CN101771698A - Grid visit control method based on extendible markup language security policy - Google Patents

Abstract

The invention provides a grid visit control method based on an extendible markup language security policy, which aims at solving the problems of dynamics and span of different security domains in the grid calculation visit control process. The method comprises the following methods: limiting security domains on roles; defining the role inheriting relationship between different security domains; attaching the roles of the self domain to the roles of other domains through the authorized agency service to establish the role inheriting relationship between the domains; and giving corresponding resolutions for possibly meeting role inheriting relationship conflicts. The invention carries out the extension on the basis of a standard RBAC model, and gives a role visit control model based on the context through introducing two context mechanisms: main events and object events, the model can realize the dynamic authorization process, and formally describes the concrete realization process of the role state change caused by the main events and the permission state change caused by the object events, and at the same time, the analysis on the consistency in the state conversion process shows that the model maintains the consistency in the state conversion process.

Description

Grid visit control method based on extendible markup language security policy

Technical field

The present invention is a kind of security solution of Distributed Calculation.Be mainly used in the problem that solves access control under the grid environment, belong to the Distributed Calculation technical field of software security.

Background technology

Grid computing (Grid Computing) is meant by express network the hardware, software, the information resources that are dispersed in is everywhere connected to a huge integral body, thereby make people can utilize the resource that is scattered on the geography everywhere, finish various large-scale, the complicated calculating and the task of data processing.Compare with former collaborative work (Cooperativework), Distributed Calculation notions such as (Distributed Computing), the degree of integration of grid computing is higher, use is convenient, the utilization of resource is abundant more and effective.It indicates that modern information technologies use new a, higher level is arranged.

Safety problem is one of key issue of grid computing technology, and particularly along with the commercialized development of grid with popularize, the solution of safety problem is extremely urgent especially.Purpose of the present invention is exactly to introduce the method that solves the particularly access control aspect of security strategy in the grid computing.Research to grid computing safety at present also is in the starting stage, need carry out deep research.

Extend markup language (Extensible Markup Language, XML) as the technology of carrying out exchanges data and interoperability between a kind of heterogeneous platform, be exchanges data representation the most frequently used in the grid, the safety of XML language is the basis of gridding information exchange.The encryption of traditional technology such as SSL and TSL all is at whole file, under grid environment, safe handling granularity to the XML file no longer is whole file, might just carry out ciphering signature etc., thereby be necessary to use under the grid environment some security strategies based on the XML technology at partial information in the XML document.

Access control RBAC based on the role is current popular access control model, but the same with other traditional access control model what adopt is static the mandate, do not consider residing context environmental, being applied to the dynamic is the grid computing environment of notable feature, must cause certain defective.The present invention expands on based on role access control RBAC model based, User Activity role, system activity authority, User Activity authority, main body context, the contextual notion of object have been added, and realized to solve the access control of context-sensitive under the grid environment based on contextual access control by state matrix.

Summary of the invention

Technical problem; The objective of the invention is in order to solve dynamic involved in the grid computing access control process and the problem of crossing over different security domains.The role is carried out the qualification of security domain, defined the role succession relation between the different security domains, by the devolution service role in this territory and other territories role are associated and set up role succession relation between the territory, the role succession conflict of relationships that may run into has been provided corresponding solution.

Technical scheme: the present invention expands on the standard RBAC model basis, provided based on contextual role access control (Role based AccessControl by introducing main body incident and two kinds of context mechanism of object incident, RBAC) model, this model can based on contextual information be realized dynamic licensing process, formalized description the specific implementation process of the rights state that role state changes and the object incident the causes change that causes by the main body incident, simultaneously the consistency analysis in the state conversion process is shown that this model keeps consistency in state conversion process.

Provide the several notions in this model below:

Security domain (Security Domain): individuality, tissue, department and group etc. that the inside of adding grid environment has consistent security system.

GSI (Globus Security Infrastrue): Globus foundation for security framework.

PKI (Public Key Infrastructure): public-key infrastructure.

RBAC (Role Based Access Control): based on role's access control.

XACML (Extensible Access Control Markup Language): extensible access control markup language.

XML (Extensible Markup Language): extend markup language.

