+

WO2018145546A1 - Procédé d'authentification, dispositif, et support de stockage - Google Patents

Procédé d'authentification, dispositif, et support de stockage Download PDF

Info

Publication number
WO2018145546A1
WO2018145546A1 PCT/CN2018/071503 CN2018071503W WO2018145546A1 WO 2018145546 A1 WO2018145546 A1 WO 2018145546A1 CN 2018071503 W CN2018071503 W CN 2018071503W WO 2018145546 A1 WO2018145546 A1 WO 2018145546A1
Authority
WO
WIPO (PCT)
Prior art keywords
target
policy table
resource
access request
policy
Prior art date
Application number
PCT/CN2018/071503
Other languages
English (en)
Chinese (zh)
Inventor
袁哲
Original Assignee
腾讯科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 腾讯科技(深圳)有限公司 filed Critical 腾讯科技(深圳)有限公司
Publication of WO2018145546A1 publication Critical patent/WO2018145546A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/14Session management
    • H04L67/146Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/60Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Definitions

  • the present application relates to the field of information security technologies, and in particular, to an authentication method, apparatus, and storage medium.
  • cloud service authentication system users can access cloud resources through the cloud service management platform. However, not every user has the right to access the cloud resources.
  • the cloud service management platform needs to authenticate the user who sends the resource access request, and only the user who passes the authentication can access the cloud resource.
  • the embodiment of the present invention provides an authentication method, an apparatus, and a storage medium.
  • searching data related to a resource access request from a policy table classified according to a user identifier the search time of the resource access request related data is saved, thereby improving
  • the authentication efficiency of the resource access request avoids the waste of processing resources of the computing device caused by searching related data of the resource access request in the plurality of relation tables.
  • An embodiment of the present application provides an authentication method, which is applied to a computing device, including:
  • Target resource access request carries a target user identifier, a target access resource, and a target operation mode for accessing the resource to the target;
  • the target resource access request is authenticated by using the first policy table, and the authentication result of the target resource access request is output;
  • the first policy table is a relationship table including a user identifier, an accessible resource corresponding to the user identifier, and a corresponding relationship between the operable modes of the accessible resource, where the first policy table is Classified by the user identifier, each user identifier corresponds to at least one accessible resource, and each accessible resource corresponds to at least one operable manner.
  • An embodiment of the present application provides an authentication apparatus, including:
  • the processor executing the machine readable instructions to: receive a user terminal to transmit a target resource access request, where the target resource access request carries a target user identifier, a target access resource, and a target operation mode for accessing the resource to the target;
  • the target resource access request is authenticated by using the first policy table, and the authentication result of the target resource access request is output;
  • the first policy table is a relationship table including a user identifier, an accessible resource corresponding to the user identifier, and a corresponding relationship between the operable modes of the accessible resource, where the first policy table is Classified by the user identifier, each user identifier corresponds to at least one accessible resource, and each accessible resource corresponds to at least one operable manner.
  • Embodiments of the present application also provide a non-transitory computer readable storage medium in which machine readable instructions are stored, the machine readable instructions being executable by a processor to:
  • Target resource access request carries a target user identifier, a target access resource, and a target operation mode for accessing the resource by the target;
  • the target resource access request is authenticated by using the first policy table, and the authentication result of the target resource access request is output;
  • the first policy table is a relationship table including a user identifier, an accessible resource corresponding to the user identifier, and a corresponding relationship between the operable modes of the accessible resource, where the first policy table is Classified by the user identifier, each user identifier corresponds to at least one accessible resource, and each accessible resource corresponds to at least one operable manner.
  • FIG. 1A is a schematic diagram of an implementation environment of an authentication method provided by an embodiment of the present application.
  • FIG. 1B is a schematic flowchart of an authentication method provided by an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of another authentication method provided by an embodiment of the present application.
  • FIG. 3 is a schematic flowchart of a step 205 according to an embodiment of the present application.
  • FIG. 4 is a schematic structural diagram of an authentication apparatus according to an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of another authentication apparatus according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic structural diagram of a first authentication unit according to an embodiment of the present disclosure.
  • FIG. 7 is a schematic structural diagram of a policy table updating unit according to an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of another authentication apparatus according to an embodiment of the present application.
  • the relationship between the two is stored and managed separately.
  • the relationship table between the user ID and the user group, the relationship table of the user group and the policy group, the relationship table of the policy group and the accessible resource, the policy group, and the actionable relationship are saved. Tables, etc., can intuitively reflect the relationship between the two sets of data. However, in the authentication process, it is necessary to perform one-to-one matching from each relationship table.
  • the actionable mode confirm whether the user's operation is included. Therefore, the prior art solution needs to search multiple times from multiple relational tables to determine the authentication result, which reduces the authentication efficiency of the user access request, and wastes the processing resources of the authentication device.
  • the authentication method provided by the embodiment of the present application may be applied to a scenario for accessing a cloud service resource, for example, receiving a target cloud resource access request sent by a user terminal, where the target cloud resource access request carries a target user identifier, a target access cloud resource, and a target operation mode for accessing the cloud resource to the target; searching for a verification result of the target cloud resource access request in the cache table, where the cache table includes a preset time before receiving the target cloud resource access request An authentication result of the plurality of cloud resource access requests in the segment; when the authentication result of the target cloud resource access request does not exist in the cache table, the first policy table is used to check the target cloud resource access request And outputting the authentication result of the target cloud resource access request, where the first policy table is a user identifier, an accessible cloud resource corresponding to the user identifier, and the accessible cloud resource A relational table of correspondence between operable modes, since the first policy table is classified by user identifier and contains user tags And a relationship table between the accessible cloud resource corresponding
  • the authentication device in the embodiment of the present application may be a background device that authenticates a resource access request, and the authentication device may be a physical device that is separately set up, such as a computing device such as a server. Not limited.
  • the implementation environment of the authentication method provided by the embodiment of the present application may be as shown in FIG. 1A, wherein the server device 111 is integrated with the authentication device 1111 provided by any embodiment of the present application.
  • the server device 111 and the user terminal 112 are connected by a network 113.
  • the network 113 may be a wired network or a wireless network.
  • FIG. 1B is a schematic flowchart diagram of an authentication method according to an embodiment of the present application. As shown in FIG. 1B, the method in the embodiment of the present application may be performed by an authentication apparatus provided in any embodiment of the present application, and may include the following steps 101-103.
  • Step 101 Receive a target resource access request sent by a user terminal.
  • the authentication device receives the target resource access request sent by the user terminal.
  • the target resource access request carries a target user identifier, a target access resource, and a target operation mode for accessing the resource to the target.
  • the user can initiate a target resource access request by logging into the resource management platform.
  • the target user identifier is used to mark the user who performs the target operation mode on the target access resource.
  • the target access resource may be a file, data, or the like in the server, and the target operation mode may be a read instruction, a delete instruction, a write instruction, or the like.
  • the embodiment of the present application does not limit the manner in which the target operation mode is included.
  • Step 102 Search, in the cache table, whether an authentication result of the target resource access request exists.
  • the authentication device searches for a result of the authentication of the target resource access request in the cache table, where the authentication result includes the authentication pass and the authentication fail. If the authentication result is authenticated, the authentication device is configured to perform the target operation mode on the target access resource according to the target resource access request, and if the authentication result is that the authentication fails, the authentication device rejects The target resource access request.
  • the cache table includes an authentication result of multiple resource access requests within a preset time period before receiving the target resource access request.
