the authorized token according to the authorized resources required by the authorized target account and the attributes of the authorized target account.
  • the attributes of the authorized target account may be set by the authorized party for the authorized target account, or may be set by the registered party for the authorized target account when the authorized target account is registered, which is not limited here.
  • The access authority of the authorized party can be directly verified according to the attribute of the authorized party, thereby reducing the complexity of the verification process; and, by reducing the permission rules that need to be stored for each account, the problem of rule storms can be further avoided.
  • The registrant may also write the attributes of the authorized target account into the blockchain when the authorized target account is registered. For example, the attributes of the authorized target account and the account of the authorized target account are written into the account attribute table. In this way, the authorized party can directly determine the attribute corresponding to the account of the authorized target account by querying the account attribute table.
  • Since the account attribute table on the blockchain is public, in order to improve the security of authorized tokens, reduce the setting of rules, and avoid rule storms, when the authorizing party sets the authorized token for the authorized target account, the attributes of the authorized target account can be reset; that is, the authorized attributes in the authorization token are not written into the account of the authorized target account.
  • Whether the authorized content in the authorization token includes the first resource may be determined as follows: according to the authorized attribute, the verification agency searches the corresponding relationship between the attribute and the resource authority to find whether the resources corresponding to the authorized attribute include the first resource; if it is determined that the first resource is included, it is determined that the authorized content in the authorization Token includes the first resource.
  • In this way, the authorization and verification of the authorization Token are made more flexible, the fields of the authorization Token are compressed, and the transmission time of the verification is shortened. The verification agency can verify the authorization Token by verifying the authorized attributes, or by verifying the resources corresponding to the authorized attributes, thereby providing more optional verification methods and improving the verification efficiency.
  • In order to improve the security of the authorization token, reduce the setting of rules, and avoid rule storms, when the authorizing party sets the authorization token for the authorization target account, it can also adopt the method of resetting the resource permissions of the authorization target account; that is, the authorized resources in the authorization token are not written into the authorization table.
  • the authorized content may include authorized resources; the authorizing party determines the authorized content of the authorized token according to the authorized resources required by the authorized target account.
  • the authorized content in the authorized token is the authorized resource.
  • Whether the authorized content in the authorization token includes the first resource may be determined as follows: if it is determined that the authorized resource in the authorized content includes the first resource, then it is determined that the authorized content in the authorization token includes the first resource.
  • By setting authorized resources in the authorized content, the verification time can be shortened and the verification efficiency can be improved.
  • The private key of the authorized party can also be used to sign the authorized token.
  • The private key of the authorizing party corresponds to the public key data generated and stored for each account when the authorizing party registers on the blockchain. Specifically, when creating an account for a user, the public and private key pair of the account is generated first, and then the public key is stored in the public key data contract; of course, a public key that meets the algorithm format requirements can also be uploaded for the user, and then verified and stored.
  • the authorization token is generated by an authorized institution.
  • the authorization Token is generated by the authorization agency, which can prevent the authorized party from generating the authorization Token privately, thereby improving the security of the authorization Token.
  • the authorized institution may be an institution outside the blockchain or an institution on the blockchain;
  • the verification institution may be an institution on the blockchain or an institution outside the blockchain, without limitation.
  • authorization records can be reduced by one field to reduce storage costs and future indexing time costs.
  • all authorized tokens are not chained. At this time, the security of the authorized Token can be guaranteed by the digital signature of the authorized user. In this way, the out-of-chain execution can greatly reduce the time overhead of the verification algorithm.
  • The authorization Token can be uploaded by an off-chain organization, and the off-chain organization can be at least one determined authoritative maintainer, which is used to maintain the authorized data record table.
  • When an authorized party needs its authorization Token to be put on the chain, it can send an upload request to at least one authoritative maintainer.
  • The off-chain tools that the authoritative maintainer uses to put data on the chain can be implemented according to the process of the solution in the embodiment of the present invention, and accept audit supervision.
  • the off-chain tool can be SDK/RESTful Client.
  • the authorization record in the authorization data record table also adds a field signed by the chain owner, and the chain owner's signature can be generated based on the private key of the authority maintainer.
  • the authorizing party can also upload the authorization token created by itself.
  • the verification agency can receive the upload request sent by the authorized party, and the upload request includes the authorization Token; further, if the verification agency verifies that the authorized party in the authorization Token is legal and the authorized content in the authorization Token includes authorized resources, it uploads the authorization digest of the authorization Token to the blockchain.
  • the upload request can be processed by the nodes on the chain. Specifically:
  • Step 1: The verification agency checks whether the content of the authorization Token is legal.
  • the verification agency can check the digital signature of the authorization Token to determine whether the public key value of the authorized party can be correctly recovered. If yes, go to step 2; otherwise, go to step 4.
  • Step 2: The verification agency calls the attribute management module to check whether the authorization is valid.
  • the authorization verification logic can be off-chain or on-chain.
  • any request that includes the authorization token received by the verification agency needs to verify the validity and signature of the authorization token.
  • the verification agency can detect whether the authorized party has the access right to the corresponding authorized resource. If not, go to step 4; otherwise, go to step 3;
  • Step 3: The verification agency generates the hash value (i.e., the Hash value) of the authorization Token and stores it on the chain.
  • the authorization digest of the authorization token may be the hash value of the authorization token.
  • the authorization record stored in the authorization data record table on the chain may include the following fields: UUID; Hash value.
  • the hash value of the authorization token may be a digest value generated based on a digest generation algorithm, such as sha3 (authorization token).
  • the authorization digest corresponding to the authorization Token is stored through the blockchain, and the legitimacy of the authorization Token is verified on the chain, so that the security of the authorization Token can be guaranteed and the possibility of the authorized party acting maliciously when it manages user permissions is avoided.
  • the authorization data record table only allows one-way access by the verification agency. In other words, once a record is added, the record cannot be modified subsequently.
  • FIG. 3 is a schematic flow chart of a method for controlling permissions on a blockchain provided by an embodiment of the present invention.
  • the verification logic of the verification agency is separated from the data in the authorization data table, and the corresponding verification contract is only used for verification.
  • the agency verifies the authorization Token, and the verification agency supports upgrade and data migration.
  • each record has a validity period, and authorization records mainly include the following two types:
  • Attribute authorization records: the data of each attribute authorization record represents the digest of an authorization Token of the attribute type, that is, an account with the same attribute can authorize others to reuse the same attribute.
  • Resource authorization records: the data of each resource authorization record represents the digest of an authorization Token of the resource type, that is, an account with the same operation authority can authorize others to access a certain resource.
  • the contents of the above two tables can be publicly queried by all nodes on the blockchain, and the authorized party of each authorization record can modify the authorization record.
  • Step 4: The verification agency returns a message to the authorized party that the upload request failed.
  • This method can be executed by a network node on the chain or off-chain. It includes the following steps:
  • Step 1: The authorizing party sends an authorization Token generation request to the authorization institution.
  • the authorization token generation request includes authorization token parameters, that is, authorization target account (combined with the above scenario, it can be the resource requester), authorizer account, authorized content, authorization start and end time, digital signature, etc.
  • Step 2: The authorized institution checks the legality of the authorization Token parameters. If the check passes, step 3 is executed; otherwise, step 5 is executed.
  • Step 3: The authorized institution generates the authorization Token and signs it with the private key passed in by the authorized party.
  • Step 4: The authorized institution sends the generated authorization Token to the authorized party.
  • This method can be executed by a network node on the chain or off-chain. It includes the following steps:
  • Step 1: The authorizing party sends the signed authorization Token to the verification agency.
  • Step 2: The verification agency checks the validity of the authorization Token's parameters.
  • the parameters include the validity period and signature of the authorization Token. If the check passes, go to step 3; otherwise, go to step 5.
  • Step 3: The verification agency consults the access authority table and checks whether the authorized content of the authorization Token is true and effective. For example, it checks whether the authorized party has declared resource permissions that can be used for authorization. If the check passes, go to step 4; otherwise, go to step 5.
  • Step 4: The verification agency generates the Hash value of the authorization Token, stores it in the authorization data table on the chain, and returns the successful upload information and/or the record of the authorization data table to the authorized party.
  • the method can be executed by network nodes on the chain or off-chain.
  • the method includes the following steps:
  • Step 1: The resource party uploads the authorization Token that needs to be verified.
  • the resource party can also selectively upload the on-chain record information corresponding to the authorized token on the resource requester chain, such as the index of the authorization digest of the authorized token, so that the verification agency can quickly verify the authorized token.
  • Step 2: The verification agency checks the legality of the parameters of the authorization Token; if they are legal, perform step 3; otherwise, perform step 5.
  • the verification agency can access the attribute management module to check whether the authorized content of the authorization Token is true and valid, that is, whether the authorized party of the authorization Token has declared resources that can be used for authorization.
  • Step 3: If the on-chain record information passed in is not empty, the verification agency accesses the authorization record table on the chain, determines the hash value of the authorization Token that needs to be verified, and checks whether that hash value is consistent with the hash value in the authorization record table. If yes, go to step 4; otherwise, go to step 5.
  • Step 4: It is determined that verification of the authorization Token uploaded by the resource party succeeds.
  • Step 5: It is determined that verification of the authorization Token uploaded by the resource party fails.
  • the verification order of step 3 and step 4 can be exchanged, which is not limited here.
  • Fig. 4 is an embodiment of the present invention providing a method for controlling permissions on a blockchain. As shown in Fig. 4, the method includes:
  • Step 401: The resource party obtains an access request for the first resource sent by the resource requester.
  • the access request includes the authorization certificate Token.
  • the authorization Token includes the authorized party and authorized content.
  • Step 402: When the resource party determines that the access request meets the first access condition for accessing the first resource, the resource party sends the first resource to the resource requester.
  • the authorization summary of the authorization token generated by each authorization party is stored in the blockchain.
  • the first access condition is: the authorization digest matching the authorization Token is found in the blockchain, the authorized party in the authorization Token is legal, and the authorization content in the authorization Token includes the first resource.
  • the resource requester carries the authorization Token, and multi-party verification is performed on the authorization Token, such as verifying the legitimacy of the authorization Token, verifying the authorized content of the authorization Token, and verifying the authority of the authorized party, to ensure the validity of the verification result.
  • the authorizer when the authorizer generates the authorization token, there is no need to write the authorization token into the authorization table. In this way, the authorizer can freely set the specific permissions of the account according to its own permissions, and can add or delete the authorized content of the authorized token based on actual needs.
  • the authorization Token can also have its corresponding authorization digest stored through the blockchain. In this way, by verifying the legitimacy of the authorization Token on the chain, the security of the authorization Token can be guaranteed, avoiding the possibility of the authorized party acting maliciously when the authorized party manages user permissions.
  • the access request further includes a signature of the authorized party; before the resource party determines that the access request meets the access condition for accessing the first resource, it is also determined, through the signature of the authorized party, that the authorization Token was issued by the authorized party; the authorized party signature is obtained by the authorized party signing the generated authorization Token. In this way, by verifying the authorization Token based on the digital signature, the security of the authorization Token can be further improved.
  • before the resource party determines that the access request meets the first access condition for accessing the resource, it also determines that the access request does not meet the second access condition for accessing the resource;
  • the second access condition is that the account of the resource requester is an account recorded in the account information that has access authority to the first resource.
  • the solution proposed by the present invention aims to achieve a balance between flexibility and scalability, and to ensure the multi-dimensional, multi-granularity nature of authorized content and the tamper resistance of the authorization Token.
  • the authorizer can divide the authorization types, and can also authorize its own capabilities to the authorized target account in terms of attributes and resources, and at the same time allow the authorization to be revoked.
  • the authorization digest of the authorization Token can be stored on the blockchain. Since only the authorization digest of the authorization Token is stored, minimum disclosure and tamper resistance can be guaranteed. Based on this, the present invention can greatly reduce the impact of rule storms and has good scalability.
  • the following describes the permission control method of the blockchain provided by the embodiments of the present invention in combination with specific implementation scenarios.
  • the method is executed by a network node, and the method includes the following steps:
  • Step 1: The resource requester sends a resource request to the resource party.
  • the resource request includes an authorization token and an authorization record address on the chain.
  • Step 2: The resource party checks whether the resource requester can directly meet the second resource access condition for accessing the resource without using the authorization Token; if so, perform step 5; otherwise, perform step 3.
  • Step 3: The resource party verifies the authorization Token through the verification agency. If the verification is successful, go to step 5; otherwise, go to step 6.
  • Step 4: The resource party checks whether the authorization Token meets the first resource access condition based on the authorized content in the authorization Token; if so, execute step 5.
  • Step 5: The resource party returns the content of the requested resource to the resource requester.
  • Step 6: The resource party returns a request failure message to the resource requester.
  • the authorized institution is an institution outside the blockchain
  • the verification institution is an institution on the blockchain; or, both the authorized institution and the verification institution are institutions outside the blockchain.
  • the embodiment of the present invention provides a block chain permission setting device.
  • Fig. 5 is a schematic structural diagram of a block chain permission setting device provided by an embodiment of the present invention, as shown in Fig. 5, including:
  • the transceiver unit 501 is configured to receive a verification request sent by a resource party, where the verification request includes an authorization token;
  • the processing unit 502 is configured to search for an authorization digest matching the authorization token through the blockchain; the blockchain stores the authorization digest of the authorization token generated by each authorized party;
  • the transceiver unit 501 is further configured to send a verification pass message to the resource party after finding an authorization digest matching the authorization Token.
  • the transceiver unit 501 is further configured to receive an upload request sent by an authorizing party, and the upload request includes an authorization token;
  • the processing unit 502 is further configured to upload the authorization digest of the authorization Token to the blockchain after verifying that the authorized party in the authorization Token is legal and the authorized content in the authorization Token includes authorized resources.
  • account information is also stored in the blockchain, and the account information includes the corresponding relationship between the account and the attribute, and the corresponding relationship between the attribute and the resource authority;
  • the processing unit 502 is specifically configured to determine the attribute of the authorizing party according to the corresponding relationship between the account and the attribute; according to the corresponding relationship between the attribute and the resource authority, determine whether the attribute of the authorizing party has the access rights to the authorized content in the authorization Token; if so, determine that the authorizing party of the authorization Token is legal.
  • the authorization Token is generated by an authorization organization.
  • Fig. 6 is a schematic structural diagram of yet another block chain permission setting device provided by an embodiment of the present invention, as shown in Fig. 6, including:
  • the transceiver unit 601 is configured to obtain an access request for the first resource sent by the resource requester; the access request includes an authorization credential Token; the authorization Token includes an authorized party and authorized content;
  • the processing unit 602 is configured to send the first resource to the resource requester when it is determined that the access request satisfies the first access condition for accessing the first resource; the first access condition is that an authorization digest matching the authorization Token is found through the blockchain, the authorized party in the authorization Token is legal, and the authorized content in the authorization Token includes the first resource; the blockchain stores the authorization digests of the authorization Tokens generated by each authorized party.
  • the access request further includes an authorized party signature, and the authorized party signature is obtained by the authorized party signing the generated authorization Token;
  • before the processing unit 602 determines that the access request meets the access condition for accessing the first resource, it is further configured to:
  • before the processing unit 602 determines that the access request meets the first access condition for accessing the resource, it is further configured to:
  • the second access condition is that the account of the resource requester is the account that has access rights to the first resource recorded in the account information.
  • the authorized content includes authorized attributes
  • the processing unit 602 is specifically configured to look up, according to the authorized attribute, whether the resources corresponding to the authorized attribute in the corresponding relationship between the attribute and the resource authority include the first resource; if they include the first resource, it is determined that the authorization content in the authorization Token includes the first resource.
  • the authorized content includes authorized resources
  • the processing unit 602 is specifically configured to determine that the authorized content in the authorization Token includes the first resource if it is determined that the authorized resource in the authorized content includes the first resource.
  • an embodiment of the present invention provides a computing device. As shown in FIG. 7, it includes at least one processor 701 and a memory 702 connected to the at least one processor.
  • the embodiment of the present invention does not limit the specific connection medium between the processor 701 and the memory 702; in FIG. 7, the processor 701 and the memory 702 are connected through a bus as an example.
  • the bus can be divided into address bus, data bus, control bus, etc.
  • the memory 702 stores instructions that can be executed by at least one processor 701. By executing the instructions stored in the memory 702, the at least one processor 701 can execute the steps of the aforementioned blockchain permission control method.
  • the processor 701 is the control center of the computing device, which can use various interfaces and lines to connect to various parts of the computing device, and performs permission control by running or executing the instructions stored in the memory 702 and calling the data stored in the memory 702.
  • the processor 701 may include one or more processing units, and the processor 701 may integrate an application processor and a modem processor.
  • the application processor mainly processes the operating system, user interface, and application programs.
  • the modem processor mainly deals with wireless communication. It can be understood that the foregoing modem processor may not be integrated into the processor 701.
  • the processor 701 and the memory 702 may be implemented on the same chip, and in some embodiments, they may also be implemented on separate chips.
  • the processor 701 may be a general-purpose processor, such as a central processing unit (CPU), a digital signal processor, an application specific integrated circuit (ASIC), a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps, and logic block diagrams disclosed in the embodiments of the present invention.
  • the general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present invention may be directly embodied as being executed and completed by a hardware processor, or executed and completed by a combination of hardware and software modules in the processor.
  • the memory 702, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules.
  • the memory 702 may include at least one type of storage medium, such as flash memory, hard disk, multimedia card, card-type memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic memory, disk, CD, etc.
  • the memory 702 is any other medium that can be used to carry or store desired program codes in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
  • the memory 702 in the embodiment of the present invention may also be a circuit or any other device capable of realizing a storage function for storing program instructions and/or data.
  • the embodiments of the present invention provide a computer-readable medium that stores a computer program executable by a terminal device.
  • the terminal device executes the steps of the blockchain permission control method.
  • the embodiments of the present invention may be provided as methods or computer program products. Therefore, the present invention may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may adopt the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program codes.
  • These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
  • These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, so that the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in a flow or multiple flows in the flowchart and/or a block or multiple blocks in the block diagram.

Abstract

Disclosed are a permission control method and apparatus for a blockchain, which relate to the technical field of fintech, and are used for solving the problem in the prior art of a rule storm occurring when the number of users and the volume of business grow rapidly. The method comprises: a verification authority receiving a verification request sent by a resource party, and if an authorization digest matching an authorization token in the verification request is found by means of a blockchain, sending a verification successful message to the resource party. An authorization token authorized by an authorization party is verified by means of a verification authority, so that the problem of a rule storm caused by overabundant permission rules configured on a blockchain can be prevented, and the privacy of the authorization token can be ensured. Moreover, since the authorization token stores a corresponding authorization digest by means of a blockchain, the problem of relatively low security of authorization caused by the possibility of an illegal behavior of an authorization party can also be prevented, and the security of the authorization token is ensured.

Description

Permission control method and apparatus for blockchain
Cross-reference to related applications
This application claims priority to the Chinese patent application No. 201910287244.5, entitled "Permission control method and apparatus for blockchain", filed with the Chinese Patent Office on April 11, 2019, the entire contents of which are incorporated herein by reference.
Technical field
The embodiments of the present invention relate to the technical field of financial technology (Fintech), and in particular to a permission control method and apparatus for a blockchain.
Background
With the development of computer technology, more and more technologies are being applied in the financial field, and the traditional financial industry is gradually shifting toward financial technology (Fintech). Single sign-on technology is no exception, but the security and real-time requirements of the financial industry also place higher demands on the technology.
Single sign-on (SSO) is a user authentication process that allows a user, after authenticating once, to access the different applications in a system without re-entering a user account and password for each application.
SSO centralizes user login and user account management for all domains within an enterprise. This reduces the time users spend logging in to different systems and the likelihood of login errors, achieves security while avoiding the handling and storage of authentication information for multiple sets of system users, reduces the time system administrators spend adding, deleting and modifying user permissions, and increases security. In addition, system administrators have a better way to manage users, such as directly disabling or deleting a user to revoke that user's access to all system resources.
At present, when permission control is applied to SSO, a rule storm is likely to occur when the number of users and the business volume grow rapidly. In addition, in the prior art, permission management is provided to users through an authorizing party, and because the authorizing party may act maliciously, the security of the authorization cannot be guaranteed.
Summary of the invention
In current role-based permission control methods, account permissions are limited by the preset permissions of the role, so a rule storm occurs when the number of users and the business volume grow rapidly. To address this, the present invention provides a permission control method and apparatus for a blockchain.
In a first aspect, the present invention provides a permission control method for a blockchain, including:
A verification agency receives a verification request sent by a resource party, the verification request including an authorization token (Token); the verification agency searches the blockchain for an authorization digest matching the authorization Token and, after finding one, sends a verification-passed message to the resource party; the blockchain stores the authorization digests of the authorization Tokens generated by the authorizing parties.
In the present invention, the verification agency verifies the authorization Token issued by the authorizing party instead of verifying permission rules as in the prior art. This avoids the rule storm caused by configuring too many permission rules on the blockchain and preserves the privacy of the authorization Token. In addition, because the authorization digest corresponding to the authorization Token is stored on the blockchain, it also avoids the low authorization security that results, during permission management for users, from the possibility of the authorizing party acting maliciously, and so ensures the security of the authorization Token.
In a possible implementation, the method further includes: the verification agency receives an upload request sent by an authorizing party, the upload request including an authorization Token; if the verification agency verifies that the authorizing party in the authorization Token is legal and that the authorized content in the authorization Token includes authorized resources, it uploads the authorization digest of the authorization Token to the blockchain.
In the above implementation, the authorization digest corresponding to the authorization Token is stored on the blockchain and the legitimacy of the authorization Token is verified on the chain, so the security of the authorization Token can be guaranteed, avoiding the possibility of the authorizing party acting maliciously that exists when the authorizing party manages permissions for users.
In a possible implementation, account information is also stored in the blockchain, the account information including a correspondence between accounts and attributes and a correspondence between attributes and resource permissions. The verification agency verifying that the authorizing party in the authorization Token is legal includes: determining the attributes of the authorizing party according to the correspondence between accounts and attributes; determining, according to the correspondence between attributes and resource permissions, whether the attributes of the authorizing party carry access rights to the authorized content in the authorization Token; and, if so, determining that the authorizing party of the authorization Token is legal.
In the above implementation, setting the correspondence between accounts and attributes and the correspondence between attributes and resource permissions lets the verification agency verify the authorizing party's access rights from the authorizing party's attributes alone, which reduces the complexity of the verification process. Because fewer per-account permission rules need to be stored, the rule storm problem is further avoided.
In a possible implementation, the authorization Token is generated by an authorization agency.
In the above implementation, having the authorization agency generate the authorization Token prevents the authorizing party from generating authorization Tokens privately, which improves the security of the authorization Token.
In a second aspect, the present invention provides a permission control method for a blockchain, including:
A resource party obtains an access request for a first resource sent by a resource requester, where the access request includes an authorization Token and the authorization Token includes an authorizing party and authorized content. When the resource party determines that the access request satisfies a first access condition for accessing the first resource, it sends the first resource to the resource requester. The first access condition is that an authorization digest matching the authorization Token is found through the blockchain, the authorizing party in the authorization Token is legitimate, and the authorized content in the authorization Token includes the first resource. The blockchain stores the authorization digests of the authorization Tokens generated by each authorizing party.
In the present invention, the resource requester carries the authorization Token in the access request, so the resource party can verify the authorization Token from several angles, such as the legitimacy of the authorization Token, the authorized content of the authorization Token, and the permissions of the authorizing party. The resource party thus determines the permission by verifying the authorization Token granted by the authorizing party, rather than by verifying permission rules as in the prior art. This avoids the rule storm problem caused by setting too many permission rules on the blockchain, preserves the privacy of the authorization Token, and ensures the validity of the verification result. In addition, because the authorization digest corresponding to the authorization Token is stored on the blockchain and the legitimacy of the authorization Token is verified on chain, the security of the authorization Token can be guaranteed, and the possibility of the authorizing party acting maliciously, which exists when the authorizing party manages permissions on behalf of users, is avoided.
In a possible implementation, the access request further includes an authorizing-party signature, which the authorizing party obtains by signing the generated authorization Token. Before determining that the access request satisfies the access condition for accessing the first resource, the resource party also determines from the authorizing-party signature that the authorization Token was issued by the authorizing party.
In the above implementation, digitally signing the authorization Token further improves the security of the authorization Token.
In a possible implementation, before determining that the access request satisfies the first access condition for accessing the resource, the resource party also determines that the access request does not satisfy a second access condition for accessing the resource. The second access condition is that the account of the resource requester is an account recorded in the account information as having access permission for the first resource.
In the above implementation, verifying the permission of the account corresponding to the resource requester in advance ensures that verification is comprehensive and improves its effectiveness.
In a possible implementation, the authorized content includes an authorized attribute. That the authorized content in the authorization Token includes the first resource is determined as follows: according to the authorized attribute, look up in the correspondence between attributes and resource permissions whether the resources corresponding to the authorized attribute include the first resource; if they do, determine that the authorized content in the authorization Token includes the first resource.
In the above implementation, setting an authorized attribute makes the granting and verification of the authorization Token more flexible, and compressing the fields of the authorization Token shortens the transmission time of verification. The authorization Token can be verified either through the authorized attribute or through the resources corresponding to the authorized attribute, so more verification options are available and verification is more efficient.
In a possible implementation, the authorized content includes an authorized resource. That the authorized content in the authorization Token includes the first resource is determined as follows: if the authorized resources in the authorized content include the first resource, determine that the authorized content in the authorization Token includes the first resource.
In the above implementation, setting the authorized resources in the authorized content makes it possible to determine directly whether the first resource is present by looking up the authorized resources in the authorized content, which shortens the verification time and improves verification efficiency.
In a third aspect, an embodiment of the present invention provides a permission control apparatus for a blockchain, including:
a transceiver unit, configured to receive a verification request sent by a resource party, where the verification request includes an authorization Token;
a processing unit, configured to search through the blockchain for an authorization digest matching the authorization Token, where the blockchain stores the authorization digests of the authorization Tokens generated by each authorizing party;
the transceiver unit being further configured to send a verification-passed message to the resource party after the authorization digest matching the authorization Token is found.
In a possible implementation, the transceiver unit is further configured to receive an upload request sent by an authorizing party, where the upload request includes an authorization Token; the processing unit is further configured to upload the authorization digest of the authorization Token to the blockchain after verifying that the authorizing party in the authorization Token is legitimate and that the authorized content in the authorization Token includes the authorized resources.
In a possible implementation, the blockchain also stores account information, which includes a correspondence between accounts and attributes and a correspondence between attributes and resource permissions. The processing unit is specifically configured to: determine the attributes of the authorizing party according to the correspondence between accounts and attributes; determine, according to the correspondence between attributes and resource permissions, whether the attributes of the authorizing party carry access permission for the authorized content in the authorization Token; and, if so, determine that the authorizing party of the authorization Token is legitimate.
In a possible implementation, the authorization Token is generated by an authorization authority.
In a fourth aspect, an embodiment of the present invention provides a permission control apparatus for a blockchain, including:
a transceiver unit, configured to obtain an access request for a first resource sent by a resource requester, where the access request includes an authorization credential Token and the authorization Token includes an authorizing party and authorized content;
a processing unit, configured to send the first resource to the resource requester when it determines that the access request satisfies a first access condition for accessing the first resource. The first access condition is that an authorization digest matching the authorization Token is found through the blockchain, the authorizing party in the authorization Token is legitimate, and the authorized content in the authorization Token includes the first resource. The blockchain stores the authorization digests of the authorization Tokens generated by each authorizing party.
In a possible implementation, the access request further includes an authorizing-party signature, which the authorizing party obtains by signing the generated authorization Token. Before determining that the access request satisfies the access condition for accessing the first resource, the processing unit also determines from the authorizing-party signature that the authorization Token was issued by the authorizing party.
In a possible implementation, before determining that the access request satisfies the first access condition for accessing the resource, the processing unit also determines that the access request does not satisfy a second access condition for accessing the resource. The second access condition is that the account of the resource requester is an account recorded in the account information as having access permission for the first resource.
In a possible implementation, the authorized content includes an authorized attribute. The processing unit is specifically configured to look up, according to the authorized attribute and in the correspondence between attributes and resource permissions, whether the resources corresponding to the authorized attribute include the first resource, and, if they do, to determine that the authorized content in the authorization Token includes the first resource.
In a possible implementation, the authorized content includes an authorized resource. The processing unit is specifically configured to determine that the authorized content in the authorization Token includes the first resource if the authorized resources in the authorized content include the first resource.
In a fifth aspect, an embodiment of the present invention provides a computer device including at least one processing unit and at least one storage unit, where the storage unit stores a computer program that, when executed by the processing unit, causes the processing unit to perform the steps of the permission control method for a blockchain.
In a sixth aspect, an embodiment of the present invention provides a computer-readable medium storing a computer program executable by a terminal device, where the program, when run on the terminal device, causes the terminal device to perform the steps of the permission control method for a blockchain.
Description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram of the system architecture of a blockchain network provided by an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a permission control method for a blockchain provided by an embodiment of the present invention;
FIG. 3 is a schematic flowchart of a permission control method for a blockchain provided by an embodiment of the present invention;
FIG. 4 is a schematic flowchart of a permission control method for a blockchain provided by an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a permission control apparatus for a blockchain provided by an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of another permission control apparatus for a blockchain provided by an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a computing device provided by an embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and beneficial effects of the present invention clearer, the present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit it.
To aid understanding, the terms used in the embodiments of the present invention are explained below.
Blockchain: a blockchain is a new distributed infrastructure and computing method that uses one or more of the following: a block-chain data structure to verify and store data, a distributed node consensus algorithm to generate and update data, cryptography to secure data transmission and access, and smart contracts composed of automated script code to program and operate on data.
An embodiment of the present invention provides a permission control method for a blockchain, which can be applied in a blockchain network scenario to improve the security of single sign-on and avoid the possibility of the authorizing party acting maliciously.
By way of example, FIG. 1 is a schematic diagram of the system architecture of a blockchain network provided by an embodiment of the present invention. As shown in FIG. 1, the blockchain network includes multiple network nodes, such as network node 101, network node 102 and network node 103, and any network node includes a permission control apparatus for the blockchain. Each network node may be a single server or a server cluster composed of several servers, and the network nodes are connected to one another through a wireless network.
Among the institutions that maintain the blockchain, each institution may correspond to one or more network nodes, and the tables in the network nodes of the blockchain are synchronized in real time. For each network node, an institution initiates a transaction request through a transaction account at another network node; after receiving the transaction request, the network node determines the content to be operated on according to the transaction information. The transaction request may be an access request for accessing a resource, a verification request, and so on. Correspondingly, the content to be operated on may be accessing a resource, verifying a permission, and so on. Further, the network node determines from a preset permission table the transaction account corresponding to the content to be operated on and, when it determines that the transaction account matches the permission account corresponding to the content to be operated on, returns to the user the resource that the user needs to access. The network node then generates an operation record for the content to be operated on and sends the operation record to the other network nodes in the blockchain network. The operation record includes the identifier of the content to be operated on, the permission content of the content to be operated on, and the transaction account.
The resource mentioned in the present invention may be a resource URI, for example a data web page Uniform Resource Location (URL) or an executable state transfer application programming interface (Resource Representational State Transfer Application Programming Interface, RESTful API) such as GET/POST/DELETE, without limitation.
Users on the blockchain hold different roles and have different access permissions for different resources, so users need a way to delegate permissions. The traditional security field has an existing permission management method in which authorization is generally represented by an SSO Token, but porting the SSO Token directly to a blockchain system leads to the rule storm problem. For example, if every permission is put on chain without distinction, only a single type of authorization is available, a large number of permission rules must be set, and every permission must be checked on chain whenever it is used. With a rapidly growing number of users and business volume (that is, a large business volume), the excessive number of rules becomes hard for a traditional database to accommodate, and the rule storm problem arises.
Based on the above problem, an embodiment of the present invention provides a flow of a permission control method for a blockchain, to solve the technical problem of rule storms that arises in the prior art when the number of users and the business volume grow rapidly.
FIG. 2 is a schematic flowchart of a permission control method for a blockchain provided by an embodiment of the present invention. The method can be executed by a permission control apparatus for the blockchain and, as shown in FIG. 2, includes the following steps:
Step 201: The verification authority receives a verification request sent by the resource party, where the verification request includes an authorization Token.
Here, the resource party is the holder of the resource. The authorization Token is a unit that describes authorization information and can be represented as a json string. The fields of the authorization Token may include: the Universally Unique Identifier (UUID) of the authorization Token, which uniquely identifies the authorization Token; the blockchain address of the authorizing (source) user; the blockchain address of the target user of the authorization (wildcards allowed); the authorized content; the time at which the authorization takes effect; the time at which the authorization ends; the digital signature of the authorizing user; and so on.
Step 202: The verification authority searches through the blockchain for an authorization digest matching the authorization Token; the blockchain stores the authorization digests of the authorization Tokens generated by each authorizing party.
Step 203: After finding the authorization digest matching the authorization Token, the verification authority sends a verification-passed message to the resource party.
In this embodiment of the present invention, the authorization Token is generated by the authorizing party, so the authorized content of the authorization Token does not need to be stored in full in the permission table. When the account of the resource requester initiates an access request, the authorizing party and the authorization Token can therefore be verified directly, giving flexible control over permission to access resources. Moreover, because the authorizing party does not need to write to the permission table when generating the authorization Token, the authorizing party can freely set the specific permissions of an account within its own permissions, and can add to or remove from the authorized content of the authorization Token as actually needed. Delegated permissions can thus be added and removed freely, the rule storm problem caused by putting every rule on chain is avoided, and the privacy protection of the authorization Token is improved.
In step 201, the authorizing party may create a corresponding authorization Token for the resource requester. The resource requester may be any user in a single sign-on system or any account registered on the blockchain.
The specific generation process may include the following:
The authorizing party generates an authorization Token in a specified format from the authorization target account (in the above scenario, this may be the resource requester), the authorizing party's account, the authorized content, and the start and end times of the authorization. The authorizing party may create the authorization Token for the resource requester off chain. For example, the authorizing party is an authorization authority, which may be an off-chain device; after the authorization authority has been verified, it can send the authorization Token to the resource requester.
By way of example, a management node may be elected from the blockchain network and the account corresponding to the management node set as the administrator account. Only the administrator account can become an authorizing party; a non-administrator account cannot, that is, non-administrator accounts have no authorization function.
In this embodiment of the present invention, the authorized content of the authorization Token may be of two types: attributes and resources. Attribute authorization means that the authorizing party can authorize the resource party to use one of the authorizing party's own attributes. Note that an attribute can be any characteristic of an account, such as the account's role, the account's geographic location or the access time, without limitation. Resource authorization means that the authorizing party can authorize the resource requester to use the authorizing party's own access permission for a resource.
Specifically, permission information may be stored in a permission table and used to determine the rules for applying permission control. To set an account's permission on a table, a permission record for that account is added to the permission table. By way of example, the permission table is located in the blocks of the blockchain, and when the permission table is updated, the updated permission table takes effect in the block following the current block. For example, when a new permission record A is added to the permission table, a new block is generated after the current block and the new permission record A is saved in the block body of the new block. Likewise, when permission record B is modified in the permission table, a new block is generated after the current block and the modified permission record B is saved in the block body of the new block.
In a specific implementation, a preset permission contract interface may be used to operate on the permission table. The permission contract interface may include a write interface, a remove interface, a query interface, and so on. The write interface sets a permission record by table name and account address and returns the number of records set; the record is saved in the permission table. If the permission record already exists, setting the same permission record again is rejected, that is, 0 is returned directly. The remove interface removes a set permission record by table name and account address and returns the number of records removed. The query interface queries the set permission records by table name and returns the permission records found, which may be returned as a json string.
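The permission table behaviour described in the two paragraphs above can be modelled as follows. This is an added example, not code from the patent: the class name, method names, record layout and the `height` query parameter are assumptions, and one block per update is a simplification.

```python
import json


class PermissionLedger:
    """Toy permission table kept as a chain of block bodies (hypothetical model)."""

    def __init__(self):
        # Block 0 is an empty genesis body; every update is saved in a new block.
        self.blocks = [[]]

    def _state(self, height=None):
        """Replay block bodies up to `height` to get the effective (table, address) pairs."""
        if height is None:
            height = len(self.blocks) - 1
        state = set()
        for body in self.blocks[: height + 1]:
            for op, table, address in body:
                if op == "insert":
                    state.add((table, address))
                else:
                    state.discard((table, address))
        return state

    def insert(self, table, address):
        """Write interface: returns the number of records set, 0 for a duplicate."""
        if (table, address) in self._state():
            return 0
        self.blocks.append([("insert", table, address)])
        return 1

    def remove(self, table, address):
        """Remove interface: returns the number of records removed."""
        if (table, address) not in self._state():
            return 0
        self.blocks.append([("remove", table, address)])
        return 1

    def query(self, table, height=None):
        """Query interface: permission records for one table, as a json string."""
        rows = sorted(a for t, a in self._state(height) if t == table)
        return json.dumps([{"table_name": table, "address": a} for a in rows])


if __name__ == "__main__":
    ledger = PermissionLedger()
    print(ledger.insert("t_ledger", "0xA11CE"))   # first write is accepted
    print(ledger.insert("t_ledger", "0xA11CE"))   # duplicate write is rejected
    print(ledger.query("t_ledger", height=0))     # not yet visible at the earlier block
    print(ledger.query("t_ledger"))               # visible from the new block onward
```

Querying at an earlier height shows the point of the "next block" rule: a record is not effective at the block that was current when the write was made.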
一种可能的实现方式中,权限表可以包括属性账户表及属性权限表。其中,属性账户表用于存储注册的账户中的属性,以及每个属性对应的账户。属性账户表中的记录可以由注册方写入,也可以由授权方写入。相应地,属性权限表用于存储注册的账户中的每个属性对应的资源的访问权限。In a possible implementation manner, the permission table may include an attribute account table and an attribute permission table. Among them, the attribute account table is used to store attributes in the registered account and the account corresponding to each attribute. The records in the attribute account table can be written by the registered party or by the authorized party. Correspondingly, the attribute authority table is used to store the access authority of the resource corresponding to each attribute in the registered account.
一种可能的实现方式中,授权内容包括授权的属性;授权方根据授权目标账户所需授权的资源,及授权目标账户的属性,确定授权Token的授权内容。其中,授权目标账户的属性可以是授权方为授权目标账户设置的,也可以是授权目标账户在注册时,注册方为授权目标账户设置的,在此不做限定。In a possible implementation manner, the authorized content includes authorized attributes; the authorizing party determines the authorized content of the authorized token according to the authorized resources required by the authorized target account and the attributes of the authorized target account. The attributes of the authorized target account may be set by the authorized party for the authorized target account, or may be set by the registered party for the authorized target account when the authorized target account is registered, which is not limited here.
In the above implementation, by setting the correspondence between accounts and attributes and the correspondence between attributes and resource permissions, the authorizing party's access permission can be verified directly from the authorizing party's attributes, which reduces the complexity of the verification process; moreover, by reducing the number of per-account permission rules that need to be stored, the rule storm problem can be further avoided.
In the embodiments of the present invention, if the attributes of the authorization target account were set for it by the registering party at registration, the registering party may also write those attributes to the blockchain when the authorization target account is registered. For example, the attributes of the authorization target account and the account itself are written into the account attribute table. The authorizing party can then determine the attributes corresponding to the authorization target account directly by querying the account attribute table.
Exemplarily, because the account attribute table on the blockchain is public, to improve the security of the authorization Token, reduce the number of rules that must be set and avoid rule storms, the authorizing party may, when setting an authorization Token for the authorization target account, also set the attributes of the authorization target account anew; that is, the authorized attributes in the authorization Token are not written into the account of the authorization target account.
Exemplarily, where the authorized content in the authorization Token includes the first resource, whether it includes the first resource may be determined as follows: based on the authorized attribute, the verification institution looks up, in the correspondence between attributes and resource permissions, whether the resources corresponding to the authorized attribute include the first resource; if they do, it determines that the authorized content in the authorization Token includes the first resource. Setting authorized attributes makes granting and verifying authorization Tokens more flexible, compresses the fields of the authorization Token and shortens the transmission time for verification. The verification institution can thus verify the authorization Token either by verifying the authorized attribute or by verifying the resources corresponding to the authorized attribute, which provides more verification options and improves verification efficiency.
In a possible implementation, to improve the security of the authorization Token, reduce the number of rules that must be set and avoid rule storms, the authorizing party may, when setting an authorization Token for the authorization target account, also set the resource permissions of the authorization target account anew; that is, the authorized resources in the authorization Token are not written into the permission table.
Specifically, the authorized content may include authorized resources; the authorizing party determines the authorized content of the authorization Token according to the resources the authorization target account needs to be granted, so the authorized content in the authorization Token is the authorized resources.
Exemplarily, where the authorized content in the authorization Token includes the first resource, whether it includes the first resource may be determined as follows: if the authorized resources in the authorized content include the first resource, it is determined that the authorized content in the authorization Token includes the first resource. Setting the authorized resources in the authorized content shortens verification time and improves verification efficiency.
Exemplarily, to improve the security of the authorization Token, the authorization Token may also be signed with the authorizing party's private key. The authorizing party's private key is generated when the authorizing party registers on the blockchain, and the public key data of each account is stored. Specifically, when an account is created for a user, the account's public/private key pair is generated first and the public key is then stored in the public key data contract; alternatively, a public key that meets the algorithm's format requirements may first be uploaded for the user and then verified and stored.
In a possible implementation, the authorization Token is generated by the authorization institution. Having the authorization institution generate the authorization Token prevents the authorizing party from generating authorization Tokens privately, which improves the security of the authorization Token.
In the embodiments of the present invention, the authorization institution may be an institution off the blockchain or an institution on the blockchain; the verification institution may be an institution on the blockchain or an institution off the blockchain; this is not limited.
In a possible implementation, all authorization Tokens are put on chain. In this case, the on-chain logic shifts from specific users to a smart contract, so the rules and their execution are visible to the whole network without additional moral hazard. In addition, one field can be dropped from the authorization record, which reduces storage overhead and future indexing time.
In a possible implementation, no authorization Token is put on chain. In this case, the security of the authorization Token can be guaranteed by the authorizing user's digital signature, and off-chain execution greatly reduces the time overhead of the signature verification algorithm.
In a possible implementation, the authorization Token may be put on chain by an off-chain institution. The off-chain institution may be at least one designated authoritative maintainer, which maintains the authorization data record table. Each authorizing party that needs an authorization Token put on chain can then send an upload request to at least one authoritative maintainer.
The off-chain tool that the authoritative maintainer uses to put data on chain can be implemented according to the flow of the solution in the embodiments of the present invention and is subject to audit and supervision. The off-chain tool may be an SDK/RESTful Client.
Exemplarily, an uploader-signature field is also added to the authorization records in the authorization data record table; the uploader's signature can be generated with the authoritative maintainer's private key.
In a possible implementation, to reduce what is stored on the blockchain and improve the security of the authorization Token, the authorizing party may also put the authorization Tokens it creates on chain itself. In a specific implementation, the verification institution may receive an upload request sent by the authorizing party, the upload request including the authorization Token; further, if the verification institution verifies that the authorizing party in the authorization Token is legitimate and that the authorized content in the authorization Token includes the authorized resources, it uploads the authorization digest of the authorization Token to the blockchain.
The upload request may be processed by a node on the chain. Specifically:
Step 1: The verification institution checks whether the content of the authorization Token is legitimate.
In a specific implementation, the verification institution may check the digital signature of the authorization Token and determine whether the authorizing party's public key value can be correctly recovered from it. If so, step 2 is performed; otherwise, step 4 is performed.
Step 2: The verification institution calls the attribute management module to check whether the authorization is valid.
Here, the authorization verification logic may be off chain or on chain. However, for any request containing an authorization Token that the verification institution receives, the validity and the signature of the authorization Token must be verified.
Specifically, the verification institution may check whether the authorizing party has access permission for the corresponding authorized resource. If not, step 4 is performed; otherwise, step 3 is performed.
Step 3: The verification institution generates the hash value (Hash value) of the authorization Token and stores it on chain.
Here, it may be stored in the authorization data table on the blockchain, and the index of the on-chain table entry is returned to the authorizing party.
In a possible implementation, the authorization digest of the authorization Token may be the hash value of the authorization Token. An authorization record stored in the on-chain authorization data record table may include the following fields: UUID; Hash value. The hash value of the authorization Token may be a digest value generated by a digest algorithm, such as sha3(authorization Token).
In the above implementation, because the authorization digest corresponding to the authorization Token is stored on the blockchain, the legitimacy of the authorization Token is verified on chain, so the security of the authorization Token can be guaranteed and the possibility of the authorizing party acting maliciously, which exists when the authorizing party manages user permissions, is avoided.
Exemplarily, to improve the security of verifying the Token, the authorization data record table allows only one-way access by the verification institution. That is, once a record has been added, it cannot subsequently be modified.
FIG. 3 is a schematic flowchart of a blockchain permission control method provided by an embodiment of the present invention. As shown in FIG. 3, the verification institution's verification logic is separated from the data in the authorization data table; the corresponding verification contract is used only for the verification institution to verify authorization Tokens, and the verification institution supports upgrades and data migration. In the authorization data table, every record has a validity period. Authorization records fall mainly into the following two types:
i. Attribute authorization records: the data of each attribute authorization record represents the digest of an existing attribute-type authorization Token; that is, an account that already holds an attribute can authorize others to reuse the same attribute.
ii. Resource authorization records: the data of each resource authorization record represents the digest of an existing resource-type authorization Token; that is, an account that already holds an operation permission can authorize others to access a given resource.
The contents of the above two tables can be publicly queried by all nodes on the blockchain, and the authorizing party of each authorization record can modify that record.
Step 4: The verification institution returns an upload-request-failed message to the authorizing party.
To better explain the embodiments of the present invention, the blockchain permission control method provided by the embodiments is described below in a specific implementation scenario. The method may be executed by a network node on chain or executed off chain, and includes the following steps:
Step 1: The authorizing party sends an authorization Token generation request to the authorization institution.
The generation request includes the parameters of the authorization Token, namely the authorization target account (in the above scenario, this may be the resource requester), the authorizing party's account, the authorized content, the authorization start and end times, the digital signature, and so on.
Step 2: The authorization institution checks the legitimacy of the authorization Token's parameters. If the check passes, step 3 is performed; otherwise, step 5 is performed.
Step 3: The authorization institution generates the authorization Token and signs it with the private key passed in by the authorizing party.
Step 4: The authorization institution sends the generated authorization Token to the authorizing party.
Step 5: The authorization institution returns a generation-failed message to the authorizing party.
To better explain the embodiments of the present invention, the blockchain permission control method provided by the embodiments is described below in a specific implementation scenario. The method may be executed by a network node on chain or executed off chain, and includes the following steps:
Step 1: The authorizing party sends the signed authorization Token to the verification institution.
Step 2: The verification institution checks the legitimacy of the authorization Token's parameters, including its validity period, signature and so on. If the check passes, step 3 is performed; otherwise, step 5 is performed.
Step 3: The verification institution accesses the permission table and checks whether the authorized content of the authorization Token is genuine and valid, for example whether the authorizing party holds the declared resource permissions that can be used for authorization. If the check passes, step 4 is performed; otherwise, step 5 is performed.
Step 4: The verification institution generates the Hash value of the authorization Token, stores it in the on-chain authorization data table, and returns to the authorizing party an upload-success message and/or the record in the authorization data table.
To better explain the embodiments of the present invention, a blockchain permission control method provided by the embodiments is described below in a specific implementation scenario. The method may be executed by a network node on chain or executed off chain, and includes the following steps:
Step 1: The resource party uploads the authorization Token to be verified.
In a possible implementation, the resource party may also optionally upload the on-chain record information corresponding to the resource requester's on-chain authorization Token, such as the index of the authorization Token's authorization digest, so that the verification institution can verify the authorization Token quickly.
Step 2: The verification institution checks the legitimacy of the authorization Token's parameters; if they are legitimate, step 3 is performed; otherwise, step 5 is performed.
Specifically, the verification institution may access the attribute management module to check whether the authorized content of the authorization Token is genuine and valid, that is, whether the authorizing party of the authorization Token holds the declared resources that can be used for authorization.
Step 3: If the on-chain record information passed in is not empty, the verification institution accesses the on-chain authorization record table, determines the Hash value of the authorization Token to be verified, and checks whether it is consistent with the Hash value in the authorization record table. If so, step 4 is performed; otherwise, step 5 is performed.
Step 4: It is determined that verification of the authorization Token uploaded by the resource party has succeeded.
Step 5: It is determined that verification of the authorization Token uploaded by the resource party has failed.
It should be noted that the verification order of step 3 and step 4 may be exchanged, which is not limited here.
FIG. 4 shows a blockchain permission control method provided by an embodiment of the present invention. As shown in FIG. 4, the method includes:
Step 401: The resource party obtains an access request for a first resource sent by the resource requester.
The access request includes an authorization credential Token, and the authorization Token includes the authorizing party and the authorized content.
Step 402: When the resource party determines that the access request satisfies the first access condition for accessing the first resource, it sends the first resource to the resource requester.
Here, the blockchain stores the authorization digests of the authorization Tokens generated by the authorizing parties.
Correspondingly, the first access condition is: an authorization digest matching the authorization Token is found in the blockchain, the authorizing party in the authorization Token is legitimate, and the authorized content in the authorization Token includes the first resource.
In the embodiments of the present invention, the resource requester carries an authorization Token and the authorization Token is verified in several ways, such as verifying its legitimacy, verifying its authorized content and verifying the authorizing party's permissions, which ensures the validity of the verification result. Moreover, because the authorizing party generates the authorization Token, the authorization Token need not be written into the permission table; the authorizing party can freely set an account's specific permissions according to its own permissions and can add to or remove from the authorized content of the authorization Token as actually needed, so that granted permissions can be freely added and removed. Compared with the prior-art approach of verifying permission rules, this avoids the rule storm caused by putting all rules on chain and improves the privacy protection of authorization Tokens. In addition, the corresponding authorization digest of the authorization Token can be stored on the blockchain; verifying the legitimacy of the authorization Token on chain guarantees its security and avoids the possibility of the authorizing party acting maliciously when it manages user permissions.
In a possible implementation, the access request further includes the authorizing party's signature; before determining that the access request satisfies the access condition for accessing the first resource, the resource party also determines from the authorizing party's signature that the authorization Token was issued by the authorizing party; the authorizing party's signature is obtained by the authorizing party signing the generated authorization Token. Verifying the authorization Token on the basis of a digital signature further improves the security of the authorization Token.
In a possible implementation, before determining that the access request satisfies the first access condition for accessing the resource, the resource party also determines that the access request does not satisfy the second access condition for accessing the resource; the second access condition is that the resource requester's account is an account recorded in the account information as having access permission for the first resource. Verifying the permissions of the resource requester's account in advance ensures that verification is comprehensive and improves its effectiveness.
The solution proposed by the present invention aims to balance flexibility and scalability and to guarantee multi-dimensional, multi-granularity authorized content and the tamper resistance of authorization Tokens. The authorizing party can divide authorization into types and can delegate its own capabilities to the authorization target account under two authorization types, attribute and resource, while authorization can also be revoked. The authorization digest of an authorization Token can be stored on the blockchain; because only the authorization digest is stored, minimal disclosure and tamper resistance are ensured. On this basis, the present invention greatly reduces the impact of rule storms and scales well.
To better explain the embodiments of the present invention, the blockchain permission control method provided by the embodiments is described below in a specific implementation scenario. The method is executed by a network node and includes the following steps:
Step 1: The resource requester sends a resource request to the resource party; the resource request includes the authorization Token and the address of the on-chain authorization record.
Step 2: The resource party checks whether the resource requester directly satisfies the second access condition for the resource without using the authorization Token; if so, step 5 is performed; otherwise, step 3 is performed.
Step 3: The resource party verifies the authorization Token through the verification institution. If verification succeeds, step 5 is performed; otherwise, step 6 is performed.
For the specific flow, see the method of verifying an authorization Token in the above embodiment; it is not repeated here.
Step 4: The resource party checks, according to the authorized content in the authorization Token, whether the authorization Token satisfies the first access condition for the resource; if so, step 5 is performed.
Step 5: The resource party returns the content of the requested resource to the resource requester.
Step 6: The resource party returns a request-failed message to the resource requester.
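The sketch below is an added example, not code from the patent or its applicant: it models the digest upload described earlier (check the grant, store only a UUID and a SHA3 hash) and the resource party's decision flow in the steps above, for both attribute-type and resource-type Tokens. The field names, the JSON encoding, the sample accounts and the target-account check are assumptions of the example, and the authorizing party's signature check is left out because Python's standard library has no public-key signatures.

```python
import hashlib
import json
import uuid
from dataclasses import dataclass, asdict

# Constructed account information (sample data, not from the patent):
# account -> attributes, and attribute -> resources it may access.
ACCOUNT_ATTRS = {"alice": {"doctor"}, "bob": {"visitor"}, "carol": {"visitor"}}
ATTR_RESOURCES = {"doctor": {"record/42", "record/43"}, "visitor": {"lobby/map"}}


@dataclass(frozen=True)
class Token:
    grantor: str       # authorizing party's account
    grantee: str       # authorization target account
    kind: str          # "attribute" or "resource" (the two record types)
    content: tuple     # granted attributes, or granted resources
    not_before: int    # authorization start time, Unix seconds
    not_after: int     # authorization end time, Unix seconds


def digest(token):
    """Authorization digest: SHA3-256 over a canonical JSON encoding (assumed format)."""
    blob = json.dumps(asdict(token), sort_keys=True, separators=(",", ":"))
    return hashlib.sha3_256(blob.encode()).hexdigest()


def expand(attrs):
    """Union of the resources that each attribute in attrs gives access to."""
    return set().union(*(ATTR_RESOURCES.get(a, set()) for a in attrs))


def resources_of(account):
    """Resources reachable through account -> attribute -> resource permission."""
    return expand(ACCOUNT_ATTRS.get(account, ()))


def granted_resources(token):
    """Expand the authorized content to concrete resources for either Token type."""
    if token.kind == "resource":
        return set(token.content)
    if token.kind == "attribute":
        return expand(token.content)
    return set()  # an unknown type grants nothing


def grantor_is_legitimate(token):
    """The authorizing party may only pass on attributes or resources it holds."""
    if not token.content or token.kind not in ("attribute", "resource"):
        return False
    if token.kind == "attribute":
        return set(token.content) <= ACCOUNT_ATTRS.get(token.grantor, set())
    return set(token.content) <= resources_of(token.grantor)


class AuthorizationTable:
    """Stand-in for the on-chain record table: add-only, UUID and hash per record."""

    def __init__(self):
        self._records = {}

    def upload(self, token):
        """Check the grant, store only the digest, return the record index."""
        if not grantor_is_legitimate(token):
            return None  # upload refused
        index = str(uuid.uuid4())
        self._records[index] = digest(token)
        return index

    def contains(self, token, index=None):
        """Compare against one record when an index is supplied, else scan the table."""
        if index is not None:
            return self._records.get(index) == digest(token)
        return digest(token) in self._records.values()


def decide_access(table, requester, resource, now, token=None, index=None):
    """Resource party's decision for one request; returns (allowed, reason)."""
    # Second access condition: the requester's own account already has access.
    if resource in resources_of(requester):
        return True, "direct"
    if token is None:
        return False, "no-token"
    # Added check, an assumption of this example: the Token names this requester.
    if token.grantee != requester:
        return False, "wrong-target"
    if not token.not_before <= now <= token.not_after:
        return False, "outside-validity"
    # First access condition, in its three parts.
    if not table.contains(token, index):
        return False, "no-digest"
    if not grantor_is_legitimate(token):
        return False, "grantor"
    if resource not in granted_resources(token):
        return False, "not-granted"
    return True, "token"
```

Because only the digest is recorded, a Token whose content was widened after upload no longer matches any record and is rejected with `no-digest`.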
Exemplarily, in the embodiments of the present invention, the authorization institution is an institution off the blockchain and the verification institution is an institution on the blockchain; or, the authorization institution and the verification institution are both institutions off the blockchain.
Based on the same technical concept, an embodiment of the present invention provides a blockchain permission setting apparatus.
FIG. 5 is a schematic structural diagram of a blockchain permission setting apparatus provided by an embodiment of the present invention. As shown in FIG. 5, it includes:
a transceiver unit 501, configured to receive a verification request sent by a resource party, the verification request including an authorization Token;
a processing unit 502, configured to search the blockchain for an authorization digest matching the authorization Token; the blockchain stores the authorization digests of the authorization Tokens generated by the authorizing parties;
the transceiver unit 501 is further configured to send a verification-passed message to the resource party after an authorization digest matching the authorization Token is found.
In a possible implementation, the transceiver unit 501 is further configured to receive an upload request sent by an authorizing party, the upload request including an authorization Token;
the processing unit 502 is further configured to upload the authorization digest of the authorization Token to the blockchain after verifying that the authorizing party in the authorization Token is legitimate and that the authorized content in the authorization Token includes the authorized resources.
In a possible implementation, the blockchain also stores account information, and the account information includes the correspondence between accounts and attributes and the correspondence between attributes and resource permissions;
the processing unit 502 is specifically configured to determine the attributes of the authorizing party according to the correspondence between accounts and attributes; to determine, according to the correspondence between attributes and resource permissions, whether the attributes of the authorizing party carry access permission for the authorized content in the authorization Token; and, if so, to determine that the authorizing party of the authorization Token is legitimate.
In a possible implementation, the authorization Token is generated by an authorization institution.
FIG. 6 is a schematic structural diagram of another blockchain permission setting apparatus provided by an embodiment of the present invention. As shown in FIG. 6, it includes:
a transceiver unit 601, configured to obtain an access request for a first resource sent by a resource requester; the access request includes an authorization credential Token; the authorization Token includes an authorizing party and authorized content;
a processing unit 602, configured to send the first resource to the resource requester when it determines that the access request satisfies the first access condition for accessing the first resource; the first access condition is that an authorization digest matching the authorization Token is found through the blockchain, the authorizing party in the authorization Token is legitimate, and the authorized content in the authorization Token includes the first resource; the blockchain stores the authorization digests of the authorization Tokens generated by the authorizing parties.
In a possible implementation, the access request further includes the authorizing party's signature, which is obtained by the authorizing party signing the generated authorization Token;
before determining that the access request satisfies the access condition for accessing the first resource, the processing unit 602 is further configured to:
determine from the authorizing party's signature that the authorization Token was issued by the authorizing party.
In a possible implementation, before determining that the access request satisfies the first access condition for accessing the resource, the processing unit 602 is further configured to:
determine that the access request does not satisfy the second access condition for accessing the resource; the second access condition is that the resource requester's account is an account recorded in the account information as having access permission for the first resource.
In a possible implementation, the authorized content includes authorized attributes;
the processing unit 602 is specifically configured to look up, based on the authorized attribute and in the correspondence between attributes and resource permissions, whether the resources corresponding to the authorized attribute include the first resource; and, if they do, to determine that the authorized content in the authorization Token includes the first resource.
In a possible implementation, the authorized content includes authorized resources;
the processing unit 602 is specifically configured to determine that the authorized content in the authorization Token includes the first resource if the authorized resources in the authorized content include the first resource.
Based on the same technical concept, an embodiment of the present invention provides a computing device which, as shown in FIG. 7, includes at least one processor 701 and a memory 702 connected to the at least one processor. The embodiment of the present invention does not limit the specific connection medium between the processor 701 and the memory 702; in FIG. 7 the processor 701 and the memory 702 are connected by a bus as an example. The bus may be divided into an address bus, a data bus, a control bus, and so on.
In the embodiment of the present invention, the memory 702 stores instructions executable by the at least one processor 701, and by executing the instructions stored in the memory 702 the at least one processor 701 can perform the steps included in the aforementioned permission control method for a blockchain.
The processor 701 is the control center of the computing device. It can use various interfaces and lines to connect the parts of the computing device, and it controls permissions by running or executing the instructions stored in the memory 702 and calling the data stored in the memory 702. Optionally, the processor 701 may include one or more processing units, and the processor 701 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, application programs and the like, and the modem processor mainly handles wireless communication. It can be understood that the modem processor may also not be integrated into the processor 701. In some embodiments the processor 701 and the memory 702 may be implemented on the same chip; in some embodiments they may also be implemented separately on independent chips.
The processor 701 may be a general-purpose processor, such as a central processing unit (CPU), a digital signal processor, an application specific integrated circuit (ASIC), a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present invention may be directly embodied as being executed by a hardware processor, or executed by a combination of hardware and software modules in the processor.
The memory 702, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. The memory 702 may include at least one type of storage medium, for example flash memory, hard disk, multimedia card, card-type memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic memory, magnetic disk, optical disc, and so on. The memory 702 is any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. The memory 702 in the embodiment of the present invention may also be a circuit or any other device capable of realizing a storage function, used to store program instructions and/or data.
Based on the same inventive concept, an embodiment of the present invention provides a computer-readable medium that stores a computer program executable by a terminal device; when the program runs on the terminal device, it causes the terminal device to perform the steps of the permission control method for a blockchain.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present invention. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing equipment to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing equipment produce a device for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions can also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
Although the preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications falling within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.

Claims (13)

  1. A permission control method for a blockchain, characterized in that the method comprises:
    a verification agency receiving a verification request sent by a resource party, the verification request including an authorization token (Token);
    the verification agency searching, through the blockchain, for an authorization digest matching the authorization Token; the blockchain storing the authorization digests of the authorization Tokens generated by each authorizing party;
    the verification agency, after finding the authorization digest matching the authorization Token, sending a verification-passed message to the resource party.
  2. The method according to claim 1, characterized in that the method further comprises:
    the verification agency receiving an upload request sent by an authorizing party, the upload request including an authorization Token;
    the verification agency, on verifying that the authorizing party in the authorization Token is legitimate and that the authorization content in the authorization Token includes authorized resources, uploading the authorization digest of the authorization Token to the blockchain.
  3. The method according to claim 2, characterized in that account information is also stored in the blockchain, the account information including a correspondence between accounts and attributes and a correspondence between attributes and resource permissions;
    the verification agency verifying that the authorizing party in the authorization Token is legitimate comprises:
    determining the attributes of the authorizing party according to the correspondence between accounts and attributes;
    determining, according to the correspondence between attributes and resource permissions, whether the attributes of the authorizing party have access permission for the authorization content in the authorization Token;
    if so, determining that the authorizing party of the authorization Token is legitimate.
  4. The method according to claim 1, characterized in that the authorization Token is generated by an authorizing institution.
  5. A permission control method for a blockchain, characterized in that the method comprises:
    a resource party obtaining an access request for a first resource sent by a resource requester; the access request including an authorization credential (Token); the authorization Token including an authorizing party and authorization content;
    the resource party, on determining that the access request satisfies a first access condition for accessing the first resource, sending the first resource to the resource requester; the first access condition being that an authorization digest matching the authorization Token is found through the blockchain, the authorizing party in the authorization Token is legitimate, and the authorization content in the authorization Token includes the first resource; the blockchain storing the authorization digests of the authorization Tokens generated by each authorizing party.
  6. The method according to claim 5, characterized in that the access request further includes an authorizing-party signature;
    before the resource party determines that the access request satisfies the access condition for accessing the first resource, the method further comprises:
    the resource party determining, by means of the authorizing-party signature, that the authorization Token was issued by the authorizing party; the authorizing-party signature being obtained by the authorizing party signing the generated authorization Token.
  7. The method according to claim 6, characterized in that, before the resource party determines that the access request satisfies the first access condition for accessing the resource, the method further comprises:
    the resource party determining that the access request does not satisfy a second access condition for accessing the resource; the second access condition being that the account of the resource requester is an account recorded in the account information as having access permission for the first resource.
  8. The method according to claim 5, characterized in that the authorization content includes an authorized attribute; that the authorization content in the authorization Token includes the first resource is determined as follows:
    looking up, according to the authorized attribute and in the correspondence between attributes and resource permissions, whether the resources corresponding to the authorized attribute include the first resource;
    if it is determined that they include the first resource, determining that the authorization content in the authorization Token includes the first resource.
  9. The method according to claim 5, characterized in that the authorization content includes authorized resources; that the authorization content in the authorization Token includes the first resource is determined as follows:
    if it is determined that the authorized resources in the authorization content include the first resource, determining that the authorization content in the authorization Token includes the first resource.
  10. A permission control apparatus for a blockchain, characterized in that the apparatus comprises:
    a transceiver unit, configured to receive a verification request sent by a resource party, the verification request including an authorization Token;
    a processing unit, configured to search, through the blockchain, for an authorization digest matching the authorization Token; the blockchain storing the authorization digests of the authorization Tokens generated by each authorizing party;
    the transceiver unit being further configured to send a verification-passed message to the resource party after the authorization digest matching the authorization Token is found.
  11. A permission control apparatus for a blockchain, characterized in that the apparatus comprises:
    a transceiver unit, configured to obtain an access request for a first resource sent by a resource requester; the access request including an authorization credential (Token); the authorization Token including an authorizing party and authorization content;
    a processing unit, configured to send the first resource to the resource requester on determining that the access request satisfies a first access condition for accessing the first resource; the first access condition being that an authorization digest matching the authorization Token is found through the blockchain, the authorizing party in the authorization Token is legitimate, and the authorization content in the authorization Token includes the first resource; the blockchain storing the authorization digests of the authorization Tokens generated by each authorizing party.
  12. A computer device, characterized by comprising at least one processing unit and at least one storage unit, wherein the storage unit stores a computer program which, when executed by the processing unit, causes the processing unit to perform the steps of the method according to any one of claims 1 to 4 or claims 5 to 9.
  13. A computer-readable medium, characterized in that it stores a computer program executable by a terminal device, and when the program runs on the terminal device, it causes the terminal device to perform the steps of the method according to any one of claims 1 to 4 or claims 5 to 9.
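The resource-side decision of claims 5 and 7 to 9, together with the upload check of claims 2 and 3, written out as an added Python example; it is not code from the patent or the applicant. Assumptions: an in-memory `Ledger` stands in for the blockchain, the digest is SHA-256 over canonical JSON, the token field names are invented, claim 3 is read as "the authorizing party can itself access everything it grants", and the signature check of claim 6 is left out.

```python
import hashlib
import json
from dataclasses import dataclass, field


def token_digest(token: dict) -> str:
    """Digest of a token: SHA-256 over canonical JSON (both are assumptions)."""
    canonical = json.dumps(token, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class Ledger:
    """In-memory stand-in for the on-chain state named in claims 1 to 3."""
    account_attrs: dict    # account -> set of attributes
    attr_resources: dict   # attribute -> set of resources it may access
    digests: set = field(default_factory=set)

    def resources_of_account(self, account: str) -> set:
        out = set()
        for attr in self.account_attrs.get(account, ()):
            out |= self.attr_resources.get(attr, set())
        return out

    def granted_resources(self, token: dict) -> set:
        """Claims 8 and 9: content lists attributes, resources, or both."""
        content = token["content"]
        out = set(content.get("resources", ()))
        for attr in content.get("attributes", ()):
            out |= self.attr_resources.get(attr, set())
        return out

    def authorizer_is_legitimate(self, token: dict) -> bool:
        """Claim 3, read here as: the authorizer may access all it grants."""
        granted = self.granted_resources(token)
        own = self.resources_of_account(token["authorizer"])
        return bool(granted) and granted <= own

    def upload(self, token: dict) -> bool:
        """Claim 2: record the digest only for a legitimate authorizer."""
        if not self.authorizer_is_legitimate(token):
            return False
        self.digests.add(token_digest(token))
        return True


def decide_access(ledger, requester, resource, token=None) -> str:
    # Claim 7: try the requester's own account permissions first.
    if resource in ledger.resources_of_account(requester):
        return "allow:account"
    if token is None:
        return "deny:no-token"
    # Claim 5, first access condition: all three checks must pass.
    if token_digest(token) not in ledger.digests:
        return "deny:digest-not-on-chain"
    if not ledger.authorizer_is_legitimate(token):
        return "deny:authorizer-not-legitimate"
    if resource not in ledger.granted_resources(token):
        return "deny:resource-not-in-token"
    return "allow:token"


def build_demo():
    """Constructed sample data: accounts, attributes, resources are invented."""
    ledger = Ledger(
        account_attrs={"alice": {"doctor"}, "bob": set()},
        attr_resources={"doctor": {"record-17", "record-18"},
                        "nurse": {"record-18"}},
    )
    token = {"authorizer": "alice", "content": {"resources": ["record-17"]}}
    ledger.upload(token)
    return ledger, token


if __name__ == "__main__":
    ledger, token = build_demo()
    print(decide_access(ledger, "bob", "record-17", token))
    altered = {"authorizer": "alice",
               "content": {"resources": ["record-17", "record-99"]}}
    print(decide_access(ledger, "bob", "record-99", altered))
```

Because the authorizing party's legitimacy is re-evaluated at access time, a token whose digest is already on the ledger stops working once the account-to-attribute mapping no longer covers what it grants.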
PCT/CN2020/080519 2019-04-11 2020-03-20 Permission control method and apparatus for blockchain WO2020207233A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910287244.5 2019-04-11
CN201910287244.5A CN110069908A (en) 2019-04-11 2019-04-11 A kind of authority control method and device of block chain

Publications (1)

Publication Number Publication Date
WO2020207233A1 true WO2020207233A1 (en) 2020-10-15

Family

ID=67367576

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/080519 WO2020207233A1 (en) 2019-04-11 2020-03-20 Permission control method and apparatus for blockchain

Country Status (2)

Country Link
CN (1) CN110069908A (en)
WO (1) WO2020207233A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106209749A (en) * 2015-05-08 2016-12-07 阿里巴巴集团控股有限公司 Single-point logging method and the processing method and processing device of device, relevant device and application
CN108599936A (en) * 2018-04-20 2018-09-28 西安电子科技大学 A kind of OpenStack increases income the safety certifying method of cloud user
CN108833363A (en) * 2018-05-23 2018-11-16 文丹 A kind of block chain right management method and system
CN109242636A (en) * 2018-09-26 2019-01-18 盈盈(杭州)网络技术有限公司 A kind of data transacting system and its implementation based on block chain
CN110069908A (en) * 2019-04-11 2019-07-30 深圳前海微众银行股份有限公司 A kind of authority control method and device of block chain

Also Published As

Publication number Publication date
CN110069908A (en) 2019-07-30

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20786997

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 31.01.2022)

122 Ep: pct application non-entry in european phase

Ref document number: 20786997

Country of ref document: EP

Kind code of ref document: A1