[go: up one dir, main page]

CN109976914A - Method and apparatus for controlling resource access - Google Patents

Method and apparatus for controlling resource access Download PDF

Info

Publication number
CN109976914A
CN109976914A CN201910257142.9A CN201910257142A CN109976914A CN 109976914 A CN109976914 A CN 109976914A CN 201910257142 A CN201910257142 A CN 201910257142A CN 109976914 A CN109976914 A CN 109976914A
Authority
CN
China
Prior art keywords
information
identification information
access
resource
access request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910257142.9A
Other languages
Chinese (zh)
Inventor
江露
赵振华
查杨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd filed Critical Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201910257142.9A priority Critical patent/CN109976914A/en
Publication of CN109976914A publication Critical patent/CN109976914A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/50Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5027Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Automation & Control Theory (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

本申请实施例公开了用于控制资源访问的方法和装置。该方法的一具体实施方式包括:获取用户发送的访问请求,访问请求包括用户标识信息、资源标识信息;根据预先设置的资源标识信息与标签信息的关联关系,确定与访问请求包括的资源标识信息关联的标签信息;获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息的访问控制信息;根据所获取的访问控制信息确定是否拒绝访问请求。该实施方式提供了一种基于标签信息的访问控制机制,提高了控制资源访问的效率。

The embodiments of the present application disclose a method and an apparatus for controlling resource access. A specific implementation of the method includes: acquiring an access request sent by a user, where the access request includes user identification information and resource identification information; and determining the resource identification information included in the access request according to a preset association relationship between the resource identification information and the label information associated tag information; acquire access control information including the determined tag information in at least one set of preset access control information associated with the user identification information; determine whether to deny the access request according to the acquired access control information. This embodiment provides an access control mechanism based on tag information, which improves the efficiency of resource access control.

Description

用于控制资源访问的方法和装置Method and apparatus for controlling resource access

技术领域technical field

本申请实施例涉及计算机技术领域,尤其涉及用于控制资源访问的方法和装置。The embodiments of the present application relate to the field of computer technologies, and in particular, to a method and apparatus for controlling resource access.

背景技术Background technique

随着大中小企业等用户群体的庞大及其业务的复杂,其对互联网主机应用的需求日益增加,用户在采用传统的服务器时,由于成本、运营商选择等诸多因素,不得不面对各种棘手的问题。云服务器由于具有集中化的远程管理平台、多级业务备份、快速的业务部署与配置、规模的弹性扩展能力等有点,能够有效地解决传统服务器的缺陷。With the huge number of user groups such as large and medium-sized enterprises and their complex services, their demand for Internet host applications is increasing. When users use traditional servers, due to many factors such as cost and operator selection, they have to face various Tough question. Due to its centralized remote management platform, multi-level business backup, fast business deployment and configuration, and elastic scalability of scale, cloud servers can effectively solve the shortcomings of traditional servers.

私有云环境下有两种租户模型:单租户、多租户。单租户场景下,所有公司的员工都是租户下的子用户,通过给每个子用户分配不同的角色和权限来控制子用户对资源的使用。由于整个私有云的资源都在一个租户中,资源数量较多。There are two tenant models in a private cloud environment: single-tenancy and multi-tenancy. In a single-tenant scenario, all employees of the company are sub-users under the tenant, and the use of resources by sub-users is controlled by assigning different roles and permissions to each sub-user. Since the resources of the entire private cloud are in one tenant, the number of resources is large.

发明内容SUMMARY OF THE INVENTION

本申请实施例提出了用于控制资源访问的方法和装置。The embodiments of the present application propose a method and apparatus for controlling resource access.

第一方面,本申请的一些实施例提供了一种用于控制资源访问的方法,该方法包括:获取用户发送的访问请求,访问请求包括用户标识信息、资源标识信息;根据预先设置的资源标识信息与标签信息的关联关系,确定与访问请求包括的资源标识信息关联的标签信息;获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息的访问控制信息;根据所获取的访问控制信息确定是否拒绝访问请求。In a first aspect, some embodiments of the present application provide a method for controlling resource access, the method comprising: acquiring an access request sent by a user, where the access request includes user identification information and resource identification information; The association relationship between the information and the label information, determine the label information associated with the resource identification information included in the access request; obtain the access control information that includes the determined label information in at least one set of access control information associated with the user identification information that is preset; Determine whether to deny the access request according to the obtained access control information.