  • the preset time period is preset by the authentication device. For example, in a case where the resource access request is frequent, the authentication device may set a cache in the cache table to receive the target resource access request. The authentication result of all resource access requests in the hour; in the case where the resource access request is sparse, the authentication device may set all the resources in the cache table to buffer the time within the first 24 hours of receiving the target resource access request.
  • the time range of the authentication result cached by the cache table is not limited in the embodiment of the present application.
  • the cache table includes data of a user identifier, an accessible resource, an operable manner of the accessible resource, an authentication result, and the like of each of the plurality of resource access requests.
  • the target authentication result of the target resource access request is determined by comparing the target user identifier in the target resource access request, the target access resource, and the target operation mode of the target access resource with the data in the cache table.
  • Step 103 When the authentication result of the target resource access request does not exist in the cache table, use the first policy table to authenticate the target resource access request, and output the authentication of the target resource access request. result.
  • the authentication device uses the first policy table to authenticate the target resource access request, and outputs the target resource. Access the authentication result of the request.
  • the first policy table is a relationship table including a user identifier, an accessible resource corresponding to the user identifier, and a corresponding relationship between the operable modes of the accessible resource, where the first policy table is According to the user identifier, each user identifier corresponds to at least one accessible resource, and each accessible resource corresponds to at least one operable manner.
  • Table 1 is a policy table in a form, including a user identifier, an accessible resource, and an operable manner for the accessible resource.
  • Table 1 is classified according to the user identifier, so that when the target resource access request is authenticated, the accessible resource corresponding to the target user identifier and the operable mode can be quickly found from the user identifier in the first policy table, thereby improving the The efficiency of authentication of target resource access requests.
  • the authentication device when the authentication result of the target resource access request exists in the cache table, the authentication device outputs the authentication result found in the cache table.
  • the authentication device processes the target resource access request, that is, according to the target in the target resource access request.
  • the operation mode processes the target access resource, and after the processing is completed, the authentication device may output the processing result.
  • the cache table when receiving the target resource identifier that is sent by the user terminal, the target access resource, and the target operation mode of the target access resource, the cache table is used to find whether the target resource access request exists.
  • the target resource access request is authenticated by using the first policy table, and the authentication result of the target resource access request is output.
  • the first policy table is a relationship table that is classified by the user identifier and is a correspondence relationship between the user identifier, the accessible resource corresponding to the user identifier, and the operable mode of the accessible resource, so that the relationship can be in a relationship.
  • the data in the table for finding the target resource access request saves the time for finding the related data of the target resource access request, thereby improving the authentication efficiency of the resource access request and avoiding finding the target resource access request in multiple relational tables. Waste of processing resources of computing devices caused by related data.
  • FIG. 2 is a schematic flowchart diagram of another authentication method according to an embodiment of the present application. As shown in FIG. 2, the method in the embodiment of the present application may be performed by the authentication apparatus provided in any embodiment of the present application, and may include the following steps 201-207.
  • Step 201 Receive a target resource access request sent by the user terminal.
  • the authentication device receives the target resource access request sent by the user terminal.
  • the target resource access request carries a target user identifier, a target access resource, and a target operation mode for accessing the resource to the target.
  • the user can initiate a target resource access request by logging into the resource management platform.
  • the target user identifier is used to mark the user who performs the target operation mode on the target access resource.
  • the target access resource may be a file, data, or the like in the server, and the target operation mode may be a read instruction, a delete instruction, a write instruction, or the like.
  • the embodiment of the present application does not limit the manner in which the target operation mode is included.
  • Step 202 Search, in the cache table, whether an authentication result of the target resource access request exists.
  • the authentication device searches for a result of the authentication of the target resource access request in the cache table, where the authentication result includes the authentication pass and the authentication fail. If the authentication result is authenticated, the authentication device is configured to perform the target operation mode on the target access resource according to the target resource access request, and if the authentication result is that the authentication fails, the authentication device rejects The target resource access request.
  • the cache table includes an authentication result of multiple resource access requests within a preset time period before receiving the target resource access request.
  • the preset time period is preset by the authentication device. For example, in a case where the resource access request is frequent, the authentication device may set a cache in the cache table to receive the target resource access request. The authentication result of all resource access requests in the hour; in the case where the resource access request is sparse, the authentication device may set all the resources in the cache table to buffer the time within the first 24 hours of receiving the target resource access request.
  • the time range of the authentication result cached by the cache table is not limited in the embodiment of the present application.
  • the cache table includes data of a user identifier, an accessible resource, an operable manner of the accessible resource, an authentication result, and the like of each of the plurality of resource access requests.
  • the target authentication result of the target resource access request is determined by comparing the target user identifier in the target resource access request, the target access resource, and the target operation mode of the target access resource with the data in the cache table.
  • Step 203 When the authentication result of the target resource access request exists in the cache table, the authentication device outputs the authentication result found in the cache table.
  • Step 204 When the authentication result of the target resource access request does not exist in the cache table, check whether the current version number of the second policy table is higher than the current version number of the first policy table.
  • the authenticating device detects whether the current version number of the second policy table is higher than the current version number of the first policy table.
  • the first policy table is a relationship table including a user identifier, an accessible resource corresponding to the user identifier, and a corresponding relationship between the operable modes of the accessible resource, where the first policy table is According to the user identifier, each user identifier corresponds to at least one accessible resource, and each accessible resource corresponds to at least one operable manner.
  • the second policy table includes a relationship table between a user identifier and a user group, a relationship table between the user group and the policy identifier, a mapping table of the policy identifier and the accessible resource, and a mapping between the policy identifier and the operable mode. Tables and other relational tables.
  • the policy identifier in the second policy table is used to correspond to a resource group composed of a plurality of accessible resources, or the policy identifier is used to correspond to a permission group composed of multiple operable modes.
  • the current version number of the first policy table and the current version number of the second policy table may be represented by an update time.
  • the version number may indicate updated data, such as changed accessible resources, changed user identification, changed operational modes, and the like.
  • a changed user group identifier, a changed policy identifier, and the like may also be included.
  • the second policy table since the second policy table is distinguished by each policy identifier, when the user identifier or the accessible resource or the operable mode changes such as increase, decrease, etc., the second policy table may be updated first, because The second policy table includes a plurality of relation tables, and the data update can be completed by modifying one of the relationship tables, the update efficiency of the policy table can be improved, and the version number of the second policy table is updated after the second policy table is updated.
  • the first policy table is updated according to the second policy table to ensure the accuracy of the first policy table, and the version number of the first policy table is updated after the first policy table is updated.
  • Step 205 If the current version number of the second policy table is not higher than the current version number of the first policy table, use the first policy table to authenticate the target resource access request, and output the target. The authentication result of the resource access request.
  • the authentication device uses the first policy table to check the target resource access request. And output an authentication result of the target resource access request.
  • the first policy table is a relationship table classified according to the user identifier, and a relationship table includes multiple data, and the target resource access request is authenticated by using the first policy table, thereby improving the authentication efficiency and avoiding the cause.
  • the waste of processing resources of the computing device caused by finding related data of the target resource access request in the plurality of relation tables.
  • step 205 may include step 2051 to step 2055 .
  • Step 2051 Search for an accessible resource corresponding to the target user identifier and an operable manner for the accessible resource from the first policy table.
