Cloud platform access control method

Document number: 190525  Publication date: 2021-11-02

Reading note: this technique, Cloud platform access control method (一种云平台访问控制方法), was designed by 马达 (Ma Da) and 孙月月 (Sun Yueyue) on 2021-06-17. Its main content: the invention relates to a cloud platform access control method comprising: extracting knowledge from structured data on the basis of a constructed knowledge base model and storing it in the knowledge base; establishing reasoning rules and reducing compound rules by logical transformation so that the rules in the rule base conform to atomic rules expressible in SWRL; implementing rule reasoning with user-defined rules and dynamic authorization by dynamic connection of triples; conflict detection and redundancy detection; and hierarchy-based automatic resolution of rule conflicts for the two rules of a conflict pair and hierarchy-based automatic resolution of rule redundancy for the two rules of a redundancy pair. The invention forms a knowledge base from structured data, grants permissions dynamically through ontology- and rule-based reasoning, and applies hierarchy-based detection and automatic resolution of rule conflicts and redundancy, giving an access control mechanism suited to cloud platforms that is extensible, dynamic and optimized in management.

1. A cloud platform access control method is characterized by comprising the following steps:

1) knowledge extraction

Extracting knowledge according to the structured data based on the established knowledge base model, and storing the extracted knowledge in a knowledge base;

2) rule preprocessing

Establishing a reasoning rule, and carrying out compound rule reduction based on logic conversion to ensure that the rule in the rule base conforms to an atomic rule expressed by the SWRL rule;

3) rule-based dynamic authorization reasoning

Rule reasoning is realized by adopting a self-defined rule mode, and dynamic authorization is realized by adopting a triple dynamic connection mode;

4) rule optimization management

Performing conflict detection on the user-defined rule in the step 3) by adopting a conflict pair analysis method based on hierarchy inheritance to obtain a conflict detection result;

performing redundancy detection on the user-defined rule in the step 3) by adopting a redundancy pair analysis method based on hierarchy inheritance to obtain a redundancy detection result;

and if the two rules meet the redundant pair or the conflict pair in the rule detection result, performing similarity calculation based on attribute atoms, performing automatic resolution of rule conflict based on hierarchy for the two rules of the conflict pair according to the similarity calculation result, and performing automatic resolution of rule redundancy based on hierarchy for the two rules of the redundancy pair.

2. The cloud platform access control method according to claim 1, wherein the method for constructing the knowledge base model in step 1) comprises:

establishing a knowledge base in a top-down mode, performing access control concept analysis, defining an access control model class and establishing a class hierarchy system, completing class attribute definition and attribute hierarchy system establishment according to the characteristic analysis of the defined class, and filling an entity according to the defined class and the attribute; wherein the attributes include data attributes and object attributes.

3. The cloud platform access control method according to claim 2, wherein the step 1) includes:

storing the relation between the entities in a TDB database in a form of a triple;

and forming an access control entity relationship network by using the extracted knowledge, and acquiring the implicit semantic relationship among the multiple entities through the connectivity of the knowledge nodes.

4. The cloud platform access control method according to claim 3, wherein the rule reduction formula in step 2) is: A ∧ B ∧ ¬C → F is equivalent to A ∧ B ∧ (C1 ∪ C2) → F, which is equivalent to the union of A ∧ B ∧ C1 → F and A ∧ B ∧ C2 → F; wherein the union of C1 and C2 is the complement of C.

5. The cloud platform access control method according to claim 4, wherein the step 3) includes:

by dynamically adding the triples, the node connectivity between the main body and the dynamic attributes is dynamically increased, and the SPARQL query language is used for carrying out query traversal operation on the knowledge base, so that the dynamic authorization reasoning based on the rules is realized.

6. The cloud platform access control method according to claim 5, wherein the conflict pair analysis based on hierarchy inheritance in step 4) includes role hierarchy conflict, object hierarchy conflict and authorization operation hierarchy conflict analysis; wherein:

the role level conflict is defined as follows: role A2 inherits from role A1, and both positive and negative authorization are inherited by forward inheritance; if role A1 performing operation C on object B is positively authorized while role A2 performing operation C on object B is negatively authorized, or if role A1 performing operation C on object B is negatively authorized while role A2 performing operation C on object B is positively authorized, the two rules conflict because of role inheritance;

the object level conflict is defined as follows: object B2 is a sub-level of object B1, with negative-direction positive authorization inheritance and positive-direction negative authorization inheritance; if role A performing operation C on object B1 is negatively authorized while role A performing operation C on object B2 is positively authorized, the two rules conflict because of the object hierarchy;

the authorization operation level conflict is defined as follows: authorization operation C2 is a subordinate operation of authorization operation C1, operation C2 processing the object more deeply, with negative-direction positive authorization inheritance and positive-direction negative authorization inheritance; if role A performing operation C1 on object B is negatively authorized while role A performing operation C2 on object B is positively authorized, the two rules conflict because of the operation hierarchy;

by analyzing the conflicts generated at these three levels, pairwise conflict pairs <A, B, C> and <A1, B1, C1> are obtained.

7. The cloud platform access control method according to claim 6, wherein the rule redundancy detection and the general redundancy detection in step 4) include:

the hierarchy-based positive authorization redundancy pair is defined as follows: given rule 1, in which role A1 performing operation C1 on object B1 is positively authorized, and rule 2, in which role A2 performing operation C2 on object B2 is positively authorized, <A, B, C> and <A1, B1, C1> are a positive authorization redundancy pair if and only if role A2 is a subordinate role of role A1, B2 is a superior object of B1 and C2 is a superior operation of C1;

the hierarchy-based negative authorization redundancy pair is defined as follows: given rule 1, in which role A1 performing operation C1 on object B1 is negatively authorized, and rule 2, in which role A2 performing operation C2 on object B2 is negatively authorized, <A, B, C> and <A1, B1, C1> are a negative authorization redundancy pair if and only if role A2 is a subordinate role of role A1, B2 is a subordinate object of B1 and C2 is a subordinate operation of C1; when the role, object and authorization operation of the two rules are the same, this is defined as general redundancy.

8. The cloud platform access control method according to claim 7, wherein the attribute atom-based similarity calculation in step 4) includes:

similarity is calculated for the attribute atoms of the two rules one by one; the calculation formula and coefficient used are the Jaccard coefficient, and the similarity quantifies the size of the intersection region of the attribute atom values of the two rules.

9. The cloud platform access control method according to claim 7, wherein the automatic resolution of the rule conflict in step 4) comprises:

for the two rules of a conflict pair <A, B, C>, <A1, B1, C1>, the attribute-atom-based similarity value between the two rules is calculated, and the two rules conflict if and only if their roles, objects and authorization operations form a conflict pair and the similarity value is not 0; for two conflicting rules, the resolution principle is to resolve the one with the higher conflict probability; the conflict probability is quantified as the similarity between the rule and the full conflict rule; the full conflict rule is the rule that applies to all cases, i.e., the value of each of its attribute atom items is the full value range.

10. The cloud platform access control method according to claim 9, wherein the rule redundancy automatic resolution in step 4) comprises:

when the attribute atom items of the two rules of a redundancy pair <A, B, C>, <A1, B1, C1> stand in a subset relation, and the constraint range of each attribute atom item likewise contains that of the subset rule, the rules are resolved;

and if the two rules meet the general redundancy condition, the attribute atom items of the two rules are analyzed; if the attribute atom items are the same and the similarity of their constraint ranges is not 0, the constraint ranges of the identical attribute atom items with non-zero similarity in the two rules are merged.

Technical Field

The invention relates to the technical field of communication, in particular to a cloud platform access control method.

Background

Cloud computing, with its on-demand service, virtualized resources and similar characteristics, has become an indispensable foundation for academia and for enterprise information construction. As cloud computing continues to develop, problems such as illegal access to resources by unauthorized users still exist, and access control is the technique for solving them. Traditional access control models such as RBAC, DAC and MAC play an important role on traditional platforms and can guarantee system security. However, a cloud platform has the following characteristics: resource attributes, user attributes, environment attributes and the like change dynamically at any time, which affects users' access to and use of data, so a dynamic access control mechanism is needed; access policies in the cloud platform contain many attribute atom items with complex implicit semantics, and fully manual control is very costly to manage, so an extensible access control mechanism is needed; and the number of subject, object and authorization operation hierarchy levels in the cloud platform is limited while attribute values are of many kinds, so detecting policy rule conflicts at run time incurs a high rule management cost, and the policy rules therefore need optimized management.

Based on the above characteristics, it is necessary to provide an access control mechanism applicable to a cloud platform.

Disclosure of Invention

The invention aims to provide a cloud platform access control method, which realizes an access control mechanism which is suitable for a cloud platform and has expandability, dynamics and optimized management through dynamic authorization reasoning based on an ontology and rules, rule conflict detection based on a hierarchy, redundancy resolution and other processing.

The invention provides a cloud platform access control method, which comprises the following steps:

1) knowledge extraction

Extracting knowledge according to the structured data based on the established knowledge base model, and storing the extracted knowledge in a knowledge base;

2) rule preprocessing

Establishing a reasoning rule, and carrying out compound rule reduction based on logic conversion to ensure that the rule in the rule base conforms to an atomic rule expressed by the SWRL rule;

3) rule-based dynamic authorization reasoning

Rule reasoning is realized by adopting a self-defined rule mode, and dynamic authorization is realized by adopting a triple dynamic connection mode;

4) rule optimization management

Performing conflict detection on the user-defined rule in the step 3) by adopting a conflict pair analysis method based on hierarchy inheritance to obtain a conflict detection result;

performing redundancy detection on the user-defined rule in the step 3) by adopting a redundancy pair analysis method based on hierarchy inheritance to obtain a redundancy detection result;

and if the two rules meet the redundant pair or the conflict pair in the rule detection result, performing similarity calculation based on attribute atoms, performing automatic resolution of rule conflict based on hierarchy for the two rules of the conflict pair according to the similarity calculation result, and performing automatic resolution of rule redundancy based on hierarchy for the two rules of the redundancy pair.

Further, the method for constructing the knowledge base model in the step 1) comprises the following steps:

establishing a knowledge base in a top-down mode, performing access control concept analysis, defining an access control model class and establishing a class hierarchy system, completing class attribute definition and attribute hierarchy system establishment according to the characteristic analysis of the defined class, and filling an entity according to the defined class and the attribute; wherein the attributes include data attributes and object attributes.

Further, the step 1) comprises:

storing the relation between the entities in a TDB database in a form of a triple;

and forming an access control entity relationship network by using the extracted knowledge, and acquiring the implicit semantic relationship among the multiple entities through the connectivity of the knowledge nodes.

Further, the rule reduction formula in step 2) is: A ∧ B ∧ ¬C → F is equivalent to A ∧ B ∧ (C1 ∪ C2) → F, which is equivalent to the union of A ∧ B ∧ C1 → F and A ∧ B ∧ C2 → F; wherein the union of C1 and C2 is the complement of C.

Further, the step 3) comprises:

by dynamically adding the triples, the node connectivity between the main body and the dynamic attributes is dynamically increased, and the SPARQL query language is used for carrying out query traversal operation on the knowledge base, so that the dynamic authorization reasoning based on the rules is realized.

Further, the conflict pair analysis based on hierarchy inheritance in step 4) comprises role hierarchy conflict, object hierarchy conflict and authorization operation hierarchy conflict analysis; wherein:

the role level conflict is defined as follows: role A2 inherits from role A1, and both positive and negative authorization are inherited by forward inheritance; if role A1 performing operation C on object B is positively authorized while role A2 performing operation C on object B is negatively authorized, or if role A1 performing operation C on object B is negatively authorized while role A2 performing operation C on object B is positively authorized, the two rules conflict because of role inheritance;

the object level conflict is defined as follows: object B2 is a sub-level of object B1, with negative-direction positive authorization inheritance and positive-direction negative authorization inheritance; if role A performing operation C on object B1 is negatively authorized while role A performing operation C on object B2 is positively authorized, the two rules conflict because of the object hierarchy;

the authorization operation level conflict is defined as follows: authorization operation C2 is a subordinate operation of authorization operation C1, operation C2 processing the object more deeply, with negative-direction positive authorization inheritance and positive-direction negative authorization inheritance; if role A performing operation C1 on object B is negatively authorized while role A performing operation C2 on object B is positively authorized, the two rules conflict because of the operation hierarchy;

by analyzing the conflicts generated at these three levels, pairwise conflict pairs <A, B, C> and <A1, B1, C1> are obtained.

Further, the rule redundancy detection and the general redundancy detection in step 4) include:

the hierarchy-based positive authorization redundancy pair is defined as follows: given rule 1, in which role A1 performing operation C1 on object B1 is positively authorized, and rule 2, in which role A2 performing operation C2 on object B2 is positively authorized, <A, B, C> and <A1, B1, C1> are a positive authorization redundancy pair if and only if role A2 is a subordinate role of role A1, B2 is a superior object of B1 and C2 is a superior operation of C1;

the hierarchy-based negative authorization redundancy pair is defined as follows: given rule 1, in which role A1 performing operation C1 on object B1 is negatively authorized, and rule 2, in which role A2 performing operation C2 on object B2 is negatively authorized, <A, B, C> and <A1, B1, C1> are a negative authorization redundancy pair if and only if role A2 is a subordinate role of role A1, B2 is a subordinate object of B1 and C2 is a subordinate operation of C1; when the role, object and authorization operation of the two rules are the same, this is defined as general redundancy.

Further, the similarity calculation based on the attribute atoms in the step 4) includes:

similarity is calculated for the attribute atoms of the two rules one by one; the calculation formula and coefficient used are the Jaccard coefficient, and the similarity quantifies the size of the intersection region of the attribute atom values of the two rules.

Further, the automatic resolution of the rule conflict in the step 4) comprises:

for the two rules of a conflict pair <A, B, C>, <A1, B1, C1>, the attribute-atom-based similarity value between the two rules is calculated, and the two rules conflict if and only if their roles, objects and authorization operations form a conflict pair and the similarity value is not 0; for two conflicting rules, the resolution principle is to resolve the one with the higher conflict probability; the conflict probability is quantified as the similarity between the rule and the full conflict rule; the full conflict rule is the rule that applies to all cases, i.e., the value of each of its attribute atom items is the full value range.

Further, the rule redundancy automatic resolution in the step 4) comprises:

when the attribute atom items of the two rules of a redundancy pair <A, B, C>, <A1, B1, C1> stand in a subset relation, and the constraint range of each attribute atom item likewise contains that of the subset rule, the rules are resolved;

and if the two rules meet the general redundancy condition, the attribute atom items of the two rules are analyzed; if the attribute atom items are the same and the similarity of their constraint ranges is not 0, the constraint ranges of the identical attribute atom items with non-zero similarity in the two rules are merged.

By means of the scheme, through the cloud platform access control method, in the access control mechanism, a knowledge base is formed through structured data, dynamic authority granting is achieved through reasoning based on the body and the rules, and the access control mechanism which is suitable for the cloud platform and has expandability, dynamics and optimized management is achieved by adopting rule conflict redundancy detection and automatic resolution processing based on the hierarchy.

The foregoing description is only an overview of the technical solutions of the present invention, and in order to make the technical solutions of the present invention more clearly understood and to implement them in accordance with the contents of the description, the following detailed description is given with reference to the preferred embodiments of the present invention and the accompanying drawings.

Drawings

FIG. 1 is an architectural diagram of the present invention;

FIG. 2 is a knowledge base modeling model of the present invention.

Detailed Description

The following detailed description of embodiments of the present invention is provided in connection with the accompanying drawings and examples. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.

Referring to fig. 1, the present embodiment provides a cloud platform access control method (mechanism), including:

1) knowledge extraction

Extracting knowledge according to the structured data based on the established knowledge base model, and storing the extracted knowledge in a knowledge base;

2) rule preprocessing

Establishing a reasoning rule, and carrying out compound rule reduction based on logic conversion to ensure that the rule in the rule base conforms to an atomic rule expressed by the SWRL rule;

3) rule-based dynamic authorization reasoning

Rule reasoning is realized by adopting a self-defined rule mode, and dynamic authorization is realized by adopting a triple dynamic connection mode;

4) rule optimization management

Performing conflict detection on the user-defined rule in the step 3) by adopting a conflict pair analysis method based on hierarchy inheritance to obtain a conflict detection result (whether conflict exists or not);

performing redundancy detection on the user-defined rule in the step 3) by adopting a redundancy pair analysis method based on hierarchy inheritance, wherein the redundancy detection comprises rule redundancy detection and general redundancy detection to obtain a redundancy detection result (whether redundancy is available or not);

and if the two rules meet the redundant pair or the conflict pair in the rule detection result, performing similarity calculation based on attribute atoms, performing automatic resolution of rule conflict based on hierarchy for the two rules of the conflict pair according to the similarity calculation result, and performing automatic resolution of rule redundancy based on hierarchy for the two rules of the redundancy pair.

In the access control mechanism, a knowledge base is formed through structured data, dynamic authority granting is realized through reasoning based on an ontology and rules, and processing such as rule conflict redundancy detection and automatic resolution based on a hierarchy is adopted, so that the access control mechanism which is suitable for a cloud platform and has expandability, dynamics and optimized management is realized.

The knowledge base in this embodiment is a structured, highly generalized, easily described, easily used and extensible group of knowledge nodes in the sense of knowledge engineering: an interconnected set of knowledge slices, stored, organized, managed and used in computer memory with one or more knowledge representation methods, for solving one or more domain problems. Here it is the set of knowledge slices holding the prior knowledge of access control.

In this embodiment, the dynamic permission grant performs inference learning based on the ontology and the rule on the knowledge, uses the data in the knowledge base as the prior knowledge, uses the ontology and the rule as the basis of inference, and outputs the dynamic permission of the subject for the dynamic operation of the object.

In this embodiment, automatic conflict and redundancy detection is as follows: the compound rules in the rule base are reduced, positive and negative inheritance between hierarchy levels is used as the prior facts, the similarity of attribute atoms between rules is used as the quantization criterion, and whether the rules conflict or are redundant is output.

In this embodiment, the automatic conflict and redundancy resolution method is as follows: for two rules that conflict or are redundant, the similarity of the rules' attribute atoms is used as the quantization criterion, the set relation between the constraint conditions of the rules' attribute atoms is used as the processing basis, and the rules after conflict or redundancy resolution are output.

The present invention is described in further detail below.

The mechanism comprises constructing an ontology model, achieving dynamic permission granting with a knowledge reasoning method, and achieving rule conflict detection and redundancy resolution with policy optimization management. It aims to extend the access control policies required by the characteristics of a cloud platform, such as dynamic attribute change, rules with many attributes, many element hierarchies and implicit rule semantics, and to overcome the limitations of resource authorization control with a traditional access control model.

As shown in fig. 1, the method comprises the steps of:

(1) Knowledge base modeling. The knowledge base is established in a top-down manner: access control concepts are analyzed, access control model classes are defined and a class hierarchy system is established; then, according to the characteristic analysis of the defined classes, the attribute definitions of the classes and the attribute hierarchy system are completed, the attributes comprising data attributes and object attributes; finally, entities are filled in according to the defined classes and attributes. In the access control ontology model, subject, role, tenant, object and dynamic attribute are used as classes; subject name, role name, tenant name, subject age, object name, geographic position, IP address, system state, object level and the like are used as data attributes, and attributes with dynamic change characteristics, such as geographic position, IP address, system state and object level, are defined as the data attributes of the dynamic attribute class. In addition, the relationships between subject and subject, subject and role, role and tenant, tenant and object, object and object, and the like are defined as object attributes, and specific subjects, roles, tenants and the like are modeled as an instance model.

(2) Knowledge extraction. The knowledge contained in the data source is extracted to form a knowledge element base, and the knowledge is stored. In order to reduce the cost for most enterprises of migrating to the access control mechanism of this patent, the knowledge source in this patent is structured data, and the acquired data is converted into a triple knowledge element library according to ontology semantic mapping rules. In order to improve data storage speed, operability, concurrency and the like, the mechanism adopts TDB as the knowledge storage database. An access control entity relationship network is formed from the extracted knowledge, and the implicit semantic relationships among the many entities are acquired through the connectivity of the knowledge nodes.

(3) Compound rule reduction based on logical transformation. A compound rule contains various complex logical combinations, such as AND, OR and NOT, which make rule reasoning, rule conflict detection and rule redundancy detection harder and more expensive. The access control mechanism of this patent therefore performs compound rule reduction based on logical transformation.

(4) The reduction formula is: A ∧ B ∧ ¬C → F is equivalent to A ∧ B ∧ (C1 ∪ C2) → F, which is equivalent to the union of A ∧ B ∧ C1 → F and A ∧ B ∧ C2 → F, wherein the union of C1 and C2 is the complement of C.
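The reduction in (4) can be carried out mechanically when the attribute atoms range over finite value domains. The following Python is an added example written for this page, not code from the patent: the domains, the attribute names and the sample rule A ∧ B ∧ ¬C → F are constructed. NOT of an atom becomes its complement within the domain, NOT of a conjunction becomes, by De Morgan's law, the disjunction C1 ∪ C2 of the complements, and distributing AND over OR then splits the compound rule into atomic rules; a brute-force check over the whole domain confirms that the atomic rules accept exactly the requests the compound rule accepts.

```python
from itertools import product

# Constructed finite value domains for the attribute atoms (an assumption of this example).
DOMAINS = {
    "role": frozenset({"student", "teacher", "admin"}),
    "tenant_state": frozenset({"leased", "expired"}),
    "weekday": frozenset({"mon", "tue", "wed", "thu", "fri", "sat", "sun"}),
    "location": frozenset({"campus", "off_campus"}),
}

# Rule conditions are nested tuples: ("ATOM", attr, values), ("NOT", x), ("AND", [...]), ("OR", [...]).
def atom(attr, values):
    return ("ATOM", attr, frozenset(values))

def NOT(x):
    return ("NOT", x)

def AND(*xs):
    return ("AND", list(xs))

def OR(*xs):
    return ("OR", list(xs))

def to_dnf(expr):
    """Rewrite a compound condition into a list of atomic conjunctions.
    Each conjunction is a dict attr -> frozenset of allowed values; the list is an OR."""
    kind = expr[0]
    if kind == "ATOM":
        return [{expr[1]: expr[2]}]
    if kind == "NOT":
        inner = expr[1]
        if inner[0] == "ATOM":                    # complement within the finite domain
            return [{inner[1]: DOMAINS[inner[1]] - inner[2]}]
        if inner[0] == "NOT":
            return to_dnf(inner[1])
        if inner[0] == "AND":                     # De Morgan: NOT(C) = C1 OR C2 ...
            return to_dnf(OR(*[NOT(x) for x in inner[1]]))
        return to_dnf(AND(*[NOT(x) for x in inner[1]]))   # inner is an OR
    if kind == "OR":                              # a disjunction splits into separate rules
        return [conj for x in expr[1] for conj in to_dnf(x)]
    if kind == "AND":                             # distribute AND over the parts' disjunctions
        out = []
        for combo in product(*(to_dnf(x) for x in expr[1])):
            merged = {}
            for conj in combo:
                for attr, vals in conj.items():
                    merged[attr] = merged.get(attr, DOMAINS[attr]) & vals
            if all(merged.values()):              # drop unsatisfiable conjunctions
                out.append(merged)
        return out
    raise ValueError(f"unknown node {kind}")

def reduce_rule(conditions, consequent):
    """Compound rule -> list of atomic (conjunction, consequent) rules."""
    return [(conj, consequent) for conj in to_dnf(conditions)]

def holds(expr, request):
    """Evaluate the compound condition directly, used to check the reduction."""
    kind = expr[0]
    if kind == "ATOM":
        return request[expr[1]] in expr[2]
    if kind == "NOT":
        return not holds(expr[1], request)
    if kind == "OR":
        return any(holds(x, request) for x in expr[1])
    return all(holds(x, request) for x in expr[1])

def matches(conj, request):
    """True when the request satisfies every atom of one atomic rule."""
    return all(request.get(attr) in vals for attr, vals in conj.items())

def equivalent_on_domain(expr, conjs):
    """True if the atomic rules accept exactly the requests the compound condition accepts."""
    attrs = sorted(DOMAINS)
    for values in product(*(sorted(DOMAINS[a]) for a in attrs)):
        request = dict(zip(attrs, values))
        if holds(expr, request) != any(matches(c, request) for c in conjs):
            return False
    return True

# Constructed compound rule A AND B AND NOT(C) -> F, where C is itself a conjunction.
A = atom("role", {"student"})
B = atom("tenant_state", {"leased"})
C = AND(atom("weekday", {"sat", "sun"}), atom("location", {"off_campus"}))
COMPOUND = AND(A, B, NOT(C))
# Two atomic rules result: C1 = weekday in mon..fri, C2 = location = campus; C1 ∪ C2 = complement of C.
ATOMIC_RULES = reduce_rule(COMPOUND, "read")
```

The two atomic rules overlap (a weekday request from campus satisfies both), which is harmless for authorization but is exactly the kind of pair that the redundancy detection of step 4) later has to consider.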

(5) Rule-based dynamic authorization reasoning. As in step 2, the relations between entities are stored in the TDB database as triples. For rule-based dynamic authorization reasoning over the knowledge base, rule reasoning is implemented with user-defined rules, and dynamic authorization is implemented by dynamic connection of triples. The access control mechanism contains elements such as subject, role, tenant and object, and the dynamic attributes of all authorization systems are generalized into attribute elements. Because the data attributes and object attributes among subject, role, tenant and object are not dynamic, when an authorization request occurs only a dynamic attribute element instance is generated for the request, its data attributes are filled, and the subject-attribute triples are connected dynamically. In addition, the access control rules need to be user-defined; for example, if the tenant domain in which the subject is located is still within its lease time and the role assigned to the subject is student, the subject has read permission on the resource every Tuesday during 22:00-8:00. At this time the knowledge base already holds the dynamic attribute data of the location where the request occurred and the triples between the subject and its attributes, so the connectivity between the subject node and the resource node can be deduced according to the user-defined rule, realizing rule-based dynamic authorization reasoning and judgment.
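As an added illustration of the triple dynamic connection described in (5), the following Python example (not part of the patent; a plain set of triples and a small pattern-matching query stand in for TDB and SPARQL) creates the dynamic attribute instance for a request, connects it to the subject, and applies the example rule (lease still running, role student, Tuesday 22:00-8:00) to derive the subject-resource connection. The ex: identifiers, the tenant data and the request times are constructed.

```python
from datetime import datetime

# Constructed static knowledge: (subject, predicate, object) triples. A Python set stands in
# for the TDB store (an assumption of this example, not the patent's storage code).
STATIC_TRIPLES = {
    ("ex:alice", "ex:hasRole", "ex:student"),
    ("ex:alice", "ex:inTenant", "ex:tenantA"),
    ("ex:tenantA", "ex:leaseEnd", "2030-12-31T00:00:00"),
    ("ex:tenantA", "ex:owns", "ex:lectureNotes"),
    ("ex:bob", "ex:hasRole", "ex:student"),
    ("ex:bob", "ex:inTenant", "ex:tenantB"),
    ("ex:tenantB", "ex:leaseEnd", "2020-01-01T00:00:00"),   # lease already expired
    ("ex:tenantB", "ex:owns", "ex:labData"),
}

def fresh_kb():
    """A new knowledge base holding only the static triples."""
    return set(STATIC_TRIPLES)

def _unify(term, value, binding):
    """Match one pattern term against one triple term; '?x' terms are variables."""
    if term.startswith("?"):
        if term in binding:
            return binding[term] == value
        binding[term] = value
        return True
    return term == value

def query(kb, pattern):
    """Stand-in for a SPARQL basic graph pattern: every binding satisfying all triple patterns."""
    bindings = [{}]
    for pat in pattern:
        extended = []
        for binding in bindings:
            for triple in kb:
                candidate = dict(binding)
                if all(_unify(p, t, candidate) for p, t in zip(pat, triple)):
                    extended.append(candidate)
        bindings = extended
    return bindings

def connect_dynamic_attributes(kb, subject, request_time_iso, ip):
    """Generate a dynamic-attribute instance for this request, fill its data attributes and
    connect the subject to it; the static subject/role/tenant triples stay untouched."""
    node = f"ex:dyn_{subject.split(':')[-1]}_{request_time_iso}"
    kb |= {
        (subject, "ex:hasDynamicAttribute", node),
        (node, "ex:requestTime", request_time_iso),
        (node, "ex:ipAddress", ip),
    }
    return node

def in_tuesday_night_window(t):
    """Tuesday 22:00 up to Wednesday 08:00, the window of the text's example rule."""
    return (t.weekday() == 1 and t.hour >= 22) or (t.weekday() == 2 and t.hour < 8)

def authorize(kb, subject, resource, request_time_iso, ip):
    """User-defined rule from the text: lease still running AND role student AND request in
    the Tuesday 22:00-08:00 window => derive (subject, ex:canRead, resource).
    Returns True when the permission triple was derived and added."""
    node = connect_dynamic_attributes(kb, subject, request_time_iso, ip)
    pattern = [
        (subject, "ex:hasRole", "ex:student"),
        (subject, "ex:inTenant", "?tenant"),
        ("?tenant", "ex:leaseEnd", "?leaseEnd"),
        ("?tenant", "ex:owns", resource),
        (subject, "ex:hasDynamicAttribute", node),   # pinned to this request's instance
        (node, "ex:requestTime", "?time"),
    ]
    for b in query(kb, pattern):
        t = datetime.fromisoformat(b["?time"])
        if t < datetime.fromisoformat(b["?leaseEnd"]) and in_tuesday_night_window(t):
            kb.add((subject, "ex:canRead", resource))   # subject node now connected to resource
            return True
    return False
```

The graph pattern is pinned to the dynamic-attribute node created for the current request, so permissions derived for earlier requests (whose attribute instances remain in the store) cannot satisfy the rule for a later one.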

(6) Hierarchy-based rule conflict detection. In step 3, conflict detection is performed on the user-defined rules so as to optimize the management of the access control policy. The implementation adopts conflict pair analysis based on hierarchy inheritance. After the reduction in step 4 the attributes of each rule are atomic items, so hierarchy-based conflict pair analysis can be performed; the access control mechanism of this patent studies conflicts caused by the following three hierarchies: role level conflicts, object level conflicts and authorization operation level conflicts. Role level conflicts are defined as follows: role A2 inherits from role A1, and positive authorization inheritance and negative authorization inheritance can be implemented with forward inheritance. If role A1 performing operation C on object B is positively authorized while role A2 performing operation C on object B is negatively authorized, or if role A1 performing operation C on object B is negatively authorized while role A2 performing operation C on object B is positively authorized, the two rules conflict because of role inheritance. Object level conflicts are defined as follows: object B2 is a sub-level of object B1, and object B2 requires finer granularity.

(7) Access control can then realize negative-direction positive authorization inheritance and positive-direction negative authorization inheritance. If role A performing operation C on object B1 is negatively authorized while role A performing operation C on object B2 is positively authorized, the two rules conflict at the object level. Authorization operation level conflicts are defined as follows: authorization operation C2 is a subordinate operation of authorization operation C1, operation C2 processes the object more deeply, and negative-direction positive authorization inheritance and positive-direction negative authorization inheritance can be realized. If role A performing operation C1 on object B is negatively authorized while role A performing operation C2 on object B is positively authorized, the two rules conflict because of the operation level. The above analyzes only conflicts caused by single-level inheritance; multi-level inheritance conflicts can be derived from the single-level inheritance conflicts. Through the study of the conflicts generated by these three levels, pairwise conflict pairs <A, B, C> and <A1, B1, C1> can be obtained.

(8) Hierarchy-based rule redundancy detection and general redundancy detection. Redundancy detection is carried out on the custom rules so as to optimize the management of the access control policy. The implementation adopts redundancy-pair analysis based on hierarchy inheritance. As with the conflict analysis, redundancy is analyzed along the three dimensions of role, object and authorized operation; the inheritance directions of the three dimensions are those stated for conflict detection and are not repeated here. The hierarchy-based positive-authorization redundancy pair is defined as follows: given rule 1, in which role A1 is positively authorized to perform operation C1 on object B1, and rule 2, in which role A2 is positively authorized to perform operation C2 on object B2, the two rules <A, B, C> and <A1, B1, C1> form a positive-authorization redundancy pair if and only if role A2 is a subordinate role of role A1, B2 is a superior object of B1 and C2 is a superior operation of C1. The hierarchy-based negative-authorization redundancy pair is defined as follows: given rule 1, in which role A1 is negatively authorized to perform operation C1 on object B1, and rule 2, in which role A2 is negatively authorized to perform operation C2 on object B2, the two rules form a negative-authorization redundancy pair if and only if role A2 is a subordinate role of role A1, B2 is a subordinate object of B1 and C2 is a subordinate operation of C1. There is a special case in which the role, object and authorized operation of the two rules are identical; this is defined as general redundancy.

(9) After two rules have been identified as a redundant pair by the analysis above, a similarity calculation based on attribute atoms is still required.

(10) Similarity calculation based on attribute atoms. The similarity calculation compares the attribute atoms of two rules one by one; the Jaccard coefficient is used as the calculation formula and coefficient, and the similarity quantifies the size of the intersection of the value ranges of each attribute atom between the two rules.

(11) Hierarchy-based automatic resolution of rule conflicts. For the two rules of a conflict pair <A, B, C> and <A1, B1, C1>, the similarity value based on attribute atoms between the two rules is calculated. The two rules conflict if and only if their roles, objects and authorized operations form a conflict pair and the similarity value is not 0. For two conflicting rules, the resolution principle is to resolve (remove) the rule with the higher conflict probability. The conflict probability is quantified by the similarity between the rule and the full conflict rule, where the full conflict rule is the rule that applies to all cases, i.e. the value of each of its attribute atom items is the full value range.

(12) Hierarchy-based automatic resolution of rule redundancy. This step also requires a judgment based on the attribute-atom similarity calculation. For the two rules of a redundant pair <A, B, C> and <A1, B1, C1>, the constraint range of each attribute atom item of the latter rule must be a subset of the constraint range of the corresponding attribute atom item of the former rule; the latter rule can then be resolved (removed). If the two rules meet the general redundancy condition, their attribute atom items are analyzed; if the attribute atom items are the same and the similarity of their constraint ranges is not 0, the constraint ranges of those attribute atom items are merged.

The overall structure of the access control mechanism for the cloud platform in this patent consists of four layers: (1) a knowledge extraction layer, mainly responsible for collecting various data, parsing the collected data, and extracting knowledge into the knowledge base according to the established knowledge ontology model; (2) a rule pre-processing layer, mainly responsible for establishing reasoning rules and reducing compound rules so that the rules in the rule base are atomic rules that can be expressed in SWRL; (3) an inference layer, which uses the SWRL rules in the rule base to infer the authorized operations between subjects and objects; (4) a rule optimization management layer, mainly responsible for optimizing the rules in the rule base, including conflict detection and redundancy detection, and resolving or merging the detected results. This layer uses the similarity of attribute atoms as its quantitative index.

In this embodiment, the data processing flow is as follows:

Step one: the knowledge base model is built with OWL so that the knowledge base can be reasoned over conveniently. The model covers subjects, roles, tenants, objects, dynamic attributes and authorized operations. A subject has the object properties userHasRole and userHasAttr, which refer to the roles assigned to the subject and the dynamic attributes of the subject respectively. A role has the object property roleHasTenant, which refers to the tenant domain the role belongs to, and the object properties rolePrior and roleNext, which represent its upper-level and lower-level roles. A tenant has the object property tentterres, which refers to the objects leased by the current tenant domain, and the data property tenttime, which refers to the time for which the tenant domain leases an object. An object has the object properties resPrior and resNext, representing its upper-level and lower-level objects, and the data properties resName and resType, representing the object name and object type. A dynamic attribute has the data properties POI_long, POI_lati, sysStatus, useRAGE, sysTime and sysWeek, representing geolocation longitude, geolocation latitude, system status, usage age of the object, system time and day of the week respectively. An authorized operation has the data property actionName, representing the name of the operation, and the object properties actPrior and actNext, representing its upper-level and lower-level operations.

Step two: knowledge is extracted from the structured data. The structured data take the form of data tables: the database tables User, Role, Tenant, Resource, Attribute and Action are created, defining the structures of subjects, roles, tenants, objects, dynamic attributes and authorized operations respectively, and the data are stored in them. A user_to_role table stores the relation between subjects and roles; a role_to_content table stores the relation between roles and tenant domains; a tent_to_res table stores the relation between tenants and objects; a user_to_attr table stores the relation between subjects and dynamic attributes. The last table is empty and only defines the structure, because the connection between a subject node and a dynamic-attribute node is made by dynamically adding and removing triples. After the tables are populated, the three databases are converted into RDF data with a conversion tool.

Step three: inference rules are constructed and compound rules are reduced based on logical transformation; the reduced rules are described in the SWRL language. Example 1: User(. Example 2: suppose a principal who already holds the lease right for a resource and is a student may write the private file resource every Tuesday except 10:00-12:00. Logical transformation yields two reduced rules: (1) a principal who already holds the lease right for the resource and is a student may write the private file resource every Tuesday at 0:00-10:00; (2) a principal who already holds the lease right for the resource and is a student may write the private file resource every Tuesday at 12:00-24:00. The SWRL rules are described as follows:

rule 3-1:

User(?u) ^ userHasRole(?u, ?r) ^ roleName(?r, 'Student') ^ userHasTenResource(?u, ?re) ^ resName(?re, 'PrivateFile') ^ userHasAttr(?u, ?attr) ^ sysTime(?attr, ?systime) ^ swrlb:lessThan(?systime, 1000) ^ swrlb:greaterThan(?systime, 0000) ^ week(?attr, 'Tuesday') ^ Action(?act) ^ actionName(?act, 'WRITE') -> permit(?u, ?re)

rule 3-2:

User(?u) ^ userHasRole(?u, ?r) ^ roleName(?r, 'Student') ^ userHasTenResource(?u, ?re) ^ resName(?re, 'PrivateFile') ^ userHasAttr(?u, ?attr) ^ sysTime(?attr, ?systime) ^ swrlb:lessThan(?systime, 2400) ^ swrlb:greaterThan(?systime, 1200) ^ week(?attr, 'Tuesday') ^ Action(?act) ^ actionName(?act, 'WRITE') -> permit(?u, ?re)

Step four: by dynamically adding triples, node connectivity between the subject and its dynamic attributes is created on demand, and the SPARQL query language is used to query and traverse the knowledge base, so that rule-based dynamic authorization reasoning can be realized. Example of dynamically added triples: </user/1, userHasAttr, /attr/1>, </attr/1, sysTime, 0900>, </attr/1, week, 'Tuesday'>. Authorization reasoning can now be performed from the knowledge base and the rules: the inference satisfies rule 3-1 (sysTime 0900 lies within 0000-1000), and writing the resource is permitted.
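The reduction of step three and the dynamic authorization of step four, as an added example that is not the patent's code: a minimal SWRL-style conjunctive rule evaluator over an RDF-like triple store. The composite "every Tuesday except 10:00-12:00" rule is reduced to two atomic time ranges, and the dynamic-attribute triples are connected before the decision and removed after it. Property names follow the rules quoted on the page; the triple store, the builtins, the rule encoding and the sample data are assumptions constructed here.

```python
"""Added example (not the patent's code): SWRL-style rules over a triple store.
Property names (userHasRole, roleName, userHasTenResource, resName, userHasAttr,
sysTime, week, Action, actionName) follow the page; everything else is assumed."""


def is_var(term):
    return isinstance(term, str) and term.startswith("?")


def unify(term, value, binding):
    """Extend `binding` so that `term` equals `value`, or return None on clash."""
    if is_var(term):
        if term in binding:
            return binding if binding[term] == value else None
        return {**binding, term: value}
    return binding if term == value else None


# swrlb builtins used by the page's rules; times are HHMM integers as on the page.
BUILTINS = {
    "swrlb:lessThan": lambda a, b: a < b,
    "swrlb:greaterThan": lambda a, b: a > b,
}


def match(kb, atoms, binding=None):
    """Yield every binding satisfying the conjunction (backtracking join).
    Atoms: ("class", C, ?x) = (?x, rdf:type, C); ("prop", p, ?s, ?o) = (?s, p, ?o);
    ("builtin", op, a, b) evaluates BUILTINS[op] on the bound values."""
    binding = {} if binding is None else binding
    if not atoms:
        yield binding
        return
    head, rest = atoms[0], atoms[1:]
    if head[0] == "builtin":
        _, op, a, b = head
        av = binding[a] if is_var(a) else a
        bv = binding[b] if is_var(b) else b
        if BUILTINS[op](av, bv):
            yield from match(kb, rest, binding)
        return
    if head[0] == "class":
        s, p, o = head[2], "rdf:type", head[1]
    else:
        _, p, s, o = head
    for ts, tp, to in kb:
        if tp != p:
            continue
        b1 = unify(s, ts, binding)
        b2 = unify(o, to, b1) if b1 is not None else None
        if b2 is not None:
            yield from match(kb, rest, b2)


def reduce_except(window, excluded):
    """Composite rule reduction: 'window except excluded' -> atomic (lo, hi) ranges."""
    (lo, hi), (xlo, xhi) = window, excluded
    return [r for r in [(lo, xlo), (xhi, hi)] if r[0] < r[1]]


def student_write_rule(name, lo, hi):
    """Body and head of the page's rule 3-x template for one atomic time range."""
    body = [
        ("class", "User", "?u"), ("prop", "userHasRole", "?u", "?r"),
        ("prop", "roleName", "?r", "Student"),
        ("prop", "userHasTenResource", "?u", "?re"), ("prop", "resName", "?re", "PrivateFile"),
        ("prop", "userHasAttr", "?u", "?attr"), ("prop", "sysTime", "?attr", "?systime"),
        ("builtin", "swrlb:lessThan", "?systime", hi),
        ("builtin", "swrlb:greaterThan", "?systime", lo),
        ("prop", "week", "?attr", "Tuesday"),
        ("class", "Action", "?act"), ("prop", "actionName", "?act", "WRITE"),
    ]
    return name, body, ("permit", "?u", "?re")


# Rules 3-1 and 3-2 derived from "every Tuesday except 10:00-12:00" (assumed day window 0000-2400).
RULES = [student_write_rule(f"rule 3-{i}", lo, hi)
         for i, (lo, hi) in enumerate(reduce_except((0, 2400), (1000, 1200)), start=1)]


def permitting_rules(kb, user, resource, rules=RULES):
    """Names of the rules whose head derives permit(user, resource) from `kb`."""
    fired = set()
    for name, body, (_, u, re) in rules:
        for b in match(kb, body):
            if b[u] == user and b[re] == resource:
                fired.add(name)
    return fired


# Constructed static knowledge (what the RDF conversion of the tables would produce).
STATIC_KB = {
    ("/user/1", "rdf:type", "User"), ("/user/1", "userHasRole", "/role/1"),
    ("/role/1", "roleName", "Student"),
    ("/user/1", "userHasTenResource", "/res/1"), ("/res/1", "resName", "PrivateFile"),
    ("/action/1", "rdf:type", "Action"), ("/action/1", "actionName", "WRITE"),
}


def authorize_at(systime, weekday, user="/user/1", resource="/res/1"):
    """Step four: connect the dynamic attributes by triples, infer, then disconnect."""
    kb = set(STATIC_KB)
    dynamic = {(user, "userHasAttr", "/attr/1"),
               ("/attr/1", "sysTime", systime), ("/attr/1", "week", weekday)}
    kb |= dynamic                      # dynamic connection of the attribute node
    fired = permitting_rules(kb, user, resource)
    kb -= dynamic                      # triples removed once the decision is made
    return fired


if __name__ == "__main__":
    print(authorize_at(900, "Tuesday"), authorize_at(1100, "Tuesday"))
```

With the page's triples (sysTime 0900, Tuesday) only rule 3-1 fires; at 1100 neither fires and at 1300 only rule 3-2 does. Two properties of the page's rules become visible when they are executed: the builtins are strict, so exactly 0000 and 1000 are excluded from rule 3-1 and the boundary minute 1000-1200 splits both ways; and Action(?act) ^ actionName(?act, 'WRITE') only requires that a WRITE action exists somewhere in the knowledge base, because the head permit(?u, ?re) does not mention the operation, so a deployment should carry the requested operation into the head (or bind ?act to the request) before relying on these rules.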

Step five: to optimally manage the rule base, conflict detection needs to be performed on the rules in the rule base. Three rules are given here, illustrated from three dimensions of role, object, and authorization operations, respectively, as follows:

rule 5-1:

User (. This rule states that the principal already holds the lease right for the resource and is an undergraduate, who is denied a request to write the private file resource at 1:00-10:00 every Tuesday. Since Undergraduates is a subordinate role of Student and the role hierarchy inherits positive authorization forward, this rule and rule 3-1 conflict because of the role hierarchy. The conflict pair is <Student, PrivateFile, WRITE>, <Undergraduates, PrivateFile, WRITE>.

Rule 5-2:

User (. This rule states that the principal already holds the lease right for the resource and is a student, who is denied a request to write the common file resource at 0:00-10:00 every Tuesday. Since the common file is an upper-level object of the private file and the object hierarchy inherits negative authorization forward, this rule and rule 3-1 conflict because of the object hierarchy. The conflict pair is <Student, PrivateFile, WRITE>, <Student, CommonFile, WRITE>.

Rule 5-3:

User (. This rule states that the principal already holds the lease right for the resource and is a student, who is denied a request to read the private file resource at 0:00-10:00 every Tuesday. Since the read request is an upper-level operation of the write request and the operation hierarchy inherits negative authorization forward, this rule and rule 3-1 conflict because of the operation hierarchy. The conflict pair is <Student, PrivateFile, WRITE>, <Student, PrivateFile, READ>.

Step six: Hierarchy-based rule redundancy detection

To optimally manage the rule base, redundancy detection must also be performed on the rules in the rule base. Three rules are given here, illustrating the three dimensions of role, object and authorized operation respectively, followed by an example of general redundancy:

rule 6-1:

User (. This rule states that the principal already holds the lease right for the resource and is an undergraduate, who is permitted to write the private file resource at 1:00-10:00 every Tuesday. Since Undergraduates is a subordinate role of Student and the role hierarchy inherits positive authorization forward, this rule and rule 3-1 are redundant because of the role hierarchy. The redundant pair is <Student, PrivateFile, WRITE>, <Undergraduates, PrivateFile, WRITE>.

Rule 6-2:

User (. This rule states that the principal already holds the lease right for the resource and is a student, who is permitted to write the common file resource at 0:00-10:00 every Tuesday. Since the common file is an upper-level object of the private file and the object hierarchy inherits positive authorization backward (upward), this rule and rule 3-1 are redundant because of the object hierarchy. The redundant pair is <Student, PrivateFile, WRITE>, <Student, CommonFile, WRITE>.

Rule 6-3:

User (. This rule states that the principal already holds the lease right for the resource and is a student, who is permitted to read the private file resource at 0:00-10:00 every Tuesday. Since the read request is an upper-level operation of the write request and the operation hierarchy inherits positive authorization backward (upward), this rule and rule 3-1 are redundant because of the operation hierarchy. The redundant pair is <Student, PrivateFile, WRITE>, <Student, PrivateFile, READ>.

Rule 6-4:

User (. The role, object and authorized operation of this rule are the same as those of rule 3-1, so the two rules satisfy the general redundancy condition.

Step seven: similarity calculation based on attribute atoms

Once two rules form a redundant pair or a conflict pair, the similarity calculation based on attribute atoms can be performed. This step is quantified using rule 3-1 and rule 5-1 as the example. Rule 3-1 and rule 5-1 form a conflict pair because of the role hierarchy; the attributes of the two rules are split into atomic items for the similarity calculation. The atomic items obtained are sysTime and week, and the similarity of each is calculated separately with the Jaccard coefficient.

step eight: hierarchy-based automatic resolution of rule conflicts

For two conflicting rules such as rule 3-1 and rule 5-1, automatic resolution is carried out; the resolution principle is to resolve the rule with the higher conflict probability. The value range of each attribute atom item in the full conflict rule of the two rules is the full range: {0000-2400} for sysTime and every day of the week for week. The similarity between rule 3-1 and the full conflict rule is 0.059, and the similarity between rule 5-1 and the full conflict rule is 0.053, so rule 3-1 is resolved.

Step nine: hierarchy-based automatic resolution of rule redundancy

Two rules with hierarchy-based redundancy, such as rule 3-1 and rule 6-1, are resolved automatically. The former's sysTime constraint is 0000-1000 and the latter's is 0100-1000, a subset of the former; the week constraint of both is 'Tuesday'. The latter rule can therefore be resolved. Two rules with general redundancy, such as rule 3-1 and rule 6-4, are merged automatically. The former's sysTime constraint is 0000-1000 and the latter's overlaps it, so the similarity of the two constraints is not 0; the week constraint of both is 'Tuesday'. The two sysTime constraints are merged into their union, and the week constraint remains 'Tuesday'.
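Steps five to nine together, as an added example that is not the patent's code: the three hierarchy-based conflict pairs, the positive/negative redundancy pairs and general redundancy, the attribute-atom similarity, and the two resolution rules. The single-parent hierarchies, the Rule encoding, rule 6-4's time range (the page does not give it) and the choice of combining the per-atom Jaccard values by product are assumptions; the product form is used because it reproduces the page's figures of 0.059 and 0.053 when sysTime is measured as a fraction of the day and week as a fraction of the seven days.

```python
"""Added example (not the patent's code): hierarchy-based conflict/redundancy pairs,
Jaccard similarity on attribute atoms and automatic resolution. Hierarchies, Rule
encoding, rule 6-4's range and the product combination are assumptions."""
from collections import namedtuple


def t(hhmm):  # HHMM as printed on the page -> minutes since midnight
    return hhmm // 100 * 60 + hhmm % 100


# positive: True = positive authorization; sys_time: half-open (lo, hi) in minutes
Rule = namedtuple("Rule", "name role obj op positive sys_time week")
DAYS = frozenset(["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"])
TUE = frozenset(["Tuesday"])
# Hierarchies as child -> parent maps (assumed single inheritance; READ is above WRITE on the page).
ROLE_PARENT = {"Undergraduates": "Student"}
OBJ_PARENT = {"PrivateFile": "CommonFile"}
OP_PARENT = {"WRITE": "READ"}


def below(child, parent, tree):
    """True when child is strictly subordinate to parent (multi-level chains included)."""
    node = tree.get(child)
    while node is not None and node != parent:
        node = tree.get(node)
    return node is not None


def at_or_below(x, y, tree):
    return x == y or below(x, y, tree)


def conflict_level(r1, r2):
    """Hierarchy at which two opposite-sign rules form a conflict pair, else None."""
    if r1.positive == r2.positive:
        return None
    neg, pos = (r1, r2) if not r1.positive else (r2, r1)
    # Role hierarchy inherits both signs downward: any ancestor/descendant pair clashes.
    if (neg.obj, neg.op) == (pos.obj, pos.op) and (
            below(neg.role, pos.role, ROLE_PARENT) or below(pos.role, neg.role, ROLE_PARENT)):
        return "role"
    # Object and operation hierarchies: negative flows down, positive flows up.
    if (neg.role, neg.op) == (pos.role, pos.op) and below(pos.obj, neg.obj, OBJ_PARENT):
        return "object"
    if (neg.role, neg.obj) == (pos.role, pos.obj) and below(pos.op, neg.op, OP_PARENT):
        return "operation"
    return None


def redundancy_kind(former, latter):
    """'general' for identical <role, object, op>; 'hierarchy' when former implies latter."""
    if former.positive != latter.positive:
        return None
    if (former.role, former.obj, former.op) == (latter.role, latter.obj, latter.op):
        return "general"
    roles = at_or_below(latter.role, former.role, ROLE_PARENT)
    if former.positive:  # positive: latter's object/operation at or above former's
        objs, ops = at_or_below(former.obj, latter.obj, OBJ_PARENT), at_or_below(former.op, latter.op, OP_PARENT)
    else:                # negative: latter's object/operation at or below former's
        objs, ops = at_or_below(latter.obj, former.obj, OBJ_PARENT), at_or_below(latter.op, former.op, OP_PARENT)
    return "hierarchy" if roles and objs and ops else None


def interval_jaccard(a, b):
    inter = max(0, min(a[1], b[1]) - max(a[0], b[0]))
    union = (a[1] - a[0]) + (b[1] - b[0]) - inter
    return inter / union if union else 0.0


def similarity(r1, r2):
    """Attribute-atom similarity: Jaccard per atom (sysTime, week), combined by product."""
    week = len(r1.week & r2.week) / len(r1.week | r2.week)
    return interval_jaccard(r1.sys_time, r2.sys_time) * week


FULL_CONFLICT = Rule("full", "*", "*", "*", True, (0, t(2400)), DAYS)


def resolve_conflict(r1, r2):
    """Rule to resolve (drop): the one more similar to the full-conflict rule."""
    if conflict_level(r1, r2) is None or similarity(r1, r2) == 0:
        return None
    return r1 if similarity(r1, FULL_CONFLICT) >= similarity(r2, FULL_CONFLICT) else r2


def resolve_redundancy(former, latter):
    """('drop', latter) for hierarchy redundancy; ('merge', rule) for general redundancy."""
    kind = redundancy_kind(former, latter)
    inside = (former.sys_time[0] <= latter.sys_time[0] and latter.sys_time[1] <= former.sys_time[1]
              and latter.week <= former.week)
    if kind == "hierarchy" and inside:
        return ("drop", latter)
    # Merge only when the week atoms coincide: widening week and time together would
    # grant (day, time) combinations that neither rule allowed.
    if (kind == "general" and former.week == latter.week
            and interval_jaccard(former.sys_time, latter.sys_time) > 0):
        merged = (min(former.sys_time[0], latter.sys_time[0]), max(former.sys_time[1], latter.sys_time[1]))
        return ("merge", Rule(former.name + "+" + latter.name, former.role, former.obj,
                              former.op, former.positive, merged, former.week))
    return None


def rule(name, role, obj, op, positive, lo, hi):  # the page's rules, all on Tuesday
    return Rule(name, role, obj, op, positive, (t(lo), t(hi)), TUE)


R31 = rule("3-1", "Student", "PrivateFile", "WRITE", True, 0, 1000)
R51 = rule("5-1", "Undergraduates", "PrivateFile", "WRITE", False, 100, 1000)
R52 = rule("5-2", "Student", "CommonFile", "WRITE", False, 0, 1000)
R53 = rule("5-3", "Student", "PrivateFile", "READ", False, 0, 1000)
R61 = rule("6-1", "Undergraduates", "PrivateFile", "WRITE", True, 100, 1000)
R62 = rule("6-2", "Student", "CommonFile", "WRITE", True, 0, 1000)
R63 = rule("6-3", "Student", "PrivateFile", "READ", True, 0, 1000)
R64 = rule("6-4", "Student", "PrivateFile", "WRITE", True, 800, 1400)  # range assumed
```

similarity(R31, FULL_CONFLICT) evaluates to 10/24 x 1/7 = 0.0595 and similarity(R51, FULL_CONFLICT) to 9/24 x 1/7 = 0.0536, so resolve_conflict(R31, R51) returns rule 3-1, matching the page; note that the principle drops the broader permit and keeps the deny here, but it would equally drop a broader deny in favour of a narrower permit, so a deployment should review resolutions before applying them. resolve_redundancy(R31, R61) drops rule 6-1 because its 0100-1000 range lies inside 0000-1000, and the general-redundancy merge of 3-1 with 6-4 yields a single 0000-1400 rule; merging is deliberately refused when the week atoms differ, because a union taken atom by atom would widen the policy.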

The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, it should be noted that, for those skilled in the art, many modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.