Grid visit control method based on extendible markup language security policy of the present invention specifically may further comprise the steps:

1). the strategy that is provided with of configure user-role at first, the role who sets in the territory has two kinds, visitor and keeper; In the strategy file＜rule daughter element in the element＜main body coupling＜property value value be default email address, the rule of coupling adopts the name discriminant function, be used as basis for estimation with mailbox suffix name, be equipped with administrator role to the user user who presets the mailbox suffix by name;

2). the strategy of configuration role-authority, the definition administrator role has the authority of reading and writing and execution to the resource node of this network segment of resource 10.10.138.*, to resource＜resource〉10.10.138.*＜/resource〉adopt the function of subnet coupling;

3). dispose resource-based dynamic access control strategy, resource in the grid is dynamically controlled user's visit according to strategy, such as time-based resource policy with based on the access control policy of resource dynamic performance;

4). the user proposes the access resources request to service;

5). examine user profile, according to user profile and the solicited message of user capture control request transducer handle through the grid authentication system authentication, be converted to the cannonical format of extendible access control SGML, user's information is classified as＜main body element, want request accessed resources to be classified as＜resource〉element, the visit type of action to resource is classified as＜moves element;

6). according to the extendible access control markup language request after the conversion, in the extraction subscription request message＜and resource〉element, check corresponding resource access control strategy, if this resource is in upstate, then carry out next step, otherwise return＜refuse information;

7). according in the extendible access control SGML request that receives＜main body comprise in the element＜authority, which kind of role inquiring user-Role Information storehouse belongs to judge this user, and mates corresponding role to the user;

8). inquire about role-authority information storehouse again according to the role who is assigned to, give the corresponding authority of this role assignments, as read, write the authority of operation;

9). with this role's authority and request＜action of user〉contrast, the authority that user's request action belongs to this role is then mated and is qualifiedly carried out next step, and then it fails to match outside user's authority then returns＜refuse for request action〉information;

10). all by then returning corresponding final access protocal to the user, the user can do the action of appointment by this agreement to above step to requested resource.

Beneficial effect: major advantage of the present invention has following several:

(1) content has simply just added the context driving and the role has been carried out the qualification of security domain in right assignment and role assignments from the RBAC that definition is expanded as can be seen, the content that all the other definition maintain the standard, thereby guaranteed certain compatibility, also made this model be easy to realize;

(2) many granularities are controlled contextual control and are divided role's dynamic assignment and authority dynamic assignment, thus the dynamic characteristic of adaptive mess better, thus realize cross-domain access control;

(3) definition itself that is easy to extended context is dynamic, state exchange control only need be provided on interface, can add flexibly various dynamic logics for example according to the control of cpu load, according to the control of time, according to the control of user capture number, according to the control in place and according to control of Link State or the like.

Description of drawings

Fig. 1 is the component of core RBAC.

Fig. 2 is the grid access control model in the security domain.

Fig. 3 is the schematic diagram of state machine RSM.

Fig. 4 is the schematic diagram of state machine PSM.

Fig. 5 grid access control basic flow sheet.

Fig. 6 is a system flow chart of the present invention.

Fig. 7 is a Model Design flow chart of the present invention.

Embodiment

One. architecture

Fig. 1 has provided core RBAC and has defined five the most basic elements of RBAC model: user, session, role, operation, object privilege (authority).

User (User) representative, but also can be a machine, agent or other any intelligent article.

Role (Role) represents a responsibilities, the responsibilities in organization's environment.This responsibility can more related semantemes about power and responsibility.

Authority (Permission) is a permission, to the permission of executable operations on one or more objects.

Operation (Operation) is the executable reflection (image) of program, is called and carries out by the user.Operation types depends on the type of realization system.Read and write during operation that for example file system is possible, carry out etc., Database Systems then are CRUD.

Object (Object) expression resource or object, any access control mechanisms all is the resource for protection system.Object may comprise file, catalogue, and database table, OK, and field or the like, disk space even, printer, cpu cycles etc. all are resources.

Fig. 2 has provided based on contextual RBAC model, wherein: (1). authentication and authorization service: be responsible for the authorization services in the security domain in the grid computing, this service be can manage and dispose and dynamically control according to strategy.(2). context agency (Context Agent): be assigned to the role and the authority place of appointment, the state transition that their use middleware services to monitor context and produce the Event triggered state machine by authentication and authorization service.(3). role state machine (Role State Machine): be used to safeguard role's transfering state of distributing to the user, it is driven by the context agency.(4). rights state machine (Role State Machine): be used for the current role's of maintenance customer authority transfering state, it is driven by the context agency also.

Two. method flow

The present invention selects wireless mesh to be used as the description background of our concrete case.Under the wireless mesh environment, we are divided into context two classes equally: main body context (for example: user locations, user time, local resource state, Link State etc.), object context (for example: present load, upstate, connectivity).Below we control is described to main body context and object contextual access respectively by example.