  • the authentication device searches, from the first policy table, an accessible resource corresponding to the target user identifier and an operable manner for the accessible resource.
  • Step 2052 Determine whether the target access resource exists in the accessible resource.
  • the authentication device searches for at least one accessible resource corresponding to the target user identifier to find whether the target access resource exists. If the target access resource exists in the accessible resource corresponding to the target user identifier, step 2053 is performed; if the target access resource does not exist in the accessible resource corresponding to the target user identifier, step 2055 is performed. .
  • Step 2053 If the target access resource exists in the accessible resource, determine whether the target operation mode exists in an operable manner of the target access resource.
  • the determining device determines that the target access resource exists in the accessible resource, and further determines whether the target operation mode exists in an operable manner of the target access resource, if the operable mode If the target operation mode exists, step 2054 is performed. If the target operation mode does not exist in the operable mode, step 2055 is performed.
  • step 2054 if the target operation mode exists in the operability mode of the target access resource, the authentication result of the target resource access request is determined to be authenticated, and the authentication of the target resource access request is output. result.
  • the authentication device determines that the authentication result of the target resource access request is authentication, and outputs the target resource. Access the authentication result of the request.
  • the authentication device processes the target resource access request, that is, according to the target in the target resource access request.
  • the operation mode processes the target access resource, and after the processing is completed, the authentication device may output the processing result.
  • Step 2055 Determine that the authentication result of the target resource access request is that the authentication fails.
  • the authentication device determines that the authentication result of the target resource access request is that the authentication fails, and outputs the authentication result, so that the user understands the authentication result.
  • Step 206 If the current version number of the second policy table is higher than the current version number of the first policy table, use the second policy table to authenticate the target resource access request, and output the The authentication result of the target resource access request.
  • the authentication device uses the second policy table to authenticate the target resource access request. And outputting an authentication result of the target resource access request.
  • the authentication device may complete the authentication by searching whether the data corresponding to the target resource access request exists in the plurality of relationship tables included in the second policy table.
  • Step 207 If the current version number of the second policy table is higher than the current version number of the first policy table, update the first policy table according to the second policy table.
  • the authentication device updates the first policy table according to the second policy table. Specifically, the current version number of the first policy table is compared with the historical version information of the second policy table, and the unupdated data of the first policy table is determined. And updating, according to the unupdated data, the first policy table, and changing a current version number of the first policy table to a current version number of the second policy table.
  • the second strategy table includes the following Table A, Table B, Table C, and Table D.
  • Table B Relationship table between user groups and resource identifiers
  • Table C Relationship table between resource IDs and accessible resources
  • RID-1 Resource identification Accessible resources RID-1 R-A, R-B RID-2 R-C RID-3 R-C; R-D
  • Table D Relationship Table between Resource Identification and Operational Mode
  • the first policy table corresponding to the current second policy table is Table E.
  • the authentication result needs to be determined through multiple relationship tables, and when the target resource access request is authenticated through the first policy table, only one relationship needs to be obtained.
  • the authentication result can be determined in the table, which greatly reduces the time for opening the relationship table, closing the relationship table, and searching for data, which can improve the authentication efficiency and avoid the related data of finding the target resource access request in multiple relation tables.
  • the waste of processing resources of the computing device Therefore, if the current version number of the second policy table is not higher than the current version number of the first policy table, the first policy table is used for authentication, and the current version number of the second policy table is higher than the first policy table. In the case of the current version number, the second policy table is used for authentication.
  • the second policy table intuitively reflects the relationship between the data
  • the user group and the user identifier included in the second policy table can be directly and quickly updated.
  • the relationship table, and the first policy table also needs to update the accessible resource and the operable mode of the newly added user identifier, so when there is new data to be updated, the second policy table is preferentially updated, so that the update efficiency is higher. And updating the version number of the second policy table after the second policy table is updated.
  • the first policy table after updating the second policy table, may be updated according to the updated content of the second policy table.
  • the method of preferentially updating the first policy table may be adopted, and after updating the first policy table, updating the second policy according to the updated first policy table. table.
  • the first policy table and the second policy table are updated in synchronization, which is not limited by the embodiment of the present application.
  • the target resource access request when receiving the target resource identifier that is sent by the user terminal, the target access resource, and the target operation mode of the target access resource, the target resource access request does not exist in the cache table. If the version number of the second policy table is not higher than the version number of the first policy table, the first policy table is used to authenticate the target resource access request, if the version number of the second policy table is higher than the first The version number of the policy table is used to authenticate the target resource access request by using the second policy table, and output the authentication result of the target resource access request.
  • the first policy table is a relationship table that is classified by the user identifier and is a correspondence relationship between the user identifier, the accessible resource corresponding to the user identifier, and the operable mode of the accessible resource, so that the first policy table can be in a relationship table.
  • the data related to the target resource access request is searched, which saves the time for finding the related data of the target resource access request, thereby improving the authentication efficiency of the resource access request and avoiding the related data of the target resource access request in multiple relational tables.
  • the resulting processing resources of the computing device are wasted.
  • the second policy table includes multiple relationship tables, the update can be completed relatively quickly. In the case that the second policy table stores the latest data and the first policy table is not updated, the target resource can be accessed through the second policy table. Request for authentication to ensure the accuracy of authentication.
  • FIG. 4 is a schematic structural diagram of an authentication apparatus according to an embodiment of the present application.
  • the authentication apparatus 1 of the embodiment of the present application may include: a request receiving unit 11, a result finding unit 12, and a first authentication unit 13.
  • the request receiving unit 11 is configured to receive a target resource access request sent by the user terminal, where the target resource access request carries a target user identifier, a target access resource, and a target operation mode for the target access resource.
  • the request receiving unit 11 receives a target resource access request sent by the user terminal.
  • the target resource access request carries a target user identifier, a target access resource, and a target operation mode for accessing the resource to the target.
  • the user can initiate a target resource access request by logging into the resource management platform.
  • the target user identifier is used to mark the user who performs the target operation mode on the target access resource.
  • the target access resource may be a file, data, or the like in the server, and the target operation mode may be a read instruction, a delete instruction, a write instruction, or the like.
  • the embodiment of the present application does not limit the manner in which the target operation mode is included.
  • the result finding unit 12 is configured to search, in the cache table, whether an authentication result of the target resource access request exists, where the cache table includes multiple resource accesses within a preset time period before receiving the target resource access request The requested authentication result.
  • the result searching unit 12 searches the cache table for the existence of the authentication result of the target resource access request, where the authentication result includes the authentication pass and the authentication fail. If the authentication result is authenticated, the authentication device 1 is allowed to perform a target operation mode on the target access resource according to the target resource access request, and if the authentication result is that the authentication fails, the authentication device is represented. 1 reject the target resource access request.
  • the cache table includes an authentication result of multiple resource access requests within a preset time period before receiving the target resource access request.
  • the preset time period is preset by the authentication device 1. For example, in a case where the resource access request is frequent, the authentication device 1 may set a time in the cache table to buffer the time when the target resource access request is received. The authentication result of all the resource access requests in the previous hour; in the case where the resource access request is sparse, the authentication device 1 may set the cache within the first 24 hours of the time when the cache resource is received.
