Access control policy configuration method, device and system and storage medium

Document No.: 1398613  Publication date: 2020-03-03  Language: Chinese

Reading note: This technology, "Access control policy configuration method, device and system and storage medium" (访问控制策略配置方法、装置和系统以及存储介质), was designed and created by 张乾, 赵君杰 and 苏京 on 2018-08-22. Its main content: the disclosure provides an access control policy configuration method, device and system and a storage medium, relating to the technical field of the Internet of Things, wherein the method comprises: when creating a second resource, determining whether an access control policy inheritance attribute is set for the second resource; and configuring the access control policy of the second resource according to the determination result. The method, device, system and storage medium of the disclosure can determine, according to the access control policy inheritance attribute, whether to inherit the access policy authority of the parent resource, can efficiently set and change the access control policy of a child resource, can configure and modify the access control policy according to the user's indication of the inheritance relationship, improve the efficiency of setting and changing the access control policy of a resource, and improve the relevant standards for existing access control policies.

1. An access control policy configuration method for a first resource, the method comprising:

when creating a second resource, determining whether an access control policy inheritance attribute is set for the second resource;

and configuring the access control policy of the second resource according to the determination result.

2. The method of claim 1, wherein configuring the access control policy of the second resource according to the determination result comprises:

if the access control policy inheritance attribute is set, judging, based on the access control policy inheritance attribute, whether the second resource inherits the access control policy of a parent resource having a parent-child inheritance relationship with the second resource;

and setting the access control policy of the second resource according to the judgment result.

3. The method of claim 2, further comprising:

if the attribute value of the access control policy inheritance attribute is a first set value, determining that the second resource inherits the access control policy of the parent resource;

if the attribute value of the access control policy inheritance attribute is a second set value, determining that the second resource does not inherit the access control policy of the parent resource;

and if the attribute value of the access control policy inheritance attribute is a third set value, determining whether the second resource inherits the access control policy of the parent resource according to a preset setting rule.

4. The method of claim 3, wherein configuring the access control policy of the second resource comprises:

when the attribute value of the access control policy inheritance attribute is the first set value, setting a second access control policy identifier attribute of the second resource according to a first access control policy identifier attribute of the parent resource;

when the attribute value of the access control policy inheritance attribute is the second set value, requesting an application layer to formulate the second access control policy identifier attribute;

and when the attribute value of the access control policy inheritance attribute is the third set value, setting the second access control policy identifier attribute according to the first access control policy identifier attribute of the parent resource, or requesting the application layer to formulate the second access control policy identifier attribute.

5. The method of claim 4, further comprising:

when the second resource is created, determining whether a third access control policy identifier attribute is set for the second resource;

and if the third access control policy identifier attribute is set, adding the third access control policy identifier attribute to the second access control policy identifier attribute.

6. The method of claim 5, further comprising:

for a second resource whose access control policy inheritance attribute has the first set value, if access control policy identifier information is added to or deleted from the first access control policy identifier attribute corresponding to the second resource, correspondingly adding or deleting that access control policy identifier information in the second access control policy identifier attribute of the second resource.

7. The method of claim 5, further comprising:

receiving a resource creation message for creating the second resource, wherein the resource creation message carries an attribute value of the access control policy inheritance attribute, or carries an attribute value of the access control policy inheritance attribute together with the third access control policy identifier attribute;

and setting the second access control policy identifier attribute and returning.

8. The method of claim 2, further comprising:

if the access control policy inheritance attribute is not set, configuring the access control policy of the second resource based on a preset policy configuration rule.

9. An access control policy configuration apparatus for a first resource, comprising:

an attribute determining module configured to determine, when a second resource is created, whether an access control policy inheritance attribute is set for the second resource;

and a control policy configuration module configured to configure the access control policy of the second resource according to the determination result.

10. The apparatus of claim 9, wherein,

the control policy configuration module comprises:

an inheritance judging unit configured to judge, based on the access control policy inheritance attribute, whether the second resource inherits the access control policy of a parent resource having a parent-child inheritance relationship with the second resource, if the access control policy inheritance attribute is set;

and a policy setting unit configured to set the access control policy of the second resource according to the judgment result.

11. The apparatus of claim 10, wherein,

the inheritance judging unit is configured to determine that the second resource inherits the access control policy of the parent resource if the attribute value of the access control policy inheritance attribute is a first set value, and to determine that the second resource does not inherit the access control policy of the parent resource if the attribute value of the access control policy inheritance attribute is a second set value;

and the policy setting unit is configured to determine, according to a preset setting rule, whether the second resource inherits the access control policy of the parent resource if the attribute value of the access control policy inheritance attribute is a third set value.

12. The apparatus of claim 11, wherein,

the policy setting unit is configured to set a second access control policy identifier attribute of the second resource according to a first access control policy identifier attribute of the parent resource when the attribute value of the access control policy inheritance attribute is the first set value, and to request an application layer to formulate the second access control policy identifier attribute when the attribute value of the access control policy inheritance attribute is the second set value;

and the policy setting unit is configured to set the second access control policy identifier attribute according to the first access control policy identifier attribute of the parent resource, or to request the application layer to formulate the second access control policy identifier attribute, when the attribute value of the access control policy inheritance attribute is the third set value.

13. The apparatus of claim 12, wherein,

the attribute determining module is configured to determine, when the second resource is created, whether a third access control policy identifier attribute is set for the second resource;

and the policy setting unit is configured to add the third access control policy identifier attribute to the second access control policy identifier attribute if the third access control policy identifier attribute is set.

14. The apparatus of claim 13, wherein,

the control policy configuration module further comprises:

a policy updating module configured to, for a second resource whose access control policy inheritance attribute has the first set value, add or delete access control policy identifier information in the second access control policy identifier attribute of the second resource if that access control policy identifier information is added to or deleted from the first access control policy identifier attribute corresponding to the second resource.

15. The apparatus of claim 13, wherein,

the attribute determining module is configured to receive a resource creation message for creating the second resource, where the resource creation message carries an attribute value of the access control policy inheritance attribute, or carries an attribute value of the access control policy inheritance attribute together with the third access control policy identifier attribute;

and the policy setting unit is configured to set the second access control policy identifier attribute and to return.

16. The apparatus of claim 10, wherein,

the policy setting unit is configured to configure the access control policy of the second resource based on a preset policy configuration rule if the access control policy inheritance attribute is not set.

17. An access control policy configuration system comprising:

a first resource and a second resource, the first resource comprising the access control policy configuration apparatus according to any one of claims 9 to 16.

18. The system of claim 17, wherein,

the first resource comprises a common services entity, and the second resource comprises an application entity.

19. An access control policy configuration apparatus comprising:

a memory; and a processor coupled to the memory, the processor configured to perform the method of any of claims 1-8 based on instructions stored in the memory.

20. A computer readable storage medium having stored thereon computer program instructions which, when executed by one or more processors, implement the steps of the method of any one of claims 1 to 8.

Technical Field

The present disclosure relates to the field of internet of things technology, and in particular, to a method, an apparatus, and a system for configuring an access control policy, and a storage medium.

Background

In the Internet of Things, access control for resources generally uses attribute-based access control, in which resource access is controlled by setting resource attributes. An access control policy (accessControlPolicy) resource stores the access control policy content, i.e. the content against which a request is evaluated to decide whether it can be authorized. The target resource is linked to access control policy resources through the attribute value of its access control policy identifier (accessControlPolicyIDs) attribute, and a request to access the target resource can complete the request authorization operation only by passing the authorization verification of one or more of the access control policy resources referenced in that attribute value.

In the related art, if the target resource has not set its own access control policy identifier attribute value, authorization evaluation is performed according to the access control policy resources corresponding to the access control policy identifier attribute value of its parent resource. When a target resource is created, if the access control policy identifier attribute value of the target resource is set, the target resource does not inherit the policy authority of the parent resource; alternatively, a target resource that has no access control policy identifier attribute value of its own inherits the access control policy of the parent resource, but once its own access control policy identifier attribute value is separately added, it no longer inherits the policy authority of the parent resource. If the user wants a target resource that has its own access control policy identifier attribute value to also inherit the policy authority of the parent resource, the user must regenerate a new access control policy after the target resource is created and then deploy the new access control policy.
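As an added illustration of the related-art behaviour just described (constructed example code, not part of the patent and not any oneM2M implementation), the following Python models the two rules: a target resource without its own accessControlPolicyIDs attribute is evaluated under the nearest ancestor's list, and a request succeeds only if at least one referenced accessControlPolicy resource authorizes it. The policy contents, resource names and the originator/operation rule format are simplified assumptions; the `demo` function reproduces the case the background describes, where adding a list of the child's own cuts off the parent's authority.

```python
"""Evaluation in the related-art scheme (constructed example): each resource may
carry an accessControlPolicyIDs list, a resource without one is evaluated under
its nearest ancestor's list, and a request succeeds only if at least one
referenced policy grants it."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed accessControlPolicy resources, keyed by identifier. Each one is
# simplified to a single rule: which originators may perform which operations.
ACPS: Dict[str, Dict[str, Set[str]]] = {
    "acp_admin": {"originators": {"admin"},
                  "operations": {"CREATE", "RETRIEVE", "UPDATE", "DELETE"}},
    "acp_reader": {"originators": {"analyst"}, "operations": {"RETRIEVE"}},
}


@dataclass
class Resource:
    name: str
    parent: Optional["Resource"] = None
    acp_ids: Optional[List[str]] = None  # None: attribute not set on this resource


def effective_acp_ids(res: Resource) -> List[str]:
    """Related-art rule: walk up until a resource with its own list is found."""
    node: Optional[Resource] = res
    while node is not None:
        if node.acp_ids is not None:
            return node.acp_ids
        node = node.parent
    return []  # no policy anywhere on the path: nothing can authorize


def is_authorized(res: Resource, originator: str, operation: str) -> bool:
    """Authorize if at least one referenced policy grants the operation."""
    for acp_id in effective_acp_ids(res):
        acp = ACPS.get(acp_id)
        if acp is None:
            continue  # dangling identifier grants nothing
        if originator in acp["originators"] and operation in acp["operations"]:
            return True
    return False


def demo() -> List[bool]:
    """The background's point: the child inherits the parent's policy only while
    it has no list of its own; adding one cuts the parent's authority off."""
    cse = Resource("cse", acp_ids=["acp_admin"])
    ae = Resource("ae", parent=cse)                    # no own attribute yet
    before = is_authorized(ae, "admin", "DELETE")      # True, via the parent
    ae.acp_ids = ["acp_reader"]                        # own list added later
    after = is_authorized(ae, "admin", "DELETE")       # False: no longer inherited
    reader = is_authorized(ae, "analyst", "RETRIEVE")  # True, via the own list
    return [before, after, reader]
```

The `demo` sequence returns `[True, False, True]`: the administrator loses DELETE on the child the moment the child receives its own identifier list, which is exactly the situation the disclosure's inheritance attribute is meant to address.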

BRIEF SUMMARY OF THE PRESENT DISCLOSURE

In view of the above, an object of the present disclosure is to provide an access control policy configuration method, apparatus and system, and a storage medium.

According to an aspect of the present disclosure, there is provided an access control policy configuration method for a first resource, the method comprising: when creating a second resource, determining whether an access control policy inheritance attribute is set for the second resource; and configuring the access control policy of the second resource according to the determination result.

Optionally, configuring the access control policy of the second resource according to the determination result includes: if the access control policy inheritance attribute is set, judging, based on the access control policy inheritance attribute, whether the second resource inherits the access control policy of a parent resource having a parent-child inheritance relationship with the second resource; and setting the access control policy of the second resource according to the judgment result.

Optionally, if the attribute value of the access control policy inheritance attribute is a first set value, it is determined that the second resource inherits the access control policy of the parent resource; if the attribute value of the access control policy inheritance attribute is a second set value, it is determined that the second resource does not inherit the access control policy of the parent resource; and if the attribute value of the access control policy inheritance attribute is a third set value, whether the second resource inherits the access control policy of the parent resource is determined according to a preset setting rule.

Optionally, configuring the access control policy of the second resource includes: when the attribute value of the access control policy inheritance attribute is the first set value, setting a second access control policy identifier attribute of the second resource according to a first access control policy identifier attribute of the parent resource; when the attribute value of the access control policy inheritance attribute is the second set value, requesting an application layer to formulate the second access control policy identifier attribute; and when the attribute value of the access control policy inheritance attribute is the third set value, setting the second access control policy identifier attribute according to the first access control policy identifier attribute of the parent resource, or requesting the application layer to formulate the second access control policy identifier attribute.

Optionally, when the second resource is created, it is determined whether a third access control policy identifier attribute is set for the second resource; and if the third access control policy identifier attribute is set, the third access control policy identifier attribute is added to the second access control policy identifier attribute.

Optionally, for a second resource whose access control policy inheritance attribute has the first set value, if access control policy identifier information is added to or deleted from the first access control policy identifier attribute corresponding to the second resource, that access control policy identifier information is correspondingly added to or deleted from the second access control policy identifier attribute of the second resource.

Optionally, a resource creation message for creating the second resource is received, where the resource creation message carries an attribute value of the access control policy inheritance attribute, or carries an attribute value of the access control policy inheritance attribute together with the third access control policy identifier attribute; and the second access control policy identifier attribute is set and a response is returned.

Optionally, if the access control policy inheritance attribute is not set, the access control policy of the second resource is configured based on a preset policy configuration rule.

According to another aspect of the present disclosure, there is provided an access control policy configuration apparatus for a first resource, including: an attribute determining module configured to determine, when a second resource is created, whether an access control policy inheritance attribute is set for the second resource; and a control policy configuration module configured to configure the access control policy of the second resource according to the determination result.

Optionally, the control policy configuration module includes: an inheritance judging unit configured to judge, based on the access control policy inheritance attribute, whether the second resource inherits the access control policy of a parent resource having a parent-child inheritance relationship with the second resource, if the access control policy inheritance attribute is set; and a policy setting unit configured to set the access control policy of the second resource according to the judgment result.

Optionally, the inheritance judging unit is configured to determine that the second resource inherits the access control policy of the parent resource if the attribute value of the access control policy inheritance attribute is a first set value, and to determine that the second resource does not inherit the access control policy of the parent resource if the attribute value of the access control policy inheritance attribute is a second set value; and the policy setting unit is configured to determine, according to a preset setting rule, whether the second resource inherits the access control policy of the parent resource if the attribute value of the access control policy inheritance attribute is a third set value.

Optionally, the policy setting unit is configured to set a second access control policy identifier attribute of the second resource according to a first access control policy identifier attribute of the parent resource when the attribute value of the access control policy inheritance attribute is the first set value, and to request an application layer to formulate the second access control policy identifier attribute when the attribute value of the access control policy inheritance attribute is the second set value; and the policy setting unit is configured to set the second access control policy identifier attribute according to the first access control policy identifier attribute of the parent resource, or to request the application layer to formulate the second access control policy identifier attribute, when the attribute value of the access control policy inheritance attribute is the third set value.

Optionally, the attribute determining module is configured to determine, when the second resource is created, whether a third access control policy identifier attribute is set for the second resource; and the policy setting unit is configured to add the third access control policy identifier attribute to the second access control policy identifier attribute if the third access control policy identifier attribute is set.

Optionally, the control policy configuration module further includes: a policy updating module configured to, for a second resource whose access control policy inheritance attribute has the first set value, add or delete access control policy identifier information in the second access control policy identifier attribute of the second resource if that access control policy identifier information is added to or deleted from the first access control policy identifier attribute corresponding to the second resource.

Optionally, the attribute determining module is configured to receive a resource creation message for creating the second resource, where the resource creation message carries an attribute value of the access control policy inheritance attribute, or carries an attribute value of the access control policy inheritance attribute together with the third access control policy identifier attribute; and the policy setting unit is configured to set the second access control policy identifier attribute and to return a response.

Optionally, the policy setting unit is configured to configure the access control policy of the second resource based on a preset policy configuration rule if the access control policy inheritance attribute is not set.

According to still another aspect of the present disclosure, there is provided an access control policy configuration system including: a first resource and a second resource, the first resource comprising an access control policy configuration apparatus as described above.

Optionally, the first resource includes a common services entity, and the second resource includes an application entity.

According to still another aspect of the present disclosure, there is provided an access control policy configuration apparatus including: a memory; and a processor coupled to the memory, the processor configured to perform the method as described above based on instructions stored in the memory.

According to yet another aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon computer program instructions which, when executed by one or more processors, implement the steps of the method as described above.

The access control policy configuration method, apparatus, system and storage medium of the present disclosure can determine, according to the access control policy inheritance attribute, whether to inherit the access policy authority of the parent resource; can efficiently set and change the access control policy of a child resource; can configure and modify the access control policy according to the user's indication of the inheritance relationship; improve the efficiency of setting and changing the access control policy of a resource; improve the relevant standards for existing access control policies; and improve the user experience.
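The method summarized above, as an added worked example in Python (constructed here; it is not the patent's own code nor any oneM2M implementation). The first, second and third set values are given the assumed names `INHERIT`, `NO_INHERIT` and `DEFAULT`; the preset setting rule (for the third set value) and the preset configuration rule (for an unset attribute) are constructed choices; and `application_layer_formulate` is a hypothetical stand-in for the request to the application layer. The claims' first, second and third identifier attributes correspond here to the parent's list, the child's list and the extra identifiers carried in the creation message, and `update_acp_ids` implements the propagation of later additions and deletions to resources whose attribute has the first set value.

```python
"""Constructed example of the disclosed configuration method: a child's
accessControlPolicyIDs (the "second identifier attribute") is derived from the
parent's list (the "first identifier attribute") under control of an
inheritance attribute, extra identifiers (the "third identifier attribute") are
appended, and later changes to the parent's list are mirrored into children
whose inheritance attribute is the first set value."""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

# The three set values of the inheritance attribute. These names are assumed;
# the patent only speaks of a first, second and third set value.
INHERIT = "inherit"         # first set value: copy the parent's list
NO_INHERIT = "no_inherit"   # second set value: application layer formulates a list
DEFAULT = "default"         # third set value: decide by a preset setting rule


@dataclass
class Resource:
    name: str
    parent: Optional["Resource"] = None
    acp_ids: List[str] = field(default_factory=list)   # accessControlPolicyIDs
    inherit_attr: Optional[str] = None                 # None: attribute not set
    children: List["Resource"] = field(default_factory=list)


def application_layer_formulate(name: str) -> List[str]:
    """Hypothetical stand-in for asking the application layer to formulate a list."""
    return [f"acp_app_{name}"]


def preset_setting_rule(parent: Resource) -> bool:
    """Constructed rule for the third set value: inherit when the parent has policies."""
    return bool(parent.acp_ids)


def create_resource(parent: Resource, name: str, inherit_attr: Optional[str] = None,
                    extra_acp_ids: Optional[Sequence[str]] = None) -> Resource:
    """Determine the inheritance attribute, judge inheritance, set the second
    identifier attribute, then merge in the third identifier attribute."""
    child = Resource(name=name, parent=parent, inherit_attr=inherit_attr)
    if inherit_attr is None:
        # Attribute not set: preset configuration rule, constructed as "copy parent".
        inherits = True
    elif inherit_attr == INHERIT:
        inherits = True
    elif inherit_attr == NO_INHERIT:
        inherits = False
    elif inherit_attr == DEFAULT:
        inherits = preset_setting_rule(parent)
    else:
        raise ValueError(f"unknown inheritance attribute value: {inherit_attr!r}")
    child.acp_ids = list(parent.acp_ids) if inherits else application_layer_formulate(name)
    for acp_id in extra_acp_ids or []:   # third identifier attribute, if carried
        if acp_id not in child.acp_ids:
            child.acp_ids.append(acp_id)
    parent.children.append(child)
    return child


def update_acp_ids(res: Resource, add: Sequence[str] = (), remove: Sequence[str] = ()) -> None:
    """Add/delete identifiers on `res`, then mirror the same change into every
    child whose inheritance attribute is the first set value (recursively, so a
    grandchild that inherits from an inheriting child is updated too)."""
    for acp_id in add:
        if acp_id not in res.acp_ids:
            res.acp_ids.append(acp_id)
    for acp_id in remove:
        if acp_id in res.acp_ids:
            res.acp_ids.remove(acp_id)
    for child in res.children:
        if child.inherit_attr == INHERIT:
            update_acp_ids(child, add, remove)
```

Design note: only the first set value subscribes a child to later changes, matching the optional step that restricts propagation to resources whose attribute value is the first set value; a child created with the third set value keeps whatever the preset rule gave it at creation time, and a child created with the second set value keeps the list the application layer formulated.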

Drawings

In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.

Fig. 1 is a schematic flowchart illustrating an embodiment of an access control policy configuration method according to the present disclosure;

Fig. 2 is a schematic flowchart of setting an access control policy in an embodiment of an access control policy configuration method according to the present disclosure;

Fig. 3 is a schematic flowchart of setting an access control policy in another embodiment of the access control policy configuration method of the present disclosure;

Fig. 4 is a schematic flowchart illustrating another embodiment of an access control policy configuration method according to the present disclosure;

Fig. 5 is a flowchart illustrating a method for configuring an access control policy according to another embodiment of the disclosure;

Fig. 6 is a diagram illustrating a tree structure of a parent resource and a child resource and the attributes set on the parent resource and the child resource;

Fig. 7 is a block diagram illustrating an embodiment of an access control policy configuration apparatus according to the present disclosure;

Fig. 8 is a block diagram of a control policy configuration module in an embodiment of an access control policy configuration apparatus according to the present disclosure;

Fig. 9 is a block diagram of another control policy configuration module in an embodiment of the access control policy configuration apparatus of the present disclosure;

Fig. 10 is a block diagram illustrating another embodiment of an access control policy configuration apparatus according to the present disclosure.

Detailed Description

Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise. It is to be understood that the described embodiments are merely illustrative of some, and not restrictive, of the embodiments of the disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.

The terms "first", "second", and the like are used hereinafter only for descriptive distinction and not for other specific meanings.

The Internet of things comprises a sensing layer, a network layer and an application layer; the sensing layer is composed of various sensors, including sensing terminals such as an infrared sensor, an electronic tag, a card reader and an inductor, and is a source for identifying objects and acquiring information of the Internet of things; the network layer consists of various networks including the Internet, a broadcast and television network, a network management system, a cloud computing platform and the like and is responsible for transmitting and processing information acquired by the sensing layer; the application layer is an interface of the Internet of things and a user, and is combined with industrial requirements to realize intelligent application of the Internet of things.

At the application layer corresponding to the M2M architecture, an Application Entity (AE) in each device and sensor provides a standardized interface to manage and interact with applications; at a service layer corresponding between an application layer and a network layer, a Common Services Entity (CSE) supports resource sharing and interoperability. In the existing access control policy configuration scheme, access control policy (access control policy) resources store access control policy content, where the access control policy for resource access includes attribute rights representing a set of access control rules, and multiple access control policy resources may be set, and each access control policy resource is provided with a corresponding identifier.

An access control policy resource may be set under a root resource, an access control policy identifier (accesscontrol policyids) attribute is set under a target resource under the root resource, an attribute value of the access control policy identifier attribute includes an identifier list of an access control policy, and the list includes at least one access control policy identifier. The target resource is connected with the access control strategy resource through the access control strategy identification attribute value.

The request for accessing the target resource needs to pass the authorization verification of the access control policy resource corresponding to one or more identifiers in the identifier list of the access control policy in the access control policy identification attribute, so that the request authorization operation can be completed. If the target resource does not have the access control strategy identification attribute, the authorization evaluation is carried out according to the access control strategy identification attribute corresponding to the parent resource access control strategy identification attribute value, or the evaluation is carried out according to the related content of the requester in the local strategy.

The existing access control strategy configuration scheme has more serious loopholes: once deployed through an active security policy, as an initiator, for example, when creating a resource, an access control policy identification attribute is sent to a receiver as one of the attributes, which means that the policy authority of the parent resource is not inherited without intervention of an application layer; and secondly, when the target resource does not have the access control strategy identification attribute value initially, inheriting the access control strategy of the parent resource, and if the access control strategy identification attribute is added separately, the target resource does not inherit the strategy authority of the parent resource. The access control policy identification attribute value is a list of identifiers of access control policies contained in the access control policy identification attribute.

The large-scale Internet of things equipment management platform has a large number of registered equipment and a large number of access interaction data. In terms of the security layer, there has been deployment of access control policies, including: the system comprises the following steps of restriction on known blacklist users, release/restriction on internal big data analysis hosts, local permission release/restriction on special organization organizations, permission deployment on regional prevention and control and the like. In the case where these security policies are deployed, the access control policy is: a top-down access control strategy is provided, and the access control authority of the superior resource is observed while the inferior resource is accessed.

The platform uses users to rank and there is a containment relationship. For example, for advanced confidentiality organizations, the users used for the management of device information are classified into different confidentiality levels, and the higher the confidentiality level, the more information can be seen. The existing access control policy configuration method is to perform independent deployment and configuration on the control access policy of the resource, that is, to configure the access control policy of each user independently.

However, the global access control policy information of the large internet of things device management platform should belong to confidential information, and the global access control policy information is access control policy information that can be used by any resource under the internet of things device management platform and should not be known by a common user; the global access control strategy information of the large Internet of things equipment management platform is large in quantity, and the user has no feasibility in obtaining; the global access control strategy information of the large-scale Internet of things equipment management platform is acquired by a user, reassembled, generated into a new access control set and deployed, and feasibility is not available for most Internet of things equipment with low computing power. The existing access control strategy configuration method can not realize the setting of the access security control strategy reflecting the intention of the user.

The resources of the present disclosure include: the common service entity (CSE), application entities (AEs) in various devices and sensors, containers, software, and the like. In one embodiment, the present disclosure provides an access control policy configuration method for a first resource, which may be, for example, a CSE. Fig. 1 is a schematic flowchart of an embodiment of the access control policy configuration method according to the present disclosure, as shown in fig. 1:

Step 101: when a second resource is created, determine whether an access control policy inheritance attribute is set for the second resource. The second resource may be an AE or the like.

Step 102: configure the access control policy of the second resource according to the determination result. The access control policy of the second resource is configured according to the access control policy inheritance attribute, that is, according to the user's indication of the inheritance relationship.

Fig. 2 is a schematic flowchart of setting an access control policy in an embodiment of an access control policy configuration method according to the present disclosure, as shown in fig. 2:

Step 201: if the access control policy inheritance attribute is set, judge, based on that attribute, whether the second resource inherits the access control policy of the parent resource that has a parent-child inheritance relationship with the second resource.

The parent-child inheritance relationship can take many forms. For example, the parent resource may be a black box installed in an automobile and the second resource a fault code recorder, a fuel consumption recorder or the like installed in the black box, which has an inheritance relationship with the black box; or the parent resource may be an indoor air conditioner and the second resource a temperature sensor, a humidity sensor or the like installed in it, which has an inheritance relationship with the air conditioner. In a tree-shaped device or resource topology diagram, the parent resource is a parent node and the second resource is a child node of that parent node.

Step 202: set the access control policy of the second resource according to the judgment result. The attribute value of the access control policy inheritance attribute indicates the access control intent of the resource request initiator and the policy configuration state of the resource, and determines whether the second resource inherits the policy permissions of its parent resource or is configured with a default access control policy.

In one embodiment, if the attribute value of the access control policy inheritance attribute is a first set value, it is determined that the second resource inherits the access control policy of the parent resource; if it is a second set value, it is determined that the second resource does not inherit the access control policy of the parent resource; and if it is a third set value, whether to inherit the access control policy of the parent resource is determined according to a preset setting rule, under which the parent's policy may or may not be inherited.

The first, second and third set values may be chosen freely; for example, the first set value is 1, the second set value is 0 and the third set value is null. When the attribute value is 1, the second access control policy identification attribute of the second resource is set according to the first access control policy identification attribute of the parent resource. When the attribute value is 0, the application layer is requested to formulate the second access control policy identification attribute. When the attribute value is null, the preset setting rule may take several forms, for example, setting the second access control policy identification attribute according to the first access control policy identification attribute of the parent resource, or requesting the application layer to formulate the second access control policy identification attribute.

In one embodiment, the value of the first access control policy identification attribute is a list of identifiers of the access control policies contained in that attribute; likewise, the values of the second and third access control policy identification attributes are the identifier lists of the access control policies they contain. Each identifier list contains the identifiers of at least one access control policy.

Fig. 3 is a schematic flowchart of setting an access control policy in another embodiment of the access control policy configuration method of the present disclosure, as shown in fig. 3:

step 301, when creating the second resource, determining whether a third access control policy identification attribute is set for the second resource.

Step 302, if a third access control policy identification attribute is set, adding the third access control policy identification attribute to the second access control policy identification attribute.

In one embodiment, when the second resource is created with an access control policy inheritance attribute value of 1 and no third access control policy identification attribute is set for it, the common service entity (CSE) copies the first access control policy identification attribute of the parent resource into the second resource as the second access control policy identification attribute of the second resource. The first access control policy identification attribute contains a list of identifiers of access control policies, with at least one identifier in the list.

If the access control policy inheritance attribute value set for the second resource is 1 and a third access control policy identification attribute is set for it (containing an identifier list with at least one access control policy identifier), the CSE copies the first access control policy identification attribute of the parent resource into the second resource and adds the third access control policy identification attribute to it, so that the second access control policy identification attribute of the second resource comprises both the first access control policy identification attribute and the third access control policy identification attribute.

When the second resource is created with an access control policy inheritance attribute value of 0 and no third access control policy identification attribute is set for it, the CSE requests the application layer to determine the access control policy identifiers and adds the identifier list determined by the application layer to the second resource as the value of its second access control policy identification attribute.

If the access control policy inheritance attribute value set for the second resource is 0 and a third access control policy identification attribute is set for it, the CSE requests the application layer to determine the access control policy identifiers, copies the identifiers decided by the application layer into the second resource and adds the third access control policy identification attribute, so that the second access control policy identification attribute of the second resource comprises the identifier list decided by the application layer and the third access control policy identification attribute.

In one embodiment, a first resource receives a resource creation message for creating a second resource; the message carries the value of the access control policy inheritance attribute, or carries that value together with a third access control policy identification attribute. The first resource sets the second access control policy identification attribute and returns a response.

Fig. 4 is a flowchart illustrating another embodiment of the access control policy configuration method of the present disclosure, as shown in fig. 4:

Step 401: the initiator sends a resource creation request to the common service entity (the hosting CSE); the request includes, among other content, the access control policy inheritance attribute.

Step 402: the hosting CSE configures the created resource according to the value of the access control policy inheritance attribute in the request: when the attribute is null, the created resource inherits the access control policy of its parent resource or takes the default access control policy; when the attribute is 1, the created resource inherits the access control policy of its parent resource; when the attribute is 0, the created resource does not inherit the access control policy of its parent resource.

Step 403: the details of the created resource are fed back to the initiator.

Fig. 5 is a flowchart illustrating a method for configuring an access control policy according to another embodiment of the present disclosure, as shown in fig. 5:

in step 501, a resource creation message for creating a second resource is received.

Step 502: determine whether the resource creation message carries an access control policy inheritance attribute. If yes, go to step 504; if no, go to step 503.

Step 503: if the access control policy inheritance attribute is not set, configure the access control policy of the second resource based on a preset policy configuration rule; the hosting CSE configures the second access control policy identification attribute value of the second resource. The preset policy configuration rule may take several forms; for example, the first access control policy identification attribute value of the parent resource is copied into the second resource as its second access control policy identification attribute value.

Step 504: judge whether the value of the access control policy inheritance attribute is 1. If so, go to step 505; otherwise, go to step 508.

When the initiator creates a new resource and wants it to inherit the access control policy information of its parent resource, it sets the attribute value of the access control policy inheritance attribute to 1. Without active defense, the attribute value is 1 and the resource creation message does not carry a third access control policy identification attribute value for the second resource. With active defense (the initiator supplies additional policies of its own), the attribute value is 1 and the resource creation message carries a third access control policy identification attribute value for the second resource.

Step 505: determine whether the creation message carries a third access control policy identification attribute value. If not, go to step 506; if so, go to step 507.

Step 506: copy the first access control policy identification attribute value of the parent resource into the newly created second resource.

Step 507: copy the first access control policy identification attribute value of the parent resource into the newly created second resource, and also copy the third access control policy identification attribute value into the newly created second resource.

Step 508: determine whether the attribute value of the access control policy inheritance attribute is 0. If so, go to step 509; otherwise, go to step 512.

When the initiator creates a new resource and does not want it to inherit the access control policy information of its parent resource, it sets the attribute value of the access control policy inheritance attribute to 0. Without active defense, the attribute value is 0 and the resource creation message does not carry a third access control policy identification attribute value for the second resource. With active defense, the attribute value is 0 and the resource creation message carries a third access control policy identification attribute value for the second resource.

Step 509: determine whether the creation message carries a third access control policy identification attribute value. If not, go to step 510; if so, go to step 511.

Step 510: copy the access control policy identification attribute value formulated by the application layer into the newly created second resource.

If the attribute value of the access control policy inheritance attribute is set to 0 and the resource creation request is accepted, the hosting CSE requests the application layer to formulate the relevant access control policy, and fills in the second access control policy identification attribute value of the second resource with it.

Step 511: copy the access control policy identification attribute value formulated by the application layer into the newly created second resource, and add the third access control policy identification attribute value carried in the creation message to the second access control policy identification attribute value of the second resource. The access control policy identification attribute value formulated by the application layer is a list of identifiers of the access control policies the application layer formulated.

Step 512: determine whether the access control policy inheritance attribute is null. If so, go to step 513.

Step 513: determine whether the creation message carries a third access control policy identification attribute value. If not, go to step 514; if so, go to step 515.

A null attribute value of the access control policy inheritance attribute represents one of two situations: 1. the initiator may be a lightweight IoT device; 2. the initiator does not know whether it should inherit the access control policy information of its parent resource. In either case, the hosting CSE sets the access control policy identification attribute value on the initiator's behalf and assigns the access control policy inheritance attribute value (1, 0 or null) of the created resource; if the access control policy identification attribute value of the newly created resource is null, the access control policy is inherited from the parent resource or the default access control policy is used.

Step 514: copy the first access control policy identification attribute value of the parent resource, or the preset access control policy identification attribute, into the newly created second resource.

Step 515: copy the first access control policy identification attribute value of the parent resource, or the preset access control policy identification attribute, into the newly created second resource, and also copy the third access control policy identification attribute value into the newly created second resource.

In one embodiment, for a second resource whose access control policy inheritance attribute value is the first set value, if access control policy identification information (for example, an identifier of an access control policy) is added to or deleted from the first access control policy identification attribute of the corresponding parent resource, the same identification information is added to or deleted from the second access control policy identification attribute of that second resource. For example, if the access control policy inheritance attribute value is set to 1 and the resource creation request is accepted, the newly created resource copies the content of the first access control policy identification attribute value of its parent resource into its own second access control policy identification attribute value. If the parent resource later changes the content of its first access control policy identification attribute value, then in the case of an addition, the added access control policy identification information is added to the second access control policy identification attribute of every child resource whose access control policy inheritance attribute value is 1, and this is applied iteratively down the tree; in the case of a deletion, the deleted identification information is removed from the second access control policy identification attribute of every child resource whose access control policy inheritance attribute value is 1, again iteratively.

As shown in fig. 6, in the resource tree, common service entity 1 (CSE 1) is the root node and is provided with access control policy identification attribute 1, whose value is identifier list 1 of the access control policies contained in that attribute; list 1 is {ACP_1, ACP_2, ACP_3}. CSE 1 has several child nodes: application entity 2, application entity 3 and application entity 5.

Application entity 2 is provided with access control policy inheritance attribute 2 and access control policy identification attribute 2; the value of inheritance attribute 2 is 1, and the value of identification attribute 2 is identifier list 2 of the access control policies contained in that attribute, which is {ACP_1, ACP_2, ACP_3}.

Application entity 3 is provided with access control policy inheritance attribute 3 and access control policy identification attribute 3; the value of inheritance attribute 3 is 1, and the value of identification attribute 3 is identifier list 3, which is {ACP_1, ACP_2, ACP_3}.

Application entity 5 is provided with access control policy inheritance attribute 5 and access control policy identification attribute 5; the value of inheritance attribute 5 is 0, and the value of identification attribute 5 is identifier list 5, which is {ACP_1, ACP_2, ACP_3}.

Application entity 3 has a child node, application entity 4. Application entity 4 is provided with access control policy inheritance attribute 4 and access control policy identification attribute 4; the value of inheritance attribute 4 is 1, and the value of identification attribute 4 is identifier list 4, which is {ACP_1, ACP_2, ACP_3}.

Suppose a suspected attacker A is crawling the IoT data. To protect the data, all resources need to be protected for the time being: an access control policy resource B for user A is created, whose content blocks every resource retrieval request initiated by A. An identifier ACP_4 for access control policy resource B is then added to access control policy identification attribute 1 of CSE 1, so that list 1 becomes {ACP_1, ACP_2, ACP_3, ACP_4}.

The access control policy identification attributes of application entities 2 and 3, and of their descendant application entity 4, all of which have an access control policy inheritance attribute value of 1, are updated by adding the identifier ACP_4 of the policy concerning A: lists 2, 3 and 4 all become {ACP_1, ACP_2, ACP_3, ACP_4}. Application entity 5, whose access control policy inheritance attribute value is 0, does not update access control policy identification attribute 5, and list 5 remains {ACP_1, ACP_2, ACP_3}. ACP_4 can still be added to list 5 manually or by other means.

If CSE 1 deletes the access control policy identifier ACP_3, list 1 becomes {ACP_1, ACP_2}. The access control policy identification attributes of application entities 2 and 3 and of their descendant application entity 4, whose access control policy inheritance attribute value is 1, are all updated by deleting ACP_3, so that lists 2, 3 and 4 all become {ACP_1, ACP_2}, while list 5 remains {ACP_1, ACP_2, ACP_3}.
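The creation rules of steps 501 to 515 and the propagation rule illustrated by the fig. 6 resource tree, as an added example that is not part of the original disclosure or of any oneM2M implementation. Every name in it (Resource, create_resource, add_acp, remove_acp, build_fig6, null_rule, the app_layer callback) is this example's own assumption, not a oneM2M attribute name or API. It generalizes the figure slightly: the third identification attribute is handled in all three branches (steps 507, 511 and 515), and the null case is parameterized by a preset rule.

```python
# Added example (not part of the original disclosure). A minimal model of the
# creation rules of steps 501-515 and the change propagation of fig. 6.
# All names below are this example's own; no oneM2M attribute name is assumed.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

# The three set values of the access control policy inheritance attribute.
INHERIT, NO_INHERIT, UNSET = 1, 0, None


@dataclass
class Resource:
    name: str
    acp_ids: list[str] = field(default_factory=list)  # policy identification attribute
    inherit: Optional[int] = UNSET                     # policy inheritance attribute
    parent: Optional[Resource] = None
    children: list[Resource] = field(default_factory=list)


def _dedup(ids: list[str]) -> list[str]:
    """Keep the first occurrence of each identifier, preserving order."""
    seen: set[str] = set()
    out: list[str] = []
    for i in ids:
        if i not in seen:
            seen.add(i)
            out.append(i)
    return out


def create_resource(parent: Resource, name: str, inherit: Optional[int] = UNSET,
                    extra_acp_ids: tuple[str, ...] = (),
                    app_layer: Optional[Callable[[str], list[str]]] = None,
                    null_rule: int = INHERIT) -> Resource:
    """Hosting-CSE side of a creation request (steps 501-515).

    inherit=1: copy the parent's list (first identification attribute).
    inherit=0: ask the application layer for the list.
    inherit=None: apply the preset rule; here null_rule decides (assumed default: inherit).
    extra_acp_ids: the third identification attribute, if the request carried it;
    it is appended in every branch (steps 507, 511 and 515).
    """
    if inherit not in (INHERIT, NO_INHERIT, UNSET):
        raise ValueError("inheritance attribute must be 1, 0 or null")
    effective = null_rule if inherit is UNSET else inherit
    if effective == INHERIT:
        base = list(parent.acp_ids)
    else:
        if app_layer is None:
            raise ValueError("inherit=0 needs the application layer to formulate a policy list")
        base = list(app_layer(name))
    child = Resource(name, _dedup(base + list(extra_acp_ids)), inherit, parent)
    parent.children.append(child)
    return child


def add_acp(res: Resource, acp_id: str) -> None:
    """Add an identifier to res, then to every descendant reachable through
    children whose inheritance attribute is 1 (the 'iterative reaction').
    A child with inherit == 0 stops the walk; its own subtree is untouched."""
    if acp_id not in res.acp_ids:
        res.acp_ids.append(acp_id)
    for child in res.children:
        if child.inherit == INHERIT:
            add_acp(child, acp_id)


def remove_acp(res: Resource, acp_id: str) -> None:
    """Mirror of add_acp for a deletion on the parent's list."""
    if acp_id in res.acp_ids:
        res.acp_ids.remove(acp_id)
    for child in res.children:
        if child.inherit == INHERIT:
            remove_acp(child, acp_id)


def build_fig6() -> dict[str, Resource]:
    """Constructed tree matching fig. 6: CSE 1 is the root with ACP_1..ACP_3;
    AE 2 and AE 3 inherit (1); AE 5 does not (0) and receives the same list
    from the application layer; AE 4 is a child of AE 3 and inherits."""
    cse1 = Resource("CSE1", ["ACP_1", "ACP_2", "ACP_3"])
    ae2 = create_resource(cse1, "AE2", INHERIT)
    ae3 = create_resource(cse1, "AE3", INHERIT)
    ae5 = create_resource(cse1, "AE5", NO_INHERIT,
                          app_layer=lambda _name: ["ACP_1", "ACP_2", "ACP_3"])
    ae4 = create_resource(ae3, "AE4", INHERIT)
    return {r.name: r for r in (cse1, ae2, ae3, ae4, ae5)}


def snapshot(tree: dict[str, Resource]) -> dict[str, list[str]]:
    """Current identifier list of every resource, keyed by name."""
    return {name: list(r.acp_ids) for name, r in tree.items()}


if __name__ == "__main__":
    tree = build_fig6()
    add_acp(tree["CSE1"], "ACP_4")     # the blocking policy for suspected attacker A
    print(snapshot(tree))              # AE2/AE3/AE4 gain ACP_4, AE5 does not
    remove_acp(tree["CSE1"], "ACP_3")
    print(snapshot(tree))              # AE2/AE3/AE4 lose ACP_3, AE5 keeps it
```

Two points worth checking in a real deployment follow directly from the walk above. First, propagation reaches only resources whose inheritance attribute is exactly 1, so a resource created with a null attribute that merely copied its parent's list (step 514) is frozen afterwards; a hosting CSE that applies the preset rule should record the resolved value (1 or 0) on the created resource rather than leave it null, or the platform-wide ACP_4 of the example will silently miss it. Second, a creator who may set the attribute to 0 can opt a subtree out of every later platform-wide policy, exactly as AE 5 does in fig. 6, so the right to set that attribute (and to supply the third identification attribute) must itself be access-controlled.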

In one embodiment, as shown in fig. 7, the present disclosure provides an access control policy configuration apparatus 80 for a first resource, including: an attribute determination module 81 and a control strategy configuration module 82. The attribute determination module 81 determines whether an access control policy inheritance attribute is set for the second resource when the second resource is created. The control policy configuration module 82 configures an access control policy for the second resource according to the determination result.

As shown in fig. 8, the control strategy configuration module 82 includes: an inheritance determination unit 821 and a policy setting unit 822. If the access control policy inheritance attribute is set, the inheritance determination unit 821 determines whether or not the second resource inherits the access control policy of the parent resource having a parent-child inheritance relationship with this second resource, based on the access control policy inheritance attribute. The policy setting unit 822 sets an access control policy of the second resource according to the judgment result.

In one embodiment, if the attribute value of the access control policy inheritance attribute is the first set value, the inheritance determination unit 821 determines that the second resource inherits the access control policy of the parent resource; if it is the second set value, the inheritance determination unit 821 determines that the second resource does not inherit the access control policy of the parent resource; and if it is the third set value, the policy setting unit 822 determines, according to a preset setting rule, whether the second resource inherits the access control policy of the parent resource.

When the attribute value is the first setting value, the policy setting unit 822 sets the second access control policy identification attribute of the second resource according to the first access control policy identification attribute of the parent resource. When the attribute value is the second set value, the policy setting unit 822 requests the application layer to formulate a second access control policy identification attribute. When the attribute value is the third setting value, the policy setting unit 822 sets a second access control policy identifier attribute according to the first access control policy identifier attribute of the parent resource, or requests the application layer to make the second access control policy identifier attribute.

The attribute determination module 81 determines whether a third access control policy identification attribute is set for the second resource when the second resource is created. If the third access control policy identification attribute is set, the policy setting unit 822 adds the third access control policy identification attribute to the second access control policy identification attribute.

As shown in fig. 9, the control policy configuration module 82 also includes a policy update module 823. For a second resource whose access control policy inheritance attribute value is the first set value, if access control policy identification information is added to or deleted from the first access control policy identification attribute of the corresponding parent resource, the policy update module 823 correspondingly adds or deletes that identification information in the second access control policy identification attribute of the second resource.

In an embodiment, the attribute determination module 81 receives a resource creation message for creating the second resource; the message carries the value of the access control policy inheritance attribute, or carries that value together with a third access control policy identification attribute. The policy setting unit 822 sets the second access control policy identification attribute and returns a response. If the access control policy inheritance attribute is not set, the policy setting unit 822 configures the access control policy of the second resource based on a preset policy configuration rule.

In one embodiment, the present disclosure provides an access control policy configuration system comprising: a first resource and a second resource, the first resource comprising an access control policy configuration means as in any of the above embodiments. The first resource may be a common service entity CSE or the like and the second resource may be an application entity AE or the like.

In one embodiment, as shown in fig. 10, an access control policy configuration apparatus is provided, which may include a memory 111 and a processor 112. The memory 111 stores instructions; the processor 112 is coupled to the memory 111 and is configured to execute, based on the stored instructions, the access control policy configuration method of any of the above embodiments. The apparatus further includes a communication interface 113 for exchanging information with other devices, and a bus 114 over which the processor 112, the communication interface 113 and the memory 111 communicate with each other.

The memory 111 may be a high-speed RAM, a non-volatile memory or the like, and may be a memory array. The memory 111 may also be partitioned, and the blocks combined into virtual volumes according to certain rules. The processor 112 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the access control policy configuration method of the present disclosure.

In one embodiment, the present disclosure provides a computer-readable storage medium storing computer instructions that, when executed by a processor, implement an access control policy configuration method as in any one of the above embodiments.

The access control policy configuration method, device, system and storage medium provided in the embodiments above can determine whether to inherit the access policy authority of the parent resource according to the inheritance attribute of the access control policy, can efficiently set and change the access control policy of the child resource, and can configure and modify the access control policy according to the indication of the inheritance relationship by the user, thereby improving the efficiency of setting and changing the access control policy for the resource and perfecting the relevant standard of the existing access control policy.

The method and system of the present disclosure may be implemented in a number of ways. For example, the methods and systems of the present disclosure may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustration only, and the steps of the method of the present disclosure are not limited to the order specifically described above unless specifically stated otherwise. Further, in some embodiments, the present disclosure may also be embodied as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present disclosure. Thus, the present disclosure also covers a recording medium storing a program for executing the method according to the present disclosure.

The description of the present disclosure has been presented for purposes of illustration and description, and is not intended to be exhaustive or to limit the disclosure to the form disclosed. Many modifications and variations will be apparent to practitioners skilled in this art. The embodiments were chosen and described in order to best explain the principles of the disclosure and its practical application, and to enable others of ordinary skill in the art to understand the disclosure in its various embodiments with the various modifications suited to the particular use contemplated.