(1) main body contextual access control

Example: under a wireless environment, when the user used the internal wireless safety chain to insert, distributing user role was that (authority is P1 to power user role, P2, P3), when the user uses the external wireless safety chain to insert, the role of distributing user domestic consumer (P1, P2).When the user uses outside non-safety chain to insert, distributing user visitor role (P1).

Table 4-1 and table 4-2 have provided the information explanation of role and incident in this case.Obviously we can be easy to these contents are described with a role state machine (RSM).Be the schematic diagram of a state machine shown in Fig. 4-9, wherein each node is represented a state, and an incident is represented on every limit.RS0 wherein represents illegal state, when RS0 is arrived in other diversification in role, represents that this role will be under an embargo in this time session.

Table 1 role-security table

The role	Status number	Authority
			The power user	??RS1	??P1，P2，P3
Domestic consumer	??RS2	??P1，P2
			The visitor	??RS3	??P1
Forbid the role	??RS0	Lack of competence

Table 2 event table

Incident	Case Number	Event description
			The internal security link	??SE1	Be used for inner advanced authorization
The external security link	??SE2	Be used for outside common mandate
			Outside dangerous link	??SE3	Be used for outside restriction mandate
Link disconnects	??SE4	Link occurs fault disconnects suddenly

We adopt the tactful descriptor of XML form to come wireless mesh visit is controlled, and are the Policy description example that user role shifts below.

<role's Zhuan Yi><strategy><main body sign>* * * *</main body sign><chu Shijiaose>The power user</Chu Shijiaose><shi Jian>Dangerous link</Shi Jian><final Jiao Se>The general user</final Jiao Se><//></role Zhuan Yi>

For the state variation under the main body event-driven, be at user agent, thereby only relate to the role-security transformation of a user user, its role transforming process is as follows:

TransSubRoles(role_1：ROLES，role_2：ROLES，event：SUB_EVENTS)

while((role_1，event，role_2)∈RER∧event.state＝＝activate)

session∈role_sessions(role_1)·session.state＝Execute

session.state＝Block

role_1.state＝enable

if((user role_2)

UA)

session.state＝Error

else·if(role_2

authorized_roles(session))

AddActiveRole(user，session，role_2)

role_2.state＝activate

TransSubPerms(role_1，role_2，session)

authorized_role′＝authorized_role\{role_2}∪{role_1}

activated_role′＝activated_role\{role_1}∪{role_2}

session.state＝Activate

Wherein, subfunction AddActiveRole (role_2) expression role_2 then will increase this role and be defined as not in the role set that is authorized to the time in this session for user:USERS, session:SESSIONS:

AddActiveRole(user：USERS，session：SESSIONS，role_2)

authorized_roles′(session)＝authorized_roles

\{session

authorized_roles(session)}

∪{session (session_roles(session)∪{role_2})}

authorized_prms′(session)＝authorized_prms?∪

{role_2

authorized_prms(role_2，session)}

And subfunction TransSubPerms (role_1, role_2, event) then be to carry out corresponding authority adjustment, the state that is about to authority that role_1 authorized and that be in activate is adjusted into enable, and with authority that role_2 authorized, state is that enable is adjusted into activate, adjusts authorized_prms collection and activated_prms collection at last respectively, specifically being defined as of this function:

TransSubPerms(role_1：ROLES，role_2：ROLES，session：SESSIONS)

prms∈activated_prms(role_1，session)

prms.state＝enable

prms′∈authorized_prms(role_2，session)

prms′.state＝activate

authorized_prms′＝authorized_prms\{role_2

(authorized_prms(role_2)}∪

{role_2

(authorized_prms(role_2)\{prms′}∪{prms}}

activated_prms′＝activated_prms\{role_1

(activated_prms(role_1)}∪

{role_1

(activated_prms(role_1)\{prms}∪{prms′}}

When incident cause that role state changes from state of activation to illegal state the time, promptly be equivalent to the role transforming from role_1 to role_0.Also can represent that mode realizes with this kind:

DropActiveRole(role_1：ROLES，event：EVENTS，session：SESSIONS)

while(role_1，event，role_0)∈RER ₀∧event.state＝activate

DropSubPerms(role_1，session)

role_1.state＝disable

activated_role′(session)＝activated_role\{role_1}

Subfunction DropSubPerms wherein (role_1, a state of the authority of authorizing and activating also changes illegal state into session) to represent this role:

DropSubPerms(role_1，session)

prms∈activated_prms(role_1，session)

prms.state＝disable

prms′∈authorized_prms(role_1，session)

prms′.state＝disable

authorized_prms′(session)＝authorized_prms\{prms′}

activated_prms′(session)＝activated_prms\{prms}

(2) object contextual access control

Example: only allow the user in the morning 8:00 to evening 8:00 certain resource is conducted interviews; Allow the user to be at the cpu load of resource＜resource to be conducted interviews at 80% o'clock, and＞80% allow to read resource; Readable the writing of resource can be carried out when having only session to use resource, and when having a plurality of sessions to use resource, resource then can not be write.