在一些实施例中,访问控制信息还包括第一操作标识信息;以及根据所获取的访问控制信息确定是否拒绝访问请求,包括:获取访问请求中包括的第二操作标识信息;根据第二操作标识信息与所获取的访问控制信息包括的第一操作标识信息是否匹配确定是否拒绝访问请求。In some embodiments, the access control information further includes first operation identification information; and determining whether to deny the access request according to the obtained access control information includes: obtaining second operation identification information included in the access request; according to the second operation identification Whether the information matches the first operation identification information included in the acquired access control information determines whether to deny the access request.

在一些实施例中,访问控制信息包括指示是否拒绝访问请求的指示信息;以及根据所获取的访问控制信息确定是否拒绝访问请求,包括:根据所获取的访问控制信息包括的指示信息确定是否拒绝访问请求。In some embodiments, the access control information includes indication information indicating whether to deny the access request; and determining whether to deny the access request according to the acquired access control information includes: determining whether to deny the access according to the indication information included in the acquired access control information ask.

在一些实施例中,资源标识信息包括以下至少一项:资源标识符、资源所属产品的信息、资源所在区域的信息。In some embodiments, the resource identification information includes at least one of the following: a resource identifier, information about a product to which the resource belongs, and information about a region where the resource is located.

在一些实施例中,获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息的访问控制信息,包括:获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息或访问请求包括的资源标识信息的访问控制信息。In some embodiments, acquiring at least one set of preset access control information associated with the user identification information includes the determined tag information in the access control information, comprising: acquiring at least one preset set of access control information associated with the user identification information The control information includes the determined tag information or the access control information of the resource identification information included in the access request.

在一些实施例中,获取用户发送的访问请求,包括:在权限验证的方法和/或处理请求地址映射的方法中通过预先定义的切面拦截用户发送的访问请求;在切面中通过反射机制获取访问请求中预先定义的字段。In some embodiments, acquiring the access request sent by the user includes: intercepting the access request sent by the user through a predefined aspect in the method for authorization verification and/or the method for processing request address mapping; acquiring the access request through a reflection mechanism in the aspect Predefined fields in the request.

在一些实施例中,预先定义的字段包括操作标识信息字段和资源标识符字段;以及在切面中通过反射机制获取访问请求中预先定义的字段,包括:响应于获取到操作标识信息字段指示请求的操作类型为创建类操作,将资源标识符字段的值设置为预设字符。In some embodiments, the predefined fields include an operation identification information field and a resource identifier field; and obtaining the predefined fields in the access request through a reflection mechanism in the aspect includes: in response to obtaining the operation identification information field indicating the request The operation type is a create class operation, and the value of the resource identifier field is set to a preset character.

第二方面,本申请的一些实施例提供了一种用于控制资源访问的装置,该装置包括:第一获取单元,被配置成获取用户发送的访问请求,访问请求包括用户标识信息、资源标识信息;第一确定单元,被配置成根据预先设置的资源标识信息与标签信息的关联关系,确定与访问请求包括的资源标识信息关联的标签信息;第二获取单元,被配置成获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息的访问控制信息;第二确定单元,被配置成根据所获取的访问控制信息确定是否拒绝访问请求。In a second aspect, some embodiments of the present application provide an apparatus for controlling resource access, the apparatus includes: a first obtaining unit configured to obtain an access request sent by a user, where the access request includes user identification information, resource identification information; the first determining unit is configured to determine the label information associated with the resource identification information included in the access request according to the preset association relationship between the resource identification information and the label information; the second obtaining unit is configured to obtain the preset resource identification information. The at least one group of access control information associated with the user identification information includes the determined access control information of the tag information; the second determining unit is configured to determine whether to deny the access request according to the acquired access control information.

在一些实施例中,访问控制信息还包括第一操作标识信息;以及第二确定单元,包括:第一获取子单元,被配置成获取访问请求中包括的第二操作标识信息;第一确定子单元,被配置成根据第二操作标识信息与所获取的访问控制信息包括的第一操作标识信息是否匹配确定是否拒绝访问请求。In some embodiments, the access control information further includes first operation identification information; and a second determination unit, including: a first acquisition subunit configured to acquire the second operation identification information included in the access request; the first determination subunit The unit is configured to determine whether to reject the access request according to whether the second operation identification information matches with the first operation identification information included in the obtained access control information.