  • the time range of the authentication result cached by the cache table is not limited in the embodiment of the present application.
  • the cache table includes data of a user identifier, an accessible resource, an operable manner of the accessible resource, an authentication result, and the like of each of the plurality of resource access requests. Determining whether there is an authentication result of the target resource access request by comparing the target user identifier in the target resource access request, the target access resource, and the target operation mode of the target access resource with the data in the cache table. .
  • the first authentication unit 13 is configured to: when the authentication result of the target resource access request does not exist in the cache table, use the first policy table to authenticate the target resource access request, and output the target The authentication result of the resource access request.
  • the first authentication unit 13 uses the first policy table to authenticate the target resource access request, and outputs the The authentication result of the target resource access request.
  • the first policy table is a relationship table including a user identifier, an accessible resource corresponding to the user identifier, and a corresponding relationship between the operable modes of the accessible resource, where the first policy table is Classified by the user identifier, each user identifier corresponds to at least one accessible resource, and each accessible resource corresponds to at least one operable manner.
  • the authentication apparatus 1 when the authentication result of the target resource access request exists in the cache table, the authentication apparatus 1 outputs the authentication result found in the cache table.
  • the authentication apparatus 1 processes the target resource access request, that is, according to the target resource access request.
  • the target operation mode processes the target access resource, and after the processing is completed, the authentication apparatus 1 can output the processing result.
  • the cache table when receiving the target resource identifier that is sent by the user terminal, the target access resource, and the target operation mode of the target access resource, the cache table is used to find whether the target resource access request exists.
  • the target resource access request is authenticated by using the first policy table, and the authentication result of the target resource access request is output.
  • the first policy table is a relationship table that is classified by the user identifier and is a correspondence relationship between the user identifier, the accessible resource corresponding to the user identifier, and the operable mode of the accessible resource, so that the relationship can be in a relationship.
  • the data in the table for finding the target resource access request saves the time for finding the related data of the target resource access request, thereby improving the authentication efficiency of the resource access request and avoiding finding the target resource access request in multiple relational tables. Waste of processing resources of computing devices caused by related data.
  • FIG. 5 is another schematic structural diagram of an authentication apparatus according to an embodiment of the present application.
  • the authentication apparatus 1 of the embodiment of the present application may include: a request receiving unit 11, a result finding unit 12, a first authentication unit 13, a version number detecting unit 14, a second authentication unit 15, and Policy table update unit 16.
  • the request receiving unit 11 is configured to receive a target resource access request sent by the user terminal, where the target resource access request carries a target user identifier, a target access resource, and a target operation mode for the target access resource.
  • the request receiving unit 11 receives a target resource access request sent by the user terminal.
  • the target resource access request carries a target user identifier, a target access resource, and a target operation mode for accessing the resource to the target.
  • the user can initiate a target resource access request by logging into the resource management platform.
  • the target user identifier is used to mark the user who performs the target operation mode on the target access resource.
  • the target access resource may be a file, data, or the like in the server, and the target operation mode may be a read instruction, a delete instruction, a write instruction, or the like.
  • the embodiment of the present application does not limit the manner in which the target operation mode is included.
  • the result finding unit 12 is configured to search, in the cache table, whether an authentication result of the target resource access request exists, where the cache table includes multiple resource accesses within a preset time period before receiving the target resource access request The requested authentication result.
  • the result searching unit 12 searches the cache table for the existence of the authentication result of the target resource access request, where the authentication result includes the authentication pass and the authentication fail, and if the authentication result is the authentication pass Indicates that the authentication device 1 allows the target operation mode to be performed on the target access resource according to the target resource access request. If the authentication result is that the authentication fails, the authentication device 1 rejects the target resource access request. .
  • the cache table includes an authentication result of multiple resource access requests within a preset time period before receiving the target resource access request.
  • the preset time period is preset by the authentication device 1. For example, in a case where the resource access request is frequent, the authentication device 1 may set a time in the cache table to buffer the time when the target resource access request is received. The authentication result of all the resource access requests in the previous hour; in the case where the resource access request is sparse, the authentication device 1 may set the cache within the first 24 hours of the time when the cache resource is received.
  • the time range of the authentication result cached by the cache table is not limited in the embodiment of the present application.
  • the cache table includes data of a user identifier, an accessible resource, an operable manner of the accessible resource, an authentication result, and the like of each of the plurality of resource access requests.
  • the target authentication result of the target resource access request is determined by comparing the target user identifier in the target resource access request, the target access resource, and the target operation mode of the target access resource with the data in the cache table.
  • the version number detecting unit 14 is configured to detect, when the authentication result of the target resource access request does not exist in the cache table, whether the current version number of the second policy table is higher than a current version number of the first policy table. .
  • the version number detecting unit 14 detects whether the current version number of the second policy table is higher than the current version number of the first policy table. .
  • the first policy table is a relationship table including a user identifier, an accessible resource corresponding to the user identifier, and a corresponding relationship between the operable modes of the accessible resource, where the first policy table is Classified by the user identifier, each user identifier corresponds to at least one accessible resource, and each accessible resource corresponds to at least one operable manner.
  • the second policy table includes a relationship table between a user identifier and a user group, a relationship table between the user group and the policy identifier, a mapping table of the policy identifier and the accessible resource, and a mapping between the policy identifier and the operable mode. Tables and other relational tables.
  • the policy identifier in the second policy table is used to correspond to a resource group composed of a plurality of accessible resources, or the policy identifier is used to correspond to a permission group composed of multiple operable modes.
  • the current version number of the first policy table and the current version number of the second policy table may be represented by an update time.
  • the version number may indicate updated data, such as changed accessible resources, changed user identification, changed operational modes, and the like.
  • a changed user group identifier, a changed policy identifier, and the like may also be included.
  • the second policy table since the second policy table is distinguished by each policy identifier, when the user identifier or the accessible resource or the operable mode changes such as increase, decrease, etc., the second policy table may be updated first, because The second policy table includes a plurality of relation tables, and the data update can be completed by modifying one of the relationship tables, the update efficiency of the policy table can be improved, and the version number of the second policy table is updated after the second policy table is updated.
  • the first policy table is updated according to the second policy table to ensure the accuracy of the first policy table, and after the first policy table is updated, the version number of the first policy table is updated.
  • the first authentication unit 13 is configured to adopt the first policy if the version number detecting unit 14 detects that the current version number of the second policy table is not higher than the current version number of the first policy table.
  • the table authenticates the target resource access request and outputs an authentication result of the target resource access request.
  • FIG. 6 is a schematic structural diagram of a first authentication unit 13 according to an embodiment of the present application.
  • the first authentication unit 13 includes a data search sub-unit 131 and a first The judgment sub-unit 132, the second judgment sub-unit 133, and the result determination sub-unit 134.
  • the data search sub-unit 131 is configured to search, from the first policy table, an accessible resource corresponding to the target user identifier and an operable manner for the accessible resource.
  • the data search sub-unit 131 searches the first policy table for an accessible resource corresponding to the target user identifier and an operable manner for the accessible resource.
  • the first determining sub-unit 132 is configured to determine whether the target access resource exists in the accessible resource.
  • the first determining sub-unit 132 searches for at least one accessible resource corresponding to the target user identifier to find whether the target access resource exists. If the target access resource exists in the accessible resource corresponding to the target user identifier, the second determining sub-unit 133 is executed.
