CN102143186A - Access control method, device and system - Google Patents


Info

Publication number
CN102143186A
Authority
CN (China)
Prior art keywords
resource information, requested, decision, mentioned, policy
Legal status
Granted
Application number
CN2011100812960A
Other languages
Chinese (zh)
Other versions
CN102143186B (en)
Inventors
张彬, 李国辉, 李岩
Current Assignee
Innotitan Intelligent Equipment Technology Tianjin Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd; priority to CN201110081296.0A; publication of CN102143186A; application granted; publication of CN102143186B; legal status: Active.

Landscapes

  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an access control system, belonging to the field of network communication. In the system, a policy enforcement point transmits a decision request to a policy decision point, in which the requested resource information is described with a subtree filter expression; the policy decision point matches the requested resource information described with the subtree filter expression against resource information described with an extensible markup language path (XPATH) expression in an access control policy, makes a decision based on the matching result to allow or refuse access to the requested resource information, and returns the decision to the policy enforcement point; the policy enforcement point then allows or refuses access to the requested resource information based on the decision returned by the policy decision point. The invention solves the problem that, in the prior art, access control cannot be carried out on an access request whose requested resource is described with a subtree filter expression. The invention also discloses an access control method and device.

Description

Access control method, apparatus and system
Technical field
The present invention relates to the field of network communication, and in particular to an access control method, apparatus and system.
Background technology
Access control is an indispensable security mechanism in network management. It is generally used to control, by means of a predefined access control policy, a user's access to items of information such as network resources (servers, directories, files).
Existing network management is based on the NETCONF (Network Configuration) protocol, and access control over the NETCONF protocol is implemented with the XACML (eXtensible Access Control Markup Language) standard. XACML is an open standard language based on XML (Extensible Markup Language).
Usually an access control policy consists of one or more access control rules. XACML abstracts a rule into several attributes (Attribute): subject (Subject), action (Action) and resource (Resource). The subject is the initiator of the access request, the action is the access operation the initiator wants to perform, and the resource is the information being requested. In addition, each rule has an effect (Effect) indicating whether access is permitted or denied. For example, for the access control rule "allow role A to read the data of interface 1", the subject information is "role A", the action information is "read", the resource information is "data of interface 1" and the effect information is "permit".
For resources, the existing XACML standard provides a mechanism for describing a resource in an access control policy with an XPATH (XML Path) expression, a mechanism for describing the requested resource in an access request with an XPATH expression, and a mechanism for performing access control by matching the two XPATH expressions.
In the course of realizing the present invention, the inventors found that the prior art has at least the following problem:
The NETCONF protocol also provides a mechanism for describing the requested resource with a subtree filter expression, but the prior-art mechanism cannot perform access control on an access request whose requested resource is described with a subtree filter expression.
Summary of the invention
In order to perform access control on access requests whose requested resource is described with a subtree filter expression, embodiments of the invention provide an access control method, apparatus and system. The technical solution is as follows:
An access control method comprises: a policy enforcement point receives a network configuration protocol (NETCONF) access request, the NETCONF access request carrying requested resource information described with a subtree filter expression; the policy enforcement point provides the requested resource information described with the subtree filter expression to a policy decision point, so that the policy decision point can match it against resource information described with an extensible markup language path (XPATH) expression in an access control policy; and the policy enforcement point permits or refuses access to the requested resource information according to the decision returned by the policy decision point.
An access control apparatus comprises: a first receiver module, configured to receive a NETCONF access request, the NETCONF access request carrying requested resource information described with a subtree filter expression; a first sending module, configured to provide the requested resource information described with the subtree filter expression to a policy decision point, so that the policy decision point can match it against resource information described with an XPATH expression in an access control policy; and a decision module, configured to permit or refuse access to the requested resource information according to the decision returned by the policy decision point.
An access control method comprises: a policy decision point receives requested resource information described with a subtree filter expression; the policy decision point matches the requested resource information described with the subtree filter expression against resource information described with an XPATH expression in an access control policy, and makes a decision according to the matching result to permit or refuse access to the requested resource information.
An access control apparatus comprises: a third receiver module, configured to receive requested resource information described with a subtree filter expression provided by a policy enforcement point; and a matching module, configured to match the requested resource information described with the subtree filter expression against resource information described with an XPATH expression in an access control policy, and to make a decision according to the matching result to permit or refuse access to the requested resource information.
An access control system comprises: a policy enforcement point, which sends a decision request to a policy decision point, the requested resource information in the decision request being described with a subtree filter expression; the policy decision point, which matches the requested resource information described with the subtree filter expression against resource information described with an XPATH expression in an access control policy, makes a decision according to the matching result to permit or refuse access to the requested resource information, and returns the decision to the policy enforcement point; and the policy enforcement point permits or refuses access to the requested resource information according to the decision returned by the policy decision point.
The beneficial effect of the technical solution provided by embodiments of the invention is that, by matching the resource information described with the subtree filter expression against the resource information described with the XPATH expression in the access control policy and making a decision to permit or deny the access request according to the matching result, access control is performed on access requests whose requested resource is described with a subtree filter expression.
Description of drawings
Fig. 1 is a schematic flow chart of the access control method provided by one embodiment of the invention;
Fig. 2 is a schematic flow chart of the access control method provided by another embodiment of the invention;
Fig. 3 is a schematic diagram of an exemplary scenario of an embodiment of the invention;
Fig. 4 is a schematic flow chart of the access control method provided by a further embodiment of the invention;
Figs. 5 to 8 are structural diagrams of the access control apparatus provided by one embodiment of the invention;
Figs. 9 to 12 are structural diagrams of the access control apparatus provided by another embodiment of the invention;
Figs. 13 and 14 are structural diagrams of the access control system provided by one embodiment of the invention.
Embodiment
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the embodiments are described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, one embodiment of the invention provides an access control method, comprising:
101: a policy enforcement point (Policy Enforcement Point, PEP) receives a NETCONF access request, the NETCONF access request carrying requested resource information described with a subtree filter expression;
102: the policy enforcement point provides the requested resource information described with the subtree filter expression to a policy decision point (Policy Decision Point, PDP), so that the policy decision point can match it against resource information described with an XPATH expression in an access control policy;
103: the policy enforcement point permits or refuses access to the requested resource information according to the decision returned by the policy decision point.
With the method provided by this embodiment, the policy enforcement point provides requested resource information described with a subtree filter expression to the policy decision point, so that the policy decision point can match it against resource information described with an XPATH expression in an access control policy and return a decision to the policy enforcement point, thereby performing access control on access requests whose requested resource is described with a subtree filter expression.
Referring to Fig. 2, another embodiment of the invention provides an access control method, comprising:
201: a policy decision point receives requested resource information described with a subtree filter expression;
202: the policy decision point matches the requested resource information described with the subtree filter expression against resource information described with an XPATH expression in an access control policy, and makes a decision according to the matching result to permit or refuse access to the requested resource information.
With the method provided by this embodiment, the resource information described with the subtree filter expression is matched against the resource information described with the XPATH expression in the access control policy, and a decision to permit or deny access is made according to the matching result, thereby performing access control on access requests whose requested resource is described with a subtree filter expression.
Optionally, in embodiments of the invention, the requested resource information described with a subtree filter expression may be, for example, as follows:
[Figure: the subtree filter expression of this example, reproduced only as an image in the original]
Here the subtree filter expression is encapsulated in a <subtree> element and expresses that the resource the access initiator requests is the content of the interface node named Ethernet0 under the interfaces node.
Optionally, in an exemplary scenario of an embodiment of the invention, shown in Fig. 3, the policy enforcement point sends a decision request to the policy decision point, the decision request carrying requested resource information described with a subtree filter expression. The policy decision point matches the requested resource information described with the subtree filter expression against resource information described with an XPATH expression in an access control policy provided in advance by a policy administration point (Policy Administration Point, PAP). For example, the policy decision point may obtain a first result set from the resource information described with the XPATH expression in the access control policy, and a second result set from the requested resource information described with the subtree filter expression; it then compares the first result set with the second result set. If they are identical, or the second result set is a subset of the first result set, the match is considered successful and a decision permitting access to the requested resource information is made; otherwise the match is considered failed and a decision refusing access to the requested resource information is made.
To describe embodiments of the invention in more detail, still taking the scenario shown in Fig. 3 as an example, an access control method provided by another embodiment of the invention is introduced with reference to Fig. 4. It specifically comprises:
401: the policy enforcement point receives a NETCONF access request sent by an access requester; the NETCONF access request carries requested resource information described with a subtree filter expression;
402: the policy enforcement point obtains the attribute values of the requested resource information according to the received NETCONF access request;
Optionally, the policy enforcement point may send an attribute query request to a policy information point (Policy Information Point, PIP), requesting at least the attribute values of the requested resource information (that is, the result the policy information point obtains by querying according to the subtree filter expression);
403: the policy enforcement point generates a decision request and sends it to the policy decision point; the decision request carries at least the attribute values of the requested resource information and the requested resource information described with the subtree filter expression;
404: the policy decision point receives the decision request sent by the policy enforcement point, queries the attribute values of the requested resource information according to the resource information described with the XPATH expression in the access control policy provided in advance by the policy administration point to obtain a first result set, and queries the attribute values of the requested resource information according to the requested resource information described with the subtree filter expression to obtain a second result set;
405: the policy decision point compares the first result set with the second result set; if they are identical, or the second result set is a subset of the first result set, 406 is performed; otherwise 407 is performed;
406: the policy decision point makes a decision permitting access to the requested resource information and returns it to the policy enforcement point;
407: the policy decision point makes a decision refusing access to the requested resource information and returns it to the policy enforcement point.
Optionally, the attribute values of the requested resource information are generally a result set, equivalent to a rough matching range. They may be encapsulated in a content element; as an example, the content element in the decision request message may be expressed as follows:
The scope of resources described by this content element comprises: the interface node named Ethernet0 under the interfaces node, whose value is 1500, and the interface node named Ethernet1 under the interfaces node, whose value is 1200.
Optionally, in 404 above, the policy decision point may query the content element according to the XPATH expression; if a string identical to the name in the XPATH expression is found, the corresponding value is the first result set. For example, if the name in the XPATH expression is Ethernet1, the first result set obtained is 1200; if it is not found, empty may be returned as the first result set.
Similarly, the policy decision point may query the content element according to the subtree filter expression; if a string identical to the name in the subtree filter expression is found, the corresponding value is the second result set. For example, if the name in the subtree filter expression is Ethernet0, the second result set obtained is 1500; if it is not found, empty may be returned as the second result set.
In embodiments of the invention, the order in which the first result set and the second result set are obtained may be exchanged, or they may be obtained at the same time in no particular order; embodiments of the invention do not specifically limit this.
Optionally, in embodiments of the invention, the decision request may also comprise subject information and action information. Besides matching the requested resource information, the policy decision point may also match other attribute information in the access request; for example, the subject information and the action information in the access request may be matched against the subject information and the action information in the access control policy respectively.
Optionally, if the subject information, action information and resource information in the request all match the subject information, action information and resource information in the access control policy, access to the requested resource information may be permitted; if at least one of the subject information, action information and resource information does not match, access to the requested resource information is refused.
With the method provided by embodiments of the invention, a decision permitting or refusing access is made by comparing the first result set with the second result set, so that access control is performed on access requests whose requested resource is described with a subtree filter expression, and the efficiency of access control is further improved.
Optionally, in embodiments of the invention, a new data type, resource attribute identifier and matching function may be defined in order to perform access control on access requests whose requested resource is described with a subtree filter expression. For example, the data type of the resource information is a subtree filter expression, which may be expressed as:
Data-Types:xacml-Netconf:data-type:subtreeExpress;
This data type represents a subtree filter expression in NETCONF.
As a further example, the resource attribute identifier of the resource information is subtree, which may be expressed as:
xacml-Netconf:resource:subtree;
This resource attribute identifier indicates the attribute of the resource and is used to specify that the resource is designated by a subtree filter expression.
As a further example, an XACML function may be defined to match the attribute information of the access request against that of the access control policy and to decide from the matching result whether the access request is permitted or refused; it may be expressed as:
xacml-Netconf:function:subtree-xpath-node-match;
This function has two parameters:
The first parameter describes the resource information in the policy; its data type is:
urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression;
The second parameter describes the resource information in the access request; its data type is:
xacml-Netconf:data-type:subtreeExpress;
The return value describes the matching result, success or failure; its data type is:
http://www.w3.org/2001/XMLSchema#boolean
This function performs the matching between a subtree filter expression and an XPATH expression. The first parameter is the set of nodes represented by the XPATH expression, generally a set, called the first result set for convenience of description; the second parameter is the set of nodes represented by the subtree filter expression, also generally a set, called the second result set for convenience of description.
When one of the following two conditions is satisfied:
1) the first result set is identical to the second result set;
2) the first result set is a subset of the second result set;
this function returns true (TRUE), representing a successful match; otherwise it returns false (FALSE), representing a failed match.
Comparing two result sets may mean comparing the nodes in the two result sets: if the identifiers of two nodes are equal, the two nodes are said to be equal; if the identifiers of two nodes are not equal, the two nodes are said to be unequal.
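As an added example, not code from the patent, the following Python carries out steps 404 to 406 of the Fig. 4 method and the subtree-xpath-node-match function just described: it derives the first result set from the policy's XPATH expression and the second from the request's subtree filter expression, both evaluated over a content element constructed from the Ethernet0/Ethernet1 description, and compares node identifiers. The XML and XPATH strings are constructed, XML namespaces are ignored, only the XPath subset understood by xml.etree.ElementTree is evaluated, and the subset test follows the direction of step 405 (second result set identical to or within the first).

```python
"""Added example (not the patent's own code): a policy decision point that
matches a NETCONF subtree filter expression against an XPATH resource
description, following steps 404 to 406 and subtree-xpath-node-match.
The XML and XPATH strings are constructed from the prose, XML namespaces
are ignored, and only ElementTree's XPath subset is evaluated."""
import xml.etree.ElementTree as ET

# Constructed content element: the attribute values of the requested resource,
# the rough matching range the policy information point returned (step 402).
CONTENT_XML = """<content>
  <interfaces>
    <interface><name>Ethernet0</name><value>1500</value></interface>
    <interface><name>Ethernet1</name><value>1200</value></interface>
  </interfaces>
</content>"""

# Constructed subtree filter carried in the access request: the interface
# named Ethernet0 under the interfaces node (the Fig. 3 scenario).
SUBTREE_REQUEST = """<subtree>
  <interfaces>
    <interface><name>Ethernet0</name></interface>
  </interfaces>
</subtree>"""

# Constructed XPATH resource descriptions as they might appear in policies.
POLICY_XPATH_ETHERNET0 = "/interfaces/interface[name='Ethernet0']"
POLICY_XPATH_ANY_INTERFACE = "/interfaces/interface"
POLICY_XPATH_ETHERNET1 = "/interfaces/interface[name='Ethernet1']"


def parent_map(root):
    """ElementTree has no parent links; build them so a node can be identified by path."""
    return {child: parent for parent in root.iter() for child in parent}


def node_id(node, parents):
    """Node identifier: the path from the root, keyed by a <name> child where present.
    Two nodes are equal exactly when their identifiers are equal."""
    parts = []
    while node is not None:
        key = node.find("name")
        parts.append(f"{node.tag}[name={key.text}]" if key is not None and key.text else node.tag)
        node = parents.get(node)
    return "/".join(reversed(parts))


def xpath_nodes(content, xpath):
    """First result set: content nodes selected by the policy XPATH.  Assumption: the
    absolute path is evaluated relative to <content>, since ElementTree only accepts
    relative expressions."""
    return content.findall(xpath.lstrip("/"))


def _apply_filter(data_parent, fnode, out):
    """Simplified RFC 6241 subtree filtering: a leaf with text is a content match node
    that must equal the data, an empty leaf is a selection node, anything else is a
    containment node; a node whose only filter children are content matches is returned whole."""
    for d in data_parent.findall(fnode.tag):
        children = list(fnode)
        if not children:                      # selection node
            out.append(d)
            continue
        matches = [c for c in children if not list(c) and (c.text or "").strip()]
        others = [c for c in children if c not in matches]
        if not all(any((dc.text or "").strip() == c.text.strip()
                       for dc in d.findall(c.tag)) for c in matches):
            continue                          # a content match node failed
        if not others:
            out.append(d)                     # only content matches: whole node
        for c in others:
            _apply_filter(d, c, out)


def subtree_nodes(content, subtree_xml):
    """Second result set: content nodes selected by the request's subtree filter."""
    out = []
    for top in ET.fromstring(subtree_xml):    # filter nodes inside <subtree>
        _apply_filter(content, top, out)
    return out


def result_sets(policy_xpath, request_subtree, content_xml):
    """Return (first, second) result sets as sets of node identifiers (step 404)."""
    content = ET.fromstring(content_xml)
    parents = parent_map(content)
    first = {node_id(n, parents) for n in xpath_nodes(content, policy_xpath)}
    second = {node_id(n, parents) for n in subtree_nodes(content, request_subtree)}
    return first, second


def subtree_xpath_node_match(policy_xpath, request_subtree, content_xml):
    """TRUE when the second result set is identical to, or a subset of, the first
    (steps 405 and 406); FALSE otherwise (step 407)."""
    first, second = result_sets(policy_xpath, request_subtree, content_xml)
    # Added fail-closed choice, not stated in the text: an empty second result set
    # is a subset of every first result set and would otherwise be permitted.
    if not second:
        return False
    return second <= first


if __name__ == "__main__":
    for xp in (POLICY_XPATH_ETHERNET0, POLICY_XPATH_ANY_INTERFACE, POLICY_XPATH_ETHERNET1):
        verdict = "Permit" if subtree_xpath_node_match(xp, SUBTREE_REQUEST, CONTENT_XML) else "Deny"
        print(f"{xp:42} -> {verdict}")
```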
Referring to Fig. 5, one embodiment of the invention provides an access control apparatus, comprising:
a first receiver module 501, configured to receive a NETCONF access request, the NETCONF access request carrying requested resource information described with a subtree filter expression;
a first sending module 502, configured to provide the requested resource information described with the subtree filter expression to a policy decision point, so that the policy decision point can match it against resource information described with an XPATH expression in an access control policy;
a decision module 503, configured to permit or refuse access to the requested resource information according to the decision returned by the policy decision point.
Optionally, as shown in Fig. 6, the apparatus may further comprise:
an acquisition module 504, configured to obtain the attribute values of the requested resource information according to the received NETCONF access request.
Optionally, as shown in Fig. 7, the first sending module 502 may comprise:
a generation unit 5021, configured to generate a decision request, the decision request carrying at least the requested resource information described with the subtree filter expression;
a transmitting unit 5022, configured to send the generated decision request to the policy decision point.
Optionally, as shown in Fig. 8, the decision module 503 may comprise:
a first decision unit 5031, configured to permit access to the requested resource information when the decision returned by the policy decision point permits access to the requested resource information;
a second decision unit 5032, configured to refuse access to the requested resource information when the decision returned by the policy decision point refuses access to the requested resource information.
The apparatus provided by this embodiment can perform any of the methods performed by the policy enforcement point in embodiments of the invention; for the detailed process see the description in the method embodiments, which is not repeated here.
With the apparatus provided by this embodiment, requested resource information described with a subtree filter expression is provided to the policy decision point, so that the policy decision point can match it against resource information described with an XPATH expression in an access control policy and return a decision to the policy enforcement point, thereby performing access control on access requests whose requested resource is described with a subtree filter expression.
Referring to Fig. 9, another embodiment of the invention provides an access control apparatus, comprising:
a third receiver module 901, configured to receive requested resource information described with a subtree filter expression provided by a policy enforcement point;
a matching module 902, configured to match the requested resource information described with the subtree filter expression against resource information described with an XPATH expression in an access control policy, and to make a decision according to the matching result to permit or refuse access to the requested resource information.
Optionally, as shown in Fig. 10, the apparatus may further comprise:
a third sending module 903, configured to send the decision made according to the matching result to the policy enforcement point.
Optionally, as shown in Fig. 11, the third receiver module 901 may comprise:
a first receiving unit 9011, configured to receive a decision request sent by the policy enforcement point, the decision request carrying requested resource information described with a subtree filter expression;
and the matching module 902 may comprise:
a first matching unit 9021, configured to obtain a first result set according to the resource information described with the XPATH expression in the access control policy, to obtain a second result set according to the requested resource information described with the subtree filter expression, and to compare the first result set with the second result set;
a first matching result unit 9022, configured to make a decision permitting access to the requested resource information when the first result set and the second result set are identical or the second result set is a subset of the first result set, and otherwise to make a decision refusing access to the requested resource information.
Optionally, as shown in Fig. 12, the third receiver module 901 may comprise:
a second receiving unit 9012, configured to receive a decision request sent by the policy enforcement point, the decision request carrying the attribute values of the requested resource information and the requested resource information described with the subtree filter expression;
and the matching module 902 may comprise:
a second matching unit 9023, configured to query the attribute values of the requested resource information according to the resource information described with the XPATH expression in the access control policy to obtain a first result set, to query the attribute values of the requested resource information according to the requested resource information described with the subtree filter expression to obtain a second result set, and to compare the first result set with the second result set;
a second matching result unit 9024, configured to make a decision permitting access to the requested resource information when the first result set and the second result set are identical or the second result set is a subset of the first result set, and otherwise to make a decision refusing access to the requested resource information.
The apparatus provided by this embodiment can perform any of the methods performed by the policy decision point in embodiments of the invention; for the detailed process see the description in the method embodiments, which is not repeated here.
With the apparatus provided by this embodiment, the resource information described with the subtree filter expression is matched against the resource information described with the XPATH expression in the access control policy, and a decision to permit or deny access is made according to the matching result, thereby performing access control on access requests whose requested resource is described with a subtree filter expression.
Referring to Figure 13, an embodiment of the invention provides an access control system, comprising:
A policy enforcement point 1301, configured to send a decision request to a policy decision point 1302, where the requested resource information in the decision request is described by a subtree filter expression; and to permit or deny access to the requested resource information according to the decision returned by the policy decision point 1302;
A policy decision point 1302, configured to match the requested resource information described by the subtree filter expression against the resource information described by an XPATH expression in the access control policy, to make a decision permitting or denying access to the requested resource information according to the matching result, and to return the decision to the policy enforcement point 1301.
Optionally, as shown in Figure 14, the system further comprises:
A policy information point 1303, configured to receive an attribute query request sent by the policy enforcement point 1301, to query the attribute values of the requested resource information according to the subtree filter expression carried in the attribute query request, and to return the attribute values of the requested resource information to the policy enforcement point;
A policy administration point 1304, configured to provide the access control policy to the policy decision point 1302 in advance, where the resource information in the policy is described by an XPATH expression.
The policy enforcement point 1301 is further configured to generate a decision request and send it to the policy decision point 1302, where the decision request carries at least the attribute values of the requested resource information and the requested resource information described by the subtree filter expression;
The policy decision point 1302 is further configured to query the attribute values of the requested resource information according to the resource information described by the XPATH expression in the access control policy provided in advance by the policy administration point 1304, obtaining a first result set; to query the attribute values of the requested resource information according to the requested resource information described by the subtree filter expression, obtaining a second result set; and to compare the first result set with the second result set: when the two are identical or the second result set is a subset of the first result set, a decision permitting access to the requested resource information is made; otherwise, a decision denying access to the requested resource information is made.
With the system provided in this embodiment, the requested resource information described by a subtree filter expression is matched against the resource information described by an XPATH expression in the access control policy, and a decision permitting or denying the access request is made according to the matching result, so that access control is achieved for access requests whose requested resource is described by a subtree filter expression.
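The exchange of Figures 13 and 14, together with the result-set comparison performed by matching units 9021/9023 and matching-result units 9022/9024 above, as an added example written for this page; it is not the patent's code and not any Huawei implementation. It assumes: an access control policy with hypothetical subject, action and resource_xpath fields; a stand-in policy information point (pip_query) that returns a constructed datastore as the attribute values; NETCONF subtree filtering implemented as a simplified subset of RFC 6241 section 6 (selection, content-match and containment nodes, with list entries keyed by a name child); the policy XPath evaluated with ElementTree's limited XPath support; and both result sets represented as sets of leaf paths, so that "identical or subset" is an ordinary set comparison.

```python
# Added example, not the patent's code: PEP/PDP flow with a NETCONF subtree filter matched against
# an XPath-described policy resource. Subtree-filter semantics are a simplified subset of RFC 6241
# section 6; the datastore, policy and RPCs are constructed sample data.
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
# Constructed datastore: stands in for the attribute values the policy information point returns.
DATASTORE_XML = """<data>
  <interfaces>
    <interface><name>eth0</name><mtu>1500</mtu><enabled>true</enabled></interface>
    <interface><name>eth1</name><mtu>9000</mtu><enabled>false</enabled></interface>
  </interfaces>
  <users><user><name>admin</name><password>hunter2</password></user></users>
</data>"""
# Constructed policy (field names are assumptions); the resource is an XPath expression that is
# evaluated here with ElementTree's limited XPath support.
POLICY = {"subject": "operator", "action": "read",
          "resource_xpath": "./interfaces/interface[name='eth0']"}

def local(tag):
    """Strip any XML namespace so filter and datastore tags compare by local name."""
    return tag.rsplit("}", 1)[-1]

def key(elem):
    """Path step for an element; list entries are keyed by a <name> child (assumed convention)."""
    name = next((c for c in elem if local(c.tag) == "name"), None)
    if name is not None and name.text and name.text.strip():
        return f"{local(elem.tag)}[{name.text.strip()}]"
    return local(elem.tag)

def index_paths(root):
    """Map id(element) -> absolute path, so both result sets become comparable sets of paths."""
    paths = {id(root): "/" + key(root)}
    for parent in root.iter():  # document order: a parent is indexed before its children
        for child in parent:
            paths[id(child)] = paths[id(parent)] + "/" + key(child)
    return paths

def leaves(node, paths):
    """Result-set representation of a subtree: its leaf nodes as 'path=value' strings."""
    return {paths[id(e)] + "=" + (e.text or "").strip() for e in node.iter() if len(e) == 0}

def subtree_select(flt, data, paths):
    """Leaf paths of `data` selected by filter element `flt` (their tags already matched). An empty
    filter leaf is a selection node, a leaf with text a content-match node, otherwise containment."""
    if len(flt) == 0:
        want = (flt.text or "").strip()
        if want and want != (data.text or "").strip():
            return set()
        return leaves(data, paths)
    selected = set()
    for fc in flt:
        want = (fc.text or "").strip()
        candidates = [dc for dc in data if local(dc.tag) == local(fc.tag)]
        if len(fc) == 0 and want:  # content match: every one in the sibling set must be satisfied
            hits = [dc for dc in candidates if (dc.text or "").strip() == want]
            if not hits:
                return set()
            for dc in hits:
                selected |= leaves(dc, paths)
        else:  # selection or containment node: evaluate against each same-named data child
            for dc in candidates:
                selected |= subtree_select(fc, dc, paths)
    if all(len(fc) == 0 and (fc.text or "").strip() for fc in flt):
        return leaves(data, paths)  # only content matches: the whole matching subtree is selected
    return selected

def pdp_decide(policy, request):
    """PDP: first result set from the policy XPath, second from the request's subtree filter, both
    over the carried attribute values; permit only if second is identical to or a subset of first."""
    if (request["subject"], request["action"]) != (policy["subject"], policy["action"]):
        return "deny"
    data = ET.fromstring(request["attributes_xml"])
    paths = index_paths(data)
    first = set().union(*(leaves(n, paths) for n in data.findall(policy["resource_xpath"])))
    second = subtree_select(ET.fromstring(request["filter_xml"]), data, paths)
    return "permit" if second <= first else "deny"

def pip_query(filter_xml):
    """Stand-in policy information point; a real one would query the datastore with the filter."""
    return DATASTORE_XML

def make_get_rpc(filter_body, message_id="101"):
    """Build a constructed NETCONF <get> RPC carrying a subtree filter."""
    return (f'<rpc message-id="{message_id}" xmlns="{NC}"><get>'
            f'<filter type="subtree">{filter_body}</filter></get></rpc>')

def pep_handle(rpc_xml, subject, policy=POLICY, pip=pip_query):
    """PEP: take the subtree filter from the NETCONF <get>, fetch attribute values from the PIP, send
    the decision request to the PDP and enforce it. Returns (decision, sorted leaf paths to return)."""
    flt = ET.fromstring(rpc_xml).find(f"./{{{NC}}}get/{{{NC}}}filter")
    if flt is None:  # no filter element: an empty selection node, i.e. the whole datastore
        flt = ET.Element("filter")
    filter_xml = ET.tostring(flt, encoding="unicode")
    request = {"subject": subject, "action": "read",
               "filter_xml": filter_xml, "attributes_xml": pip(filter_xml)}
    if pdp_decide(policy, request) != "permit":
        return "deny", []
    data = ET.fromstring(request["attributes_xml"])
    return "permit", sorted(subtree_select(ET.fromstring(filter_xml), data, index_paths(data)))
```

With this policy, a <get> whose filter names interface eth0 and asks for its mtu is permitted, while a filter for all interfaces, for the users subtree, or from a subject the policy does not name is denied. Two consequences of the comparison rule deserve a check in a real deployment. Because both result sets are computed over the attribute values, a content-match node that matches nothing yields an empty second result set, which is vacuously a subset of the first and is therefore permitted (a filter naming an interface eth9 that does not exist is permitted but returns no data); and the decision is only as current as the attribute values the policy enforcement point fetched, so a datastore change between the attribute query and enforcement is not reflected in the decision.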
All or part of the technical solutions provided by the above embodiments can be implemented by software programming, the software program being stored in a readable storage medium, for example a hard disk, optical disc or floppy disk in a computer.
The above are only preferred embodiments of the invention and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the principle of the invention shall fall within the protection scope of the invention.

Claims (20)

1. An access control method, characterized in that the method comprises:
a policy enforcement point receiving a network configuration protocol (NETCONF) access request, the NETCONF access request carrying requested resource information described by a subtree filter expression;
the policy enforcement point providing the requested resource information described by the subtree filter expression to a policy decision point, so that the policy decision point can match the requested resource information described by the subtree filter expression against resource information described by an extensible markup language path (XPATH) expression in an access control policy;
the policy enforcement point permitting or denying access to the requested resource information according to the decision returned by the policy decision point.
2. The method according to claim 1, characterized in that, before the policy enforcement point provides the requested resource information described by the subtree filter expression to the policy decision point, the method further comprises:
the policy enforcement point obtaining attribute values of the requested resource information according to the received NETCONF access request.
3. The method according to claim 2, characterized in that obtaining the attribute values of the requested resource information comprises:
the policy enforcement point sending an attribute query request to a policy information point, requesting at least the attribute values of the requested resource information, and receiving the attribute values of the requested resource information returned by the policy information point.
4. The method according to claim 2 or 3, characterized in that, after obtaining the attribute values of the requested resource information, the method further comprises:
the policy enforcement point generating a decision request, wherein the decision request carries at least the requested resource information described by the subtree filter expression;
and the policy enforcement point providing the requested resource information described by the subtree filter expression to the policy decision point is specifically: the policy enforcement point sending the generated decision request to the policy decision point.
5. The method according to any one of claims 1 to 4, characterized in that the policy enforcement point permitting or denying access to the requested resource information according to the decision returned by the policy decision point specifically comprises:
when the decision returned by the policy decision point is to permit access to the requested resource information, the policy enforcement point permitting access to the requested resource information;
when the decision returned by the policy decision point is to deny access to the requested resource information, the policy enforcement point denying access to the requested resource information.
6. An access control method, characterized in that the method comprises:
a policy decision point receiving requested resource information described by a subtree filter expression;
the policy decision point matching the requested resource information described by the subtree filter expression against resource information described by an extensible markup language path (XPATH) expression in an access control policy, and making a decision to permit or deny access to the requested resource information according to the matching result.
7. The method according to claim 6, characterized in that the method further comprises:
the policy decision point sending the decision made according to the matching result to a policy enforcement point.
8. The method according to claim 6, characterized in that the policy decision point receiving the requested resource information described by the subtree filter expression is specifically:
the policy decision point receiving a decision request sent by a policy enforcement point, the decision request carrying the requested resource information described by the subtree filter expression;
and the policy decision point matching the requested resource information described by the subtree filter expression against the resource information described by the extensible markup language path (XPATH) expression in the access control policy, and making a decision to permit or deny access to the requested resource information according to the matching result, is specifically:
obtaining a first result set from the resource information described by the XPATH expression in the access control policy; obtaining a second result set from the requested resource information described by the subtree filter expression; comparing the first result set with the second result set; if they are identical or the second result set is a subset of the first result set, treating this as a match and making a decision permitting access to the requested resource information; otherwise, treating this as no match and making a decision denying access to the requested resource information.
9. The method according to claim 6, characterized in that the policy decision point receiving the requested resource information described by the subtree filter expression is specifically:
the policy decision point receiving a decision request sent by a policy enforcement point, the decision request carrying attribute values of the requested resource information together with the requested resource information described by the subtree filter expression;
and the policy decision point matching the requested resource information described by the subtree filter expression against the resource information described by the extensible markup language path (XPATH) expression in the access control policy, and making a decision to permit or deny access to the requested resource information according to the matching result, is specifically:
querying the attribute values of the requested resource information according to the resource information described by the XPATH expression in the access control policy, obtaining a first result set; querying the attribute values of the requested resource information according to the requested resource information described by the subtree filter expression, obtaining a second result set; comparing the first result set with the second result set; if they are identical or the second result set is a subset of the first result set, treating this as a match and making a decision permitting access to the requested resource information; otherwise, treating this as no match and making a decision denying access to the requested resource information.
10. An access control apparatus, characterized in that the apparatus comprises:
a first receiving module (501), configured to receive a network configuration protocol (NETCONF) access request, the NETCONF access request carrying requested resource information described by a subtree filter expression;
a first sending module (502), configured to provide the requested resource information described by the subtree filter expression to a policy decision point, so that the policy decision point can match the requested resource information described by the subtree filter expression against resource information described by an extensible markup language path (XPATH) expression in an access control policy;
a decision module (503), configured to permit or deny access to the requested resource information according to the decision returned by the policy decision point.
11. The apparatus according to claim 10, characterized in that the apparatus further comprises:
an acquisition module (504), configured to obtain attribute values of the requested resource information according to the received NETCONF access request.
12. The apparatus according to claim 10 or 11, characterized in that the first sending module (502) comprises:
a generation unit (5021), configured to generate a decision request, wherein the decision request carries at least the requested resource information described by the subtree filter expression;
a transmitting unit (5022), configured to send the generated decision request to the policy decision point.
13. The apparatus according to any one of claims 9 to 12, characterized in that the decision module (503) comprises:
a first decision unit (5031), configured to permit access to the requested resource information when the decision returned by the policy decision point is to permit access to the requested resource information;
a second decision unit (5032), configured to deny access to the requested resource information when the decision returned by the policy decision point is to deny access to the requested resource information.
14. An access control apparatus, characterized in that the apparatus comprises:
a third receiving module (901), configured to receive requested resource information described by a subtree filter expression, provided by a policy enforcement point;
a matching module (902), configured to match the requested resource information described by the subtree filter expression against resource information described by an extensible markup language path (XPATH) expression in an access control policy, and to make a decision permitting or denying access to the requested resource information according to the matching result.
15. The apparatus according to claim 14, characterized in that the apparatus may further comprise:
a third sending module (903), configured to send the decision made according to the matching result to the policy enforcement point.
16. The apparatus according to claim 14 or 15, characterized in that the third receiving module (901) comprises:
a first receiving unit (9011), configured to receive a decision request sent by the policy enforcement point, the decision request carrying the requested resource information described by the subtree filter expression;
and the matching module (902) comprises:
a first matching unit (9021), configured to obtain a first result set from the resource information described by the XPATH expression in the access control policy, to obtain a second result set from the requested resource information described by the subtree filter expression, and to compare the first result set with the second result set;
a first matching-result unit (9022), configured to make a decision permitting access to the requested resource information when the first result set and the second result set are identical or the second result set is a subset of the first result set, and otherwise to make a decision denying access to the requested resource information.
17. The apparatus according to claim 14 or 15, characterized in that the third receiving module (901) comprises:
a second receiving unit (9012), configured to receive a decision request sent by the policy enforcement point, the decision request carrying attribute values of the requested resource information together with the requested resource information described by the subtree filter expression;
and the matching module (902) may comprise:
a second matching unit (9023), configured to query the attribute values of the requested resource information according to the resource information described by the XPATH expression in the access control policy, obtaining a first result set; to query the attribute values of the requested resource information according to the requested resource information described by the subtree filter expression, obtaining a second result set; and to compare the first result set with the second result set;
a second matching-result unit (9024), configured to make a decision permitting access to the requested resource information when the first result set and the second result set are identical or the second result set is a subset of the first result set, and otherwise to make a decision denying access to the requested resource information.
18. An access control system, characterized in that the system comprises:
a policy enforcement point (1301), configured to send a decision request to a policy decision point (1302), the requested resource information in the decision request being described by a subtree filter expression; and to permit or deny access to the requested resource information according to the decision returned by the policy decision point (1302);
a policy decision point (1302), configured to match the requested resource information described by the subtree filter expression against resource information described by an extensible markup language path (XPATH) expression in an access control policy, to make a decision permitting or denying access to the requested resource information according to the matching result, and to return the decision to the policy enforcement point (1301).
19. The system according to claim 18, characterized in that the system further comprises:
a policy information point (1303), configured to receive an attribute query request sent by the policy enforcement point (1301), to query attribute values of the requested resource information according to the subtree filter expression carried in the attribute query request, and to return the attribute values of the requested resource information to the policy enforcement point;
a policy administration point (1304), configured to provide the access control policy to the policy decision point (1302) in advance, wherein the resource information in the policy is described by an XPATH expression.
20. The system according to claim 19, characterized in that
the policy enforcement point (1301) is further configured to generate a decision request and send it to the policy decision point (1302), wherein the decision request carries at least the attribute values of the requested resource information and the requested resource information described by the subtree filter expression;
the policy decision point (1302) is further configured to query the attribute values of the requested resource information according to the resource information described by the XPATH expression in the access control policy provided in advance by the policy administration point (1304), obtaining a first result set; to query the attribute values of the requested resource information according to the requested resource information described by the subtree filter expression, obtaining a second result set; and to compare the first result set with the second result set: when the two are identical or the second result set is a subset of the first result set, making a decision permitting access to the requested resource information; otherwise, making a decision denying access to the requested resource information.
Priority Applications (1)

Application Number: CN201110081296.0A; Priority Date: 2011-04-01; Filing Date: 2011-04-01; Title: Access control method, device and system; Status: Active; granted as CN102143186B (en)

Applications Claiming Priority (1)

The same application, CN201110081296.0A (CN102143186B), priority date 2011-04-01, filing date 2011-04-01, "Access control method, device and system"

Publications (2)

Publication Number / Publication Date
CN102143186A (this publication) 2011-08-03
CN102143186B 2014-05-07

Family

ID=44410408
Family Applications (1): CN201110081296.0A, Active, CN102143186B (en), priority date 2011-04-01, filing date 2011-04-01, "Access control method, device and system"
Country Status (1): CN, CN102143186B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104079588A (en) * 2014-07-22 2014-10-01 福建星网锐捷网络有限公司 Installation method and network device for filtration table entry
CN104811465A (en) * 2014-01-27 2015-07-29 电信科学技术研究院 Decision method for access control and equipment
WO2015131717A1 (en) * 2014-10-09 2015-09-11 中兴通讯股份有限公司 Method and device for managing access control list of network device
CN106034112A (en) * 2015-03-12 2016-10-19 电信科学技术研究院 Access control, policy obtaining, attribute obtaining methods and correlated device
CN107623662A (en) * 2016-07-15 2018-01-23 阿里巴巴集团控股有限公司 The control method of access, device and system
CN116132198A (en) * 2023-04-07 2023-05-16 杭州海康威视数字技术股份有限公司 Internet of things privacy behavior sensing method and device based on lightweight context semantics

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
L. Seitz et al., "NETCONF access control profile for XACML", 5 July 2007 *
R. Enns, Ed., et al., "NETCONF Configuration Protocol", 28 February 2006 *
Yexiang Liu et al., "Fast authorization of XACML access control system on NETCONF platform", 2010 International Conference on Advanced Intelligence and Awareness Internet (AIAI 2010) *

Legal Events

Code / Title / Description
C06, PB01: Publication
C10, SE01: Entry into substantive examination (entry into force of request for substantive examination)
C14, GR01: Grant of patent or utility model (patent grant)
TR01 Transfer of patent right, effective date of registration 20211208: from HUAWEI TECHNOLOGIES Co.,Ltd. (518129 headquarters building of Bantian HUAWEI base, Longgang District, Guangdong, Shenzhen) to SUZHOU YUDESHUI ELECTRICAL TECHNOLOGY Co.,Ltd. (215010 room 704, building 5, No. 556, Changjiang Road, high tech Zone, Suzhou, Jiangsu)
TR01 Transfer of patent right, effective date of registration 20211208: from SUZHOU YUDESHUI ELECTRICAL TECHNOLOGY Co.,Ltd. (215010 room 704, building 5, No. 556, Changjiang Road, high tech Zone, Suzhou, Jiangsu) to Boxing Ruifeng New Material Co.,Ltd. (256599 Room 203, foreign trade service center, new material industrial park, Boxing County Economic Development Zone, Binzhou City, Shandong Province)
TR01 Transfer of patent right, effective date of registration 20220421: from Boxing Ruifeng New Material Co.,Ltd. (256599 Room 203, foreign trade service center, new material industrial park, Boxing County Economic Development Zone, Binzhou City, Shandong Province) to USTC TIANGONG INTELLIGENT EQUIPMENT TECHNOLOGY (TIANJIN) CO.,LTD. (300000 Building 1, block g, No. 6, Huafeng Road, Huaming high tech Industrial Zone, Dongli District, Tianjin)
EE01 Entry into force of recordation of patent licensing contract (three records; application publication date 20110803, granted publication date 20140507, denomination of invention "Access control methods, devices, and systems", assignor USTC TIANGONG INTELLIGENT EQUIPMENT TECHNOLOGY (TIANJIN) CO.,LTD., license type Common License, record date 20240326):
Assignee Yifei Xinghe (Tianjin) Intelligent Technology Co.,Ltd., contract record no. X2024980003514
Assignee TIANJIN SUNCITY TESTING CO.,LTD., contract record no. X2024980003505
Assignee Youwalker thermal technology (Tianjin) Co.,Ltd., contract record no. X2024980003504