在一些实施例中,其中,访问控制信息包括指示是否拒绝访问请求的指示信息;以及第二确定单元,包括:第二确定子单元,被配置成根据所获取的访问控制信息包括的指示信息确定是否拒绝访问请求。In some embodiments, the access control information includes indication information indicating whether to deny the access request; and the second determination unit includes: a second determination subunit configured to determine according to the indication information included in the acquired access control information Whether to deny access requests.

在一些实施例中,资源标识信息包括以下至少一项:资源标识符、资源所属产品的信息、资源所在区域的信息。In some embodiments, the resource identification information includes at least one of the following: a resource identifier, information about a product to which the resource belongs, and information about a region where the resource is located.

在一些实施例中,第二获取单元,包括:第二获取子单元,被配置成获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息或访问请求包括的资源标识信息的访问控制信息。In some embodiments, the second obtaining unit includes: a second obtaining subunit, configured to obtain at least one set of preset access control information associated with the user identification information, including the determined tag information or the information included in the access request. Access control information for resource identification information.

在一些实施例中,第一获取单元,包括:拦截子单元,被配置成在权限验证的装置和/或处理请求地址映射的方法中通过预先定义的切面拦截用户发送的访问请求;第三获取子单元,被配置成在切面中通过反射机制获取访问请求中预先定义的字段。In some embodiments, the first obtaining unit includes: an intercepting subunit, configured to intercept the access request sent by the user through a predefined aspect in the permission verification apparatus and/or the method for processing request address mapping; the third obtaining The subunit is configured to obtain the predefined fields in the access request through the reflection mechanism in the aspect.

在一些实施例中,预先定义的字段包括操作标识信息字段和资源标识符字段;以及第三获取子单元,进一步被配置成:响应于获取到操作标识信息字段指示请求的操作类型为创建类操作,将资源标识符字段的值设置为预设字符。In some embodiments, the predefined fields include an operation identification information field and a resource identifier field; and a third obtaining subunit is further configured to: in response to obtaining the operation identification information field, indicating that the requested operation type is a create class operation , set the value of the resource identifier field to the default character.

第三方面,本申请的一些实施例提供了一种设备,包括:一个或多个处理器;存储装置,其上存储有一个或多个程序,当上述一个或多个程序被上述一个或多个处理器执行,使得上述一个或多个处理器实现如第一方面上述的方法。In a third aspect, some embodiments of the present application provide a device, including: one or more processors; a storage device on which one or more programs are stored, when the one or more programs are stored by the one or more programs described above Execution by the plurality of processors causes the above-mentioned one or more processors to implement the method as described above in the first aspect.

第四方面,本申请的一些实施例提供了一种计算机可读介质,其上存储有计算机程序,该程序被处理器执行时实现如第一方面上述的方法。In a fourth aspect, some embodiments of the present application provide a computer-readable medium on which a computer program is stored, and when the program is executed by a processor, implements the method as described in the first aspect.

本申请实施例提供的用于控制资源访问的方法和装置,通过获取用户发送的访问请求,并根据预先设置的资源标识信息与标签信息的关联关系,确定与访问请求包括的资源标识信息关联的标签信息,而后获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息的访问控制信息,最后根据所获取的访问控制信息确定是否拒绝访问请求,提供了一种基于标签信息的访问控制机制,提高了控制资源访问的效率。The method and device for controlling resource access provided by the embodiments of the present application determine the resource identification information associated with the resource identification information included in the access request by acquiring the access request sent by the user, and according to the preset association relationship between the resource identification information and the label information. Label information, then obtain the access control information including the determined label information in at least one set of access control information that is preset and associated with the user identification information, and finally determine whether to reject the access request according to the obtained access control information. The access control mechanism based on tag information improves the efficiency of controlling resource access.