  • the second determining sub-unit 133 is configured to determine, if the first access sub-unit 132 determines that the target access resource exists in the accessible resource, determine whether the target exists in an operable manner of the target access resource Operation method.
  • the second determining sub-unit 133 determines whether the operating mode of the target access resource exists.
  • the target operation mode if the target operation mode exists in the operable mode, the result determination sub-unit 134 is executed.
  • a result determining sub-unit 134 configured to determine, when the second determining sub-unit 133 determines that the target operating mode exists in an operable manner of accessing the target resource, determining an authentication result of the target resource access request The right passes, and outputs the authentication result of the target resource access request.
  • the result determining sub-unit 134 determines that the authentication result of the target resource access request is an authentication pass, and outputs the The authentication result of the target resource access request.
  • the authentication apparatus 1 processes the target resource access request, that is, according to the target resource access request.
  • the target operation mode processes the target access resource, and after the processing is completed, the authentication apparatus 1 can output the processing result.
  • the second authentication unit 15 is configured to adopt the second policy table if the version number detecting unit 14 detects that the current version number of the second policy table is higher than the current version number of the first policy table. And authenticating the target resource access request, and outputting an authentication result of the target resource access request.
  • the second authentication unit 15 uses the second policy table to access the target resource. The authentication is performed, and the authentication result of the target resource access request is output.
  • the second authentication unit 15 may perform the authentication by searching whether the data corresponding to the target resource access request exists in the plurality of relationship tables included in the second policy table.
  • the policy table updating unit 16 is configured to: if the version number detecting unit 14 detects that the current version number of the second policy table is higher than the current version number of the first policy table, according to the second policy table, Update the first policy table.
  • FIG. 7 is a schematic structural diagram of a policy table updating unit 16 according to an embodiment of the present application.
  • the policy table updating unit 16 includes an update data determining subunit 161 and a policy table update. Subunit 162.
  • the update data determining subunit 161 is configured to compare the first policy table if the version number detecting unit 14 detects that the current version number of the second policy table is higher than the current version number of the first policy table.
  • the current version number and the historical version information of the second policy table determine the unupdated data of the first policy table.
  • the policy table update sub-unit 162 is configured to update the first policy table according to the unupdated data, and change a current version number of the first policy table to a current version number of the second policy table. .
  • the target resource access request when receiving the target resource identifier that is sent by the user terminal, the target access resource, and the target operation mode of the target access resource, the target resource access request does not exist in the cache table. If the version number of the second policy table is not higher than the version number of the first policy table, the first policy table is used to authenticate the target resource access request, if the version number of the second policy table is higher than the first The version number of the policy table is used to authenticate the target resource access request by using the second policy table, and output the authentication result of the target resource access request.
  • the first policy table is a relationship table that is classified by the user identifier and is a correspondence relationship between the user identifier, the accessible resource corresponding to the user identifier, and the operable mode of the accessible resource, so that the first policy table can be in a relationship table.
  • the data related to the target resource access request is searched, which saves the time for finding the related data of the target resource access request, thereby improving the authentication efficiency of the resource access request and avoiding the related data of the target resource access request in multiple relational tables.
  • the resulting processing resources of the computing device are wasted.
  • the second policy table includes multiple relationship tables, the update can be completed relatively quickly. In the case that the second policy table stores the latest data and the first policy table is not updated, the target resource can be accessed through the second policy table. Request for authentication to ensure the accuracy of authentication.
  • FIG. 8 is a schematic structural diagram of another authentication apparatus according to an embodiment of the present application.
  • the authentication apparatus 1000 may include at least one processor 1001, such as a CPU (Central Processing Unit), at least one network interface 1004, a memory 1005, and at least one communication bus 1002.
  • the network interface 1004 can optionally include a standard wired interface, a wireless interface (such as a WI-FI interface).
  • the memory 1005 may be a high speed RAM memory or a non-volatile memory such as at least one disk memory. According to an embodiment of the present application, the memory 1005 may also be at least one storage device located away from the processor 1001. Among them, the communication bus 1002 is used to implement connection communication between these components.
  • the authentication device 1000 includes a user interface 1003, wherein the user interface 1003 may include a display 10031 and a keyboard 10032.
  • the user interface 1003 may include a display 10031 and a keyboard 10032.
  • an operating system 10051, a network communication module 10052, a user interface module 10053, and machine readable instructions, such as an authentication application 10054, may be included in the memory 1005 as a computer storage medium.
  • the user interface 1003 is mainly used to receive a user-initiated target resource access request and the like; and the processor 1001 can be used to invoke an authentication application stored in the memory 1005, and specifically execute the following: operating:
  • Target resource access request carries a target user identifier, a target access resource, and a target operation mode for accessing the resource by the target;
  • the target resource access request is authenticated by using the first policy table, and the authentication result of the target resource access request is output;
  • the first policy table is a relationship table including a user identifier, an accessible resource corresponding to the user identifier, and a corresponding relationship between the operable modes of the accessible resource, where the first policy table is Classified by the user identifier, each user identifier corresponds to at least one accessible resource, and each accessible resource corresponds to at least one operable manner.
  • the processor 1001 performs the following operations before performing the authentication on the target resource access request by using the first policy table, and outputting the authentication result of the target resource access request:
  • the target resource access request is authenticated by using the first policy table, and the target resource is output Access the authentication result of the request;
  • the second policy table includes a plurality of relationship tables, where the relationship table includes a relationship between the user identifier and the user group, a relationship table between the user group and the policy identifier, a mapping table of the policy identifier and the accessible resource, and a policy.
  • a mapping table of identification and actionable methods is included in the relationship table.
  • the processor 1001 further performs the following operations:
  • the target resource access request is authenticated by using the second policy table, and the target resource access is output The requested authentication result.
  • the processor 1001 further performs the following operations:
  • the processor 1001 performs updating the first policy table according to the second policy table, and specifically performs the following operations:
  • the processor 1001 performs the authentication of the target resource access request by using the first policy table, and outputs the authentication result of the target resource access request, and specifically performs the following operations:
  • the target access resource exists in the accessible resource, determining whether the target operation mode exists in an operable manner of accessing the resource to the target;
  • the authentication result of the target resource access request is determined to be authenticated, and the authentication result of the target resource access request is output.
  • the cache table when receiving the target resource identifier that is sent by the user terminal, the target access resource, and the target operation mode of the target access resource, the cache table is used to find whether the target resource access request exists.
  • the target resource access request is authenticated by using the first policy table, and the authentication result of the target resource access request is output.
  • the first policy table is a relationship table that is classified by the user identifier and is a correspondence relationship between the user identifier, the accessible resource corresponding to the user identifier, and the operable mode of the accessible resource, so that the relationship can be in a relationship.
  • the data in the table for finding the target resource access request saves the time for finding the related data of the target resource access request, thereby improving the authentication efficiency of the resource access request and avoiding finding the target resource access request in multiple relational tables. Waste of processing resources of computing devices caused by related data.
  • the module or unit in the embodiment of the present application may be implemented by a general-purpose integrated circuit, such as a CPU, or by an ASIC (Application Specific Integrated Circuit).
  • a general-purpose integrated circuit such as a CPU
  • ASIC Application Specific Integrated Circuit
  • the modules or units in the terminal device in this embodiment of the present application may be combined, divided, and deleted according to actual needs.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

