Embodiment
To make the objectives, technical solutions and advantages of the embodiments of the invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, an embodiment of the present invention provides an access control method, which comprises:
101: A policy enforcement point (PEP) receives a NETCONF access request, the NETCONF access request carrying requested resource information described with a subtree filter expression;
102: The PEP provides the requested resource information described with the subtree filter expression to a policy decision point (PDP), so that the PDP can match the requested resource information described with the subtree filter expression against the resource information described with an XPath expression in an access control policy;
103: According to the decision returned by the PDP, the PEP allows access to the requested resource information or denies access to the requested resource information.
With the method provided by this embodiment, the PEP provides the requested resource information described with a subtree filter expression to the PDP, so that the PDP can match it against the resource information described with an XPath expression in the access control policy and return a decision to the PEP, thereby achieving access control over access requests in which the resource is described with a subtree filter expression.
Referring to Fig. 2, another embodiment of the present invention provides an access control method, which comprises:
201: A PDP receives requested resource information described with a subtree filter expression;
202: The PDP matches the requested resource information described with the subtree filter expression against the resource information described with an XPath expression in an access control policy, and according to the matching result makes a decision to allow access to the requested resource information or to deny access to the requested resource information.
With the method provided by this embodiment, the requested resource information described with a subtree filter expression is matched against the resource information described with an XPath expression in the access control policy, and a decision to allow or deny access is made according to the matching result, thereby achieving access control over access requests in which the resource is described with a subtree filter expression.
Optionally, in the embodiments of the invention, the requested resource information described with a subtree filter expression may be as exemplified below:
Here, the subtree filter expression is encapsulated in a <subtree> element, and the resource that the access initiator requests is the content of the interface node named Ethernet0 under the interfaces node.
Optionally, in an exemplary scenario of the embodiment of the invention, as shown in Fig. 3, the PEP may send a decision request to the PDP, the decision request carrying the requested resource information described with a subtree filter expression. The PDP matches the requested resource information described with the subtree filter expression against the resource information described with an XPath expression in an access control policy provided in advance by a policy administration point (PAP). For example, the PDP may obtain a first result set according to the resource information described with the XPath expression in the access control policy, and obtain a second result set according to the requested resource information described with the subtree filter expression; the PDP then compares the first result set with the second result set. If they are identical, or the second result set is a subset of the first result set, the match succeeds and a decision to allow access to the requested resource information is made; otherwise the match fails and a decision to deny access to the requested resource information is made.
To introduce the embodiments of the invention in more detail, still taking the scenario shown in Fig. 3 as an example, an access control method provided by another embodiment of the present invention is introduced. Referring to Fig. 4, the method specifically comprises:
401: The PEP receives a NETCONF access request sent by an access requester; the NETCONF access request carries requested resource information described with a subtree filter expression;
402: The PEP obtains the attribute values of the requested resource information according to the received NETCONF access request;
Optionally, the PEP may send an attribute query request to a policy information point (PIP) to request at least the attribute values of the requested resource information (that is, the result of the PIP querying according to the subtree filter expression);
403: The PEP generates a decision request and sends it to the PDP; the decision request carries at least the attribute values of the requested resource information and the requested resource information described with the subtree filter expression;
404: The PDP receives the decision request sent by the PEP, queries the attribute values of the requested resource information according to the resource information described with the XPath expression in the access control policy provided in advance by the PAP to obtain a first result set, and queries the attribute values of the requested resource information according to the requested resource information described with the subtree filter expression to obtain a second result set;
405: The PDP compares the first result set with the second result set; if they are identical, or the second result set is a subset of the first result set, step 406 is performed; otherwise, step 407 is performed;
406: The PDP makes a decision to allow access to the requested resource information and returns it to the PEP;
407: The PDP makes a decision to deny access to the requested resource information and returns it to the PEP.
Optionally, the attribute values of the requested resource information generally form a result set, equivalent to a coarse matching range. The attribute values of the requested resource information may be encapsulated in a content element; exemplarily, the content element in the decision request message may be expressed as follows:
The resource scope described by this content element comprises: the interface node named Ethernet0 under the interfaces node, with value 1500; and the interface node named Ethernet1 under the interfaces node, with value 1200.
Optionally, in step 404, the PDP may query the content element according to the XPath expression; if a string identical to the name in the XPath expression is found, its corresponding value is the first result set. For example, if the name in the XPath expression is Ethernet1, the first result set obtained is 1200; if no such string is found, an empty set may be returned as the first result set.
Similarly, the PDP may query the content element according to the subtree filter expression; if a string identical to the name in the subtree filter expression is found, its corresponding value is the second result set. For example, if the name in the subtree filter expression is Ethernet0, the second result set obtained is 1500; if no such string is found, an empty set may be returned as the second result set.
In the embodiments of the present invention, the order in which the first result set and the second result set are obtained may be exchanged, or they may be obtained simultaneously in no particular order; the embodiments of the invention do not specifically limit this.
Optionally, in the embodiments of the invention, the decision request may further comprise subject information and action information. In addition to matching the requested resource information, the PDP may also match other attribute information in the access request; for example, the subject information and the action information in the access request may be matched against the subject information and the action information in the access control policy, respectively.
Optionally, if the subject information, action information and resource information in the request all match the subject information, action information and resource information in the access control policy, access to the requested resource information may be allowed; if at least one of the subject information, action information and resource information does not match, access to the requested resource information is denied.
With the method provided by the embodiments of the invention, a decision to allow or deny access is made by comparing the first result set with the second result set, thereby achieving access control over access requests in which the resource is described with a subtree filter expression, and further improving the efficiency of access control.
Optionally, in the embodiments of the present invention, in order to achieve access control over access requests in which the resource is described with a subtree filter expression, a new data type, resource attribute identifier and matching function may be defined. For example, the data type of the resource information is a subtree filter expression, which may be expressed as:
Data-Types:xacml-Netconf:data-type:subtreeExpress;
This data type is used to represent a subtree filter expression in NETCONF.
For another example, the resource attribute identifier of the resource information is subtree, which may be expressed as:
xacml-Netconf:resource:subtree;
This resource attribute identifier indicates an attribute of the resource, namely that the resource is specified by a subtree filter expression.
For another example, an XACML function may be defined for matching the attribute information of the access request against the access control policy and deciding, from the matching result, whether the access request is allowed or denied. It may be expressed as:
xacml-Netconf:function:subtree-xpath-node-match;
This function takes two parameters:
The first parameter describes the resource information in the policy; its data type is:
urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression;
The second parameter describes the resource information in the access request; its data type is:
xacml-Netconf:data-type:subtreeExpress;
The return value describes the matching result, success or failure; its data type is:
http://www.w3.org/2001/XMLSchema#boolean
This function implements the matching between a subtree filter expression and an XPath expression. The first parameter is the set of nodes represented by the XPath expression, generally a set, called the first result set for convenience of description; the second parameter is the set of nodes represented by the subtree filter expression, also usually a set, called the second result set for convenience of description.
When either of the following two conditions is satisfied:
1) the first result set is identical to the second result set;
2) the second result set is a subset of the first result set;
the function returns TRUE, representing a successful match; otherwise it returns FALSE, representing a failed match.
Comparing the two result sets may mean comparing the nodes in the two result sets: if the identifiers of two nodes are equal, the two nodes are said to be equal; if the identifiers of two nodes are not equal, the two nodes are said to be unequal.
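As an added worked example, not code from the patent, the following Python script carries out the evaluation described in steps 404 to 407 and the subtree-xpath-node-match function defined above, over a constructed content element modelled on the interfaces example in the text (Ethernet0 with value 1500, Ethernet1 with value 1200). The subtree filter carried in the NETCONF request is evaluated with a simplified form of the RFC 6241 section 6 rules (content-match, selection and containment nodes); the policy side uses the XPath subset that Python's ElementTree understands. The node identifier used for comparison, the path of element names with the <name> list key, is an assumption, as the text does not fix a representation; the subject and action matching of the decision request is folded in so that Permit requires all three to match. The policy and request values, including the second filter that selects the whole interfaces container, are constructed for the example.

```python
"""Toy PDP for subtree-xpath-node-match (added example, not the patent's code).
Assumptions: the content element is plain XML without namespaces, the policy
XPath uses the ElementTree subset, and a node's identifier is its element path
plus the <name> list key."""
import xml.etree.ElementTree as ET

# Constructed content element (attribute values of the requested resource, step 402).
CONTENT_XML = """<content>
  <interfaces>
    <interface><name>Ethernet0</name><mtu>1500</mtu></interface>
    <interface><name>Ethernet1</name><mtu>1200</mtu></interface>
  </interfaces>
</content>"""

# Constructed subtree filters from the NETCONF request (second parameter):
# one selects the interface named Ethernet0, the other the whole interfaces container.
REQUEST_SUBTREE = """<subtree>
  <interfaces>
    <interface><name>Ethernet0</name></interface>
  </interfaces>
</subtree>"""
REQUEST_SUBTREE_ALL = "<subtree><interfaces/></subtree>"

# Constructed policy-side XPath expressions (first parameter).
POLICY_XPATH_ETH0 = "./interfaces/interface[name='Ethernet0']"
POLICY_XPATH_ETH1 = "./interfaces/interface[name='Ethernet1']"
POLICY_XPATH_ANY = "./interfaces/interface"


def _text(el):
    return (el.text or "").strip()


def _parents(root):
    """Child -> parent map; ElementTree keeps no parent pointers."""
    return {child: parent for parent in root.iter() for child in parent}


def node_id(el, parents):
    """Identifier compared across result sets: path from the content root, with
    the <name> child as list key where present (assumed representation)."""
    parts = []
    while el in parents:                      # stops at the <content> root
        key = el.find("name")
        parts.append(el.tag + (f"[name={_text(key)}]" if key is not None else ""))
        el = parents[el]
    return "/" + "/".join(reversed(parts))


def apply_subtree_filter(filter_el, data_el):
    """Simplified RFC 6241 section 6 subtree filtering. Returns the selected data
    elements: an empty filter leaf is a selection node (whole subtree), a leaf
    with text is a content-match node that some sibling must equal, and a node
    with children is a containment node that is descended into."""
    selected = []
    for f in filter_el:
        content_matches = [c for c in f if len(c) == 0 and _text(c)]
        descend = any(not (len(c) == 0 and _text(c)) for c in f)
        for d in data_el:
            if d.tag != f.tag:
                continue
            if len(f) == 0:
                if not _text(f):                  # selection node
                    selected.append(d)
                continue                          # content-match nodes are checked by the parent
            if not all(any(s.tag == c.tag and _text(s) == _text(c) for s in d)
                       for c in content_matches):
                continue                          # a content match failed: d is not selected
            if descend:
                selected.extend(apply_subtree_filter(f, d))
            else:
                selected.append(d)                # only content matches: whole node selected
    return selected


def subtree_xpath_node_match(first, second):
    """xacml-Netconf:function:subtree-xpath-node-match: TRUE when the result sets
    are identical or the request-side set is a subset of the policy-side set."""
    first, second = frozenset(first), frozenset(second)
    return first == second or second <= first


def match_resource(policy_xpath, subtree_xml, content_xml=CONTENT_XML):
    """Steps 404 and 405: build both result sets from the content element and
    compare them. Returns (first_result_set, second_result_set, matched)."""
    root = ET.fromstring(content_xml)
    parents = _parents(root)
    first = {node_id(e, parents) for e in root.findall(policy_xpath)}
    second = {node_id(e, parents)
              for e in apply_subtree_filter(ET.fromstring(subtree_xml), root)}
    return first, second, subtree_xpath_node_match(first, second)


def evaluate(policy, request, content_xml=CONTENT_XML):
    """Steps 404 to 407 with the subject/action matching: Permit only when the
    subject, the action and the resource all match the policy."""
    if request["subject"] != policy["subject"] or request["action"] not in policy["actions"]:
        return "Deny"
    _, _, matched = match_resource(policy["resource_xpath"], request["resource_subtree"], content_xml)
    return "Permit" if matched else "Deny"


if __name__ == "__main__":
    policy = {"subject": "admin", "actions": {"get-config"}, "resource_xpath": POLICY_XPATH_ANY}
    request = {"subject": "admin", "action": "get-config", "resource_subtree": REQUEST_SUBTREE}
    print(match_resource(POLICY_XPATH_ETH1, REQUEST_SUBTREE))  # matched is False
    print(evaluate(policy, request))                           # Permit
```

Two consequences of the stated rule are worth keeping in mind when writing policies. First, a filter such as `<interfaces/>` selects the whole container, whose identifier is not among the per-interface nodes a policy XPath like `./interfaces/interface` grants, so the request is denied even though every interface individually would be permitted. Second, an empty second result set is a subset of every first result set, so a filter that selects nothing in the content element yields Permit (with nothing to return), while an empty first result set denies any non-empty request.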
Referring to Fig. 5, an embodiment of the present invention provides an access control apparatus, which comprises:
a first receiving module 501, configured to receive a NETCONF access request, the NETCONF access request carrying requested resource information described with a subtree filter expression;
a first sending module 502, configured to provide the requested resource information described with the subtree filter expression to a PDP, so that the PDP can match the requested resource information described with the subtree filter expression against the resource information described with an XPath expression in an access control policy;
a decision module 503, configured to allow access to the requested resource information or deny access to the requested resource information according to the decision returned by the PDP.
Optionally, as shown in Fig. 6, the apparatus may further comprise:
an acquisition module 504, configured to obtain the attribute values of the requested resource information according to the received NETCONF access request.
Optionally, as shown in Fig. 7, the first sending module 502 may comprise:
a generation unit 5021, configured to generate a decision request, the decision request carrying at least the requested resource information described with the subtree filter expression;
a transmitting unit 5022, configured to send the generated decision request to the PDP.
Optionally, as shown in Fig. 8, the decision module 503 may comprise:
a first decision unit 5031, configured to allow access to the requested resource information when the decision returned by the PDP is to allow access to the requested resource information;
a second decision unit 5032, configured to deny access to the requested resource information when the decision returned by the PDP is to deny access to the requested resource information.
The apparatus provided by this embodiment can perform any of the methods performed by the PEP in the embodiments of the invention; for the detailed process, see the description in the method embodiments, which is not repeated here.
With the apparatus provided by this embodiment, the requested resource information described with a subtree filter expression is provided to the PDP, so that the PDP can match it against the resource information described with an XPath expression in the access control policy and return a decision to the PEP, thereby achieving access control over access requests in which the resource is described with a subtree filter expression.
Referring to Fig. 9, another embodiment of the present invention provides an access control apparatus, which comprises:
a third receiving module 901, configured to receive requested resource information described with a subtree filter expression, provided by a PEP;
a matching module 902, configured to match the requested resource information described with the subtree filter expression against the resource information described with an XPath expression in an access control policy, and according to the matching result make a decision to allow access to the requested resource information or to deny access to the requested resource information.
Optionally, as shown in Fig. 10, the apparatus may further comprise:
a third sending module 903, configured to send the decision made according to the matching result to the PEP.
Optionally, as shown in Fig. 11, the third receiving module 901 may comprise:
a first receiving unit 9011, configured to receive a decision request sent by the PEP, the decision request carrying the requested resource information described with the subtree filter expression;
and the matching module 902 may comprise:
a first matching unit 9021, configured to obtain a first result set according to the resource information described with the XPath expression in the access control policy, obtain a second result set according to the requested resource information described with the subtree filter expression, and compare the first result set with the second result set;
a first matching result unit 9022, configured to make a decision to allow access to the requested resource information when the first result set and the second result set are identical or the second result set is a subset of the first result set, and otherwise make a decision to deny access to the requested resource information.
Optionally, as shown in Fig. 12, the third receiving module 901 may comprise:
a second receiving unit 9012, configured to receive a decision request sent by the PEP, the decision request carrying the attribute values of the requested resource information and the requested resource information described with the subtree filter expression;
and the matching module 902 may comprise:
a second matching unit 9023, configured to query the attribute values of the requested resource information according to the resource information described with the XPath expression in the access control policy to obtain a first result set, query the attribute values of the requested resource information according to the requested resource information described with the subtree filter expression to obtain a second result set, and compare the first result set with the second result set;
a second matching result unit 9024, configured to make a decision to allow access to the requested resource information when the first result set and the second result set are identical or the second result set is a subset of the first result set, and otherwise make a decision to deny access to the requested resource information.
The apparatus provided by this embodiment can perform any of the methods performed by the PDP in the embodiments of the invention; for the detailed process, see the description in the method embodiments, which is not repeated here.
With the apparatus provided by this embodiment, the requested resource information described with a subtree filter expression is matched against the resource information described with an XPath expression in the access control policy, and a decision to allow or deny access is made according to the matching result, thereby achieving access control over access requests in which the resource is described with a subtree filter expression.
Referring to Fig. 13, an embodiment of the invention provides an access control system, which comprises:
a policy enforcement point 1301, configured to send a decision request to a policy decision point 1302, the requested resource information in the decision request being described with a subtree filter expression, and, according to the decision returned by the policy decision point 1302, to allow access to the requested resource information or deny access to the requested resource information;
a policy decision point 1302, configured to match the requested resource information described with the subtree filter expression against the resource information described with an XPath expression in an access control policy, make a decision to allow access to the requested resource information or to deny access to the requested resource information according to the matching result, and return the decision to the policy enforcement point 1301.
Optionally, as shown in Fig. 14, the system further comprises:
a policy information point 1303, configured to receive an attribute query request sent by the policy enforcement point 1301, query the attribute values of the requested resource information according to the subtree filter expression carried in the attribute query request, and return the attribute values of the requested resource information to the policy enforcement point;
a policy administration point 1304, configured to provide the access control policy to the policy decision point 1302 in advance, wherein the resource information is described with an XPath expression.
The policy enforcement point 1301 is further configured to generate a decision request and send it to the policy decision point 1302, the decision request carrying at least the attribute values of the requested resource information and the requested resource information described with the subtree filter expression;
the policy decision point 1302 is further configured to query the attribute values of the requested resource information according to the resource information described with the XPath expression in the access control policy provided in advance by the policy administration point 1304 to obtain a first result set, query the attribute values of the requested resource information according to the requested resource information described with the subtree filter expression to obtain a second result set, and compare the first result set with the second result set; when the first result set and the second result set are identical or the second result set is a subset of the first result set, a decision to allow access to the requested resource information is made; otherwise, a decision to deny access to the requested resource information is made.
With the system provided by this embodiment, the requested resource information described with a subtree filter expression is matched against the resource information described with an XPath expression in the access control policy, and a decision to allow or deny the access request is made according to the matching result, thereby achieving access control over access requests in which the resource is described with a subtree filter expression.
All or part of the technical solutions provided by the above embodiments may be implemented by software programming, the software program being stored in a readable storage medium, for example a hard disk, optical disk or floppy disk in a computer.
The above are merely preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement, improvement or the like made within the principle of the present invention shall be included within the protection scope of the present invention.