Table 4-3 and table 4-4 have provided the information explanation of rights state and incident in this example.We can describe these situations with rights state machine (PSM) equally.Be the schematic diagram of rights state machine shown in Fig. 4-10, wherein each node is represented a state, and an incident is represented on every limit, and PS0 represents the illegal state of this authority.

Table 3 rights state table

Authority	Status number
		Resource is readable to be write and can carry out (P1, P2, P3)	??PS1
Resource is readable to be carried out (P1, P2)	??PS2
		Resource readable (P1)	??PS3

Authority	Status number
		The inaccessible resource	??PS0

Table 4 event table

Incident	Case Number	Event description
			??8:00-20:00	??OE1	Allow resource access
All the other times	??OE2	Resource access is forbidden
			When having a plurality of sessions to use resource	??OE3	Resource is readable to be carried out
When having only a session to use resource	??OE4	Readable the writing of resource can be carried out
			The resource cpu load went up to 80% o'clock	??OE5	Resource is readable
Fell under the resource cpu load 80% o'clock	??OE6	Recover original resource access authority

We still adopt the tactful descriptor of XML form to come wireless mesh visit is controlled, and are an example of the strategy that shifts of authority below.

<authority shifts><strategy><object sign>* * * *</object sign><chu Shiquanxian>Addressable CPU</Chu Shiquanxian><shi Jian>Cpu load goes up to 80%</Shi Jian><final Quan Xian>Inaccessible CPU</final Quan Xian><//></authority shifts>

If exist certain or some incidents authority can be realized forbidding and allows between conversion then for authority from forbidding permission, we are called based on the authority activation of state machine and from allowing to forbid that we are called the passivation of authority.

For the state variation under the object event-driven, because at same system, thereby be related to all sessions of using this authority, the rights state that is caused by the object incident is converted to:

TransObjPerms(prms_1：PERMS，prms_2：PERMS，event：OBJ_EVENTS)

while((prms_1，event，prms_2)∈PEP∧event.state＝＝activate)

session∈(avail_perms_session(prms_1)·session.state＝Execute

session.state＝Block

if(prms_2∈authorized_prms(session))

prms_1.state＝enable

prms_2.state＝activate

TransObjRoles(prms_1，prms_2，session)

authorized_prms′(session)＝authorized_prms\{prms_2}∪{prms_1}

activated_prms′(session)＝activaed_prms\{prms_1}∪{prms_2}

session.state＝activate

else·session.state＝Error

Subfunction TransObjRoles (prms_1 wherein, prms_2, session) be to carry out corresponding role state adjustment, be about to authorize the role state prms_1 authority and that be in state activate and be adjusted into enable, be adjusted into activate and will authorize the role state prms_2 authority and that be in state enable, adjust authorized_roles collection and activated_roles collection at last respectively, specifically being defined as of this function (considering the role succession relation):

TransObjRoles(prms_1，prms_2，session)

role∈activated_roles(session)∧(role

prms_1)∈PA

prms：PERMS·(role

prms)∈PA∧prms.state！＝activate

role.state＝enable

if(

role′：ROLES·

prms∈activated_prms(role)∧(role′

prms)∈PA)

role′.state＝activate

role′∈authorized_roles(session)∧(role′ prms_2)∈PA

role′.state＝activate

authorized_roles′＝authorized_roles\{session

(authorized_roles(session)}∪

{session

(authorized_roles(session)\{role′}∪{role}}

activated_roles′＝activateed_roles\{session

(activated_roles(session)}∪

{session

(activated_roles(session)\{role}∪{role′}}

When authority is cancelled, promptly transfer to the PS0 state equally, corresponding conversion process is:

DropActivePerms(prms_1：PERMS，event：EVENTS，session：SESSIONS)

while((prms_1，event，prms_0)∈PEP ₀∧event.state＝＝activate)

DropObjRoles(prms_1，session)

prms_1.state＝disable

activated_prms′(session)＝activated_prms\{prms_1}

And the state of authorizing and activate the role of this authority accordingly also changes illegal state into.