Les modes de réalisation de la présente invention concernent un procédé d'authentification, un dispositif, et un support de stockage. Le procédé comprend les étapes suivantes consistant à : recevoir une demande d'accès à une ressource cible, envoyée par un terminal utilisateur et contenant un identificateur d'utilisateur cible, une ressource d'accès cible, et un mode de fonctionnement cible pour la ressource d'accès cible ; rechercher s'il existe un résultat d'authentification de la demande d'accès à une ressource cible dans une table-cache ; et lorsqu'il n'existe aucun résultat d'authentification de la demande d'accès à une ressource cible dans la table-cache, utiliser une première table de politiques pour authentifier la demande d'accès à une ressource cible, et délivrer en sortie le résultat d'authentification de la demande d'accès à une ressource cible, la première table de politiques étant une table de relations comprenant les relations correspondantes entre l'identificateur d'utilisateur, des ressources accessibles correspondant à l'identificateur d'utilisateur, et les modes de fonctionnement des ressources accessibles, et la classification de la première table de politiques étant exécutée à l'aide de l'identificateur d'utilisateur.
PCT/CN2018/071503 2017-02-07 2018-01-05 Procédé d'authentification, dispositif, et support de stockage WO2018145546A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710067325.5A CN106790262B (zh) 2017-02-07 2017-02-07 一种鉴权方法及装置
CN201710067325.5 2017-02-07

Publications (1)

Publication Number Publication Date
WO2018145546A1 true WO2018145546A1 (fr) 2018-08-16

Family

ID=58956278

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/071503 WO2018145546A1 (fr) 2017-02-07 2018-01-05 Procédé d'authentification, dispositif, et support de stockage

Country Status (2)

Country Link
CN (1) CN106790262B (fr)
WO (1) WO2018145546A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112752300A (zh) * 2020-12-29 2021-05-04 锐捷网络股份有限公司 本地分流的实现方法及装置

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790262B (zh) * 2017-02-07 2022-02-11 腾讯科技(深圳)有限公司 一种鉴权方法及装置
CN107172057A (zh) * 2017-06-01 2017-09-15 浙江数链科技有限公司 鉴权实现方法和装置
CN109495432B (zh) * 2017-09-13 2021-05-25 腾讯科技(深圳)有限公司 一种匿名账户的鉴权方法及服务器
CN110197075B (zh) * 2018-04-11 2023-03-17 腾讯科技(深圳)有限公司 资源访问方法、装置、计算设备以及存储介质
CN110224974B (zh) * 2019-04-26 2022-08-30 平安科技(深圳)有限公司 基于第三方接入的接口鉴权方法及相关设备
CN112651001B (zh) * 2020-12-30 2025-02-11 中国平安财产保险股份有限公司 访问请求的鉴权方法、装置、设备及可读存储介质
CN112995165B (zh) * 2021-02-10 2023-04-14 北京金山云网络技术有限公司 资源访问的鉴权方法及装置、存储介质、电子设备
CN115278672B (zh) * 2022-07-28 2024-12-27 中国电信股份有限公司 鉴权认证方法、装置、电子设备和介质