DropObjRoles(prms_1，session)

role∈authorized_roles(session)∧(role

prms_1)∈PA∧

(

rms：PERMS·(role prms)∈PA∧prms.state

{activate，enable})

role.state＝disable

authorized_role′(session)＝authorized_role\{role}

activated_role′(session)＝activated_role\{role}

At this, we have considered to inherit the change of role state, and when the pairing authority of role that activates all be enable, the role who then needs to transfer under this authority by the activation authority of inheriting was activated.

The execution flow process of a complete utilization extend markup language realization grid access control as shown in Figure 7.

1). the strategy that is provided with of configure user-role at first, the role who sets in the territory has two kinds, visitor and keeper; In the strategy file＜rule daughter element in the element＜main body coupling＜property value value be default email address, the rule of coupling adopts the name discriminant function, be used as basis for estimation with mailbox suffix name, be equipped with administrator role to the user user who presets the mailbox suffix by name;

2). the strategy of configuration role-authority, the definition administrator role has the authority of reading and writing and execution to the resource node of this network segment of resource 10.10.138.*, to resource＜resource〉10.10.138.*＜/resource〉adopt the function of subnet coupling;

3). dispose resource-based dynamic access control strategy, resource in the grid is dynamically controlled user's visit according to strategy, such as time-based resource policy with based on the access control policy of resource dynamic performance;

4). the user proposes the access resources request to service;

5). examine user profile, according to user profile and the solicited message of user capture control request transducer handle through the grid authentication system authentication, be converted to the cannonical format of extendible access control SGML, user's information is classified as＜main body element, want request accessed resources to be classified as＜resource〉element, the visit type of action to resource is classified as＜moves element;

6). according to the extendible access control markup language request after the conversion, in the extraction subscription request message＜and resource〉element, check corresponding resource access control strategy, if this resource is in upstate, then carry out next step, otherwise return＜refuse information;

7). according to extendible anti-ask in the control mark language request＜main body that receives〉comprise in the element＜authority 〉, which kind of role inquiring user-Role Information storehouse belongs to judge this user, and mates corresponding role to the user;

8). inquire about role-authority information storehouse again according to the role who is assigned to, give the corresponding authority of this role assignments, as read, write the authority of operation;

9). with this role's authority and request＜action of user〉contrast, the authority that user's request action belongs to this role is then mated and is qualifiedly carried out next step, and then it fails to match outside user's authority then returns＜refuse for request action〉information;

10). all by then returning corresponding final access protocal to the user, the user can do the action of appointment by this agreement to above step to requested resource.

Claims (1)

1. grid visit control method based on extendible markup language security policy is characterized in that this method specifically may further comprise the steps:

1). the strategy that is provided with of configure user-role at first, the role who sets in the territory has two kinds, visitor and keeper; In the strategy file＜rule daughter element in the element＜main body coupling＜property value value be default email address, the rule of coupling adopts the name discriminant function, be used as basis for estimation with mailbox suffix name, be equipped with administrator role to the user user who presets the mailbox suffix by name;

2). the strategy of configuration role-authority, the definition administrator role has the authority of reading and writing and execution to the resource node of this network segment of resource 10.10.138.*, to resource＜resource〉10.10.138.*＜/resource〉adopt the function of subnet coupling;

3). dispose resource-based dynamic access control strategy, resource in the grid is dynamically controlled user's visit according to strategy, such as time-based resource policy with based on the access control policy of resource dynamic performance;

4). the user proposes the access resources request to service;

5). examine user profile, according to user profile and the solicited message of user capture control request transducer handle through the grid authentication system authentication, be converted to the cannonical format of extendible access control SGML, user's information is classified as＜main body element, want request accessed resources to be classified as＜resource〉element, the visit type of action to resource is classified as＜moves element;

6). according to the extendible anti-control mark language format request of asking after the conversion, in the extraction subscription request message＜and resource〉element, check the anti-control strategy of asking of corresponding resource, be in upstate as if this resource, then carry out next step, otherwise return＜refuse information;

7). according in the extendible access control SGML request that receives＜main body comprise in the element＜authority, which kind of role inquiring user-Role Information storehouse belongs to judge this user, and mates corresponding role to the user;

8). inquire about role-authority information storehouse again according to the role who is assigned to, give the corresponding authority of this role assignments, as read, write the authority of operation;

9). with this role's authority and request＜action of user〉contrast, the authority that user's request action belongs to this role is then mated and is qualifiedly carried out next step, and then it fails to match outside user's authority then returns＜refuse for request action〉information;

10). all by then returning corresponding final access protocal to the user, the user can do the action of appointment by this agreement to above step to requested resource.

Images