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070160198A1 (en) * 2005-11-18 2007-07-12 Security First Corporation Secure data parser method and system
WO2009094890A1 (fr) * 2008-01-29 2009-08-06 Huawei Technologies Co., Ltd. Procédé de programmation d'un service et système associé, appareil de programmation de services
CN103067911A (zh) * 2012-12-17 2013-04-24 中国联合网络通信集团有限公司 控制硬件模块使用的方法和设备
CN103888409A (zh) * 2012-12-19 2014-06-25 中国电信股份有限公司 分布式统一认证方法及系统
CN104484617A (zh) * 2014-12-05 2015-04-01 中国航空工业集团公司第六三一研究所 一种基于多策略融合的数据库访问控制方法
CN105357190A (zh) * 2015-10-26 2016-02-24 网宿科技股份有限公司 访问请求鉴权的方法及系统
CN106790262A (zh) * 2017-02-07 2017-05-31 腾讯科技(深圳)有限公司 一种鉴权方法及装置

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6715082B1 (en) * 1999-01-14 2004-03-30 Cisco Technology, Inc. Security server token caching
US7120691B2 (en) * 2002-03-15 2006-10-10 International Business Machines Corporation Secured and access controlled peer-to-peer resource sharing method and apparatus
CN102523490A (zh) * 2011-12-02 2012-06-27 深圳市同洲视讯传媒有限公司 一种订购产品的鉴权方法、鉴权装置及鉴权系统
CN104363211A (zh) * 2014-10-31 2015-02-18 北京思特奇信息技术股份有限公司 一种权限管理方法及系统
CN105306448A (zh) * 2015-09-22 2016-02-03 深圳前海华视移动互联有限公司 访问外网数据的方法、车载多媒体终端及其内核Netfilter模块
CN105245554B (zh) * 2015-11-24 2018-04-10 无锡江南计算技术研究所 一种云环境下的动态属性访问控制方法
CN105978774B (zh) * 2016-07-14 2019-06-07 杭州迪普科技股份有限公司 一种接入认证的方法和装置
CN106254528B (zh) * 2016-09-14 2019-12-06 北京佰才邦技术有限公司 一种资源下载方法和缓存设备

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070160198A1 (en) * 2005-11-18 2007-07-12 Security First Corporation Secure data parser method and system
WO2009094890A1 (fr) * 2008-01-29 2009-08-06 Huawei Technologies Co., Ltd. Procédé de programmation d'un service et système associé, appareil de programmation de services
CN103067911A (zh) * 2012-12-17 2013-04-24 中国联合网络通信集团有限公司 控制硬件模块使用的方法和设备
CN103888409A (zh) * 2012-12-19 2014-06-25 中国电信股份有限公司 分布式统一认证方法及系统
CN104484617A (zh) * 2014-12-05 2015-04-01 中国航空工业集团公司第六三一研究所 一种基于多策略融合的数据库访问控制方法
CN105357190A (zh) * 2015-10-26 2016-02-24 网宿科技股份有限公司 访问请求鉴权的方法及系统
CN106790262A (zh) * 2017-02-07 2017-05-31 腾讯科技(深圳)有限公司 一种鉴权方法及装置

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112752300A (zh) * 2020-12-29 2021-05-04 锐捷网络股份有限公司 本地分流的实现方法及装置
CN112752300B (zh) * 2020-12-29 2022-09-20 锐捷网络股份有限公司 本地分流的实现方法及装置

Also Published As

Publication number Publication date
CN106790262A (zh) 2017-05-31
CN106790262B (zh) 2022-02-11

Similar Documents

Publication Publication Date Title
WO2018145546A1 (fr) Procédé d'authentification, dispositif, et support de stockage
US10757106B2 (en) Resource access control method and device
US10878218B2 (en) Device fingerprinting, tracking, and management
US10229208B2 (en) Optimization of query execution
WO2018149292A1 (fr) Appareil et procédé de regroupement d'objets
US8413130B2 (en) System and method for self policing of authorized configuration by end points
JP6435398B2 (ja) 端末識別子を促進する方法及びシステム
US20140101117A1 (en) Methods and systems for managing records in an on-demand system
WO2015197008A1 (fr) Procédé et terminal d'authentification biométrique
US20250037132A1 (en) Trust platform
US20180077157A1 (en) Method and system for identifying user information in social network
JP3874593B2 (ja) コンピュータ識別装置
WO2017101761A1 (fr) Procédé de chargement d'un programme de commande, et serveur
CN110197075B (zh) 资源访问方法、装置、计算设备以及存储介质
BR112014018207B1 (pt) Método implementado por um roteador e dispositivo para adquirir informação de recurso
CN107515879B (zh) 用于文档检索的方法和电子设备
US10063564B2 (en) Identity authentication using multiple devices
US12019730B2 (en) Systems and methods for identifying computing devices
US20170257382A1 (en) Maintaining dynamic configuration information of a multi-host off-cluster service on a cluster
US10394816B2 (en) Detecting product lines within product search queries
WO2022143758A1 (fr) Procédé et appareil de désensibilisation de données et système de stockage
WO2021051569A1 (fr) Procédé et appareil d'isolation de données, dispositif informatique et support de stockage
WO2019052328A1 (fr) Procédé d'authentification pour compte anonyme, et serveur
CN107357632A (zh) 一种命令行解析方法及装置
US20210144123A1 (en) Serialization of firewall rules with user, device, and application correlation

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18751940

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18751940

Country of ref document: EP

Kind code of ref document: A1

点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载