附图说明Description of drawings

通过阅读参照以下附图所作的对非限制性实施例所作的详细描述,本申请的其它特征、目的和优点将会变得更明显:Other features, objects and advantages of the present application will become more apparent by reading the detailed description of non-limiting embodiments made with reference to the following drawings:

图1是本申请的一些可以应用于其中的示例性系统架构图;Fig. 1 is some exemplary system architecture diagrams in which the present application can be applied;

图2是根据本申请的用于控制资源访问的方法的一个实施例的流程图;FIG. 2 is a flowchart of one embodiment of a method for controlling resource access according to the present application;

图3是根据本申请的用于控制资源访问的方法的应用场景的一个示意图;3 is a schematic diagram of an application scenario of the method for controlling resource access according to the present application;

图4是根据本申请的用于控制资源访问的方法的又一个实施例的流程图;FIG. 4 is a flowchart of yet another embodiment of a method for controlling resource access according to the present application;

图5是根据本申请的用于控制资源访问的装置的一个实施例的结构示意图;5 is a schematic structural diagram of an embodiment of an apparatus for controlling resource access according to the present application;

图6是适于用来实现本申请的一些实施例的服务器或终端的计算机系统的结构示意图。FIG. 6 is a schematic structural diagram of a computer system suitable for implementing a server or terminal of some embodiments of the present application.

具体实施方式Detailed ways

下面结合附图和实施例对本申请作进一步的详细说明。可以理解的是,此处所描述的具体实施例仅仅用于解释相关发明,而非对该发明的限定。另外还需要说明的是,为了便于描述,附图中仅示出了与有关发明相关的部分。The present application will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are only used to explain the related invention, but not to limit the invention. In addition, it should be noted that, for the convenience of description, only the parts related to the related invention are shown in the drawings.

需要说明的是,在不冲突的情况下,本申请中的实施例及实施例中的特征可以相互组合。下面将参考附图并结合实施例来详细说明本申请。It should be noted that the embodiments in the present application and the features of the embodiments may be combined with each other in the case of no conflict. The present application will be described in detail below with reference to the accompanying drawings and in conjunction with the embodiments.

图1示出了可以应用本申请的用于控制资源访问的方法或用于控制资源访问的装置的实施例的示例性系统架构100。FIG. 1 illustrates an exemplary system architecture 100 to which embodiments of the method or apparatus for controlling resource access of the present application may be applied.

如图1所示,系统架构100可以包括终端设备101、102、103,网络104和服务器105。网络104用以在终端设备101、102、103和服务器105之间提供通信链路的介质。网络104可以包括各种连接类型,例如有线、无线通信链路或者光纤电缆等等。As shown in FIG. 1 , the system architecture 100 may include terminal devices 101 , 102 , and 103 , a network 104 and a server 105 . The network 104 is a medium used to provide a communication link between the terminal devices 101 , 102 , 103 and the server 105 . The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.

用户可以使用终端设备101、102、103通过网络104与服务器105交互,以接收或发送消息等。终端设备101、102、103上可以安装有各种客户端应用,例如云服务类应用、数据管理类应用、图像处理类应用、电子商务类应用、搜索类应用等。The user can use the terminal devices 101, 102, 103 to interact with the server 105 through the network 104 to receive or send messages and the like. Various client applications may be installed on the terminal devices 101 , 102 and 103 , such as cloud service applications, data management applications, image processing applications, e-commerce applications, and search applications.

终端设备101、102、103可以是硬件,也可以是软件。当终端设备101、102、103为硬件时,可以是具有显示屏的各种电子设备,包括但不限于智能手机、平板电脑、膝上型便携计算机和台式计算机等等。当终端设备101、102、103为软件时,可以安装在上述所列举的电子设备中。其可以实现成多个软件或软件模块,也可以实现成单个软件或软件模块。在此不做具体限定。终端设备101、102、103可以获取用户通过其他设备发送的访问请求,访问请求包括用户标识信息、资源标识信息;根据预先设置的资源标识信息与标签信息的关联关系,确定与访问请求包括的资源标识信息关联的标签信息;获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息的访问控制信息;根据所获取的访问控制信息确定是否拒绝访问请求。The terminal devices 101, 102, and 103 may be hardware or software. When the terminal devices 101, 102, and 103 are hardware, they can be various electronic devices with display screens, including but not limited to smart phones, tablet computers, laptop computers, desktop computers, and the like. When the terminal devices 101, 102, and 103 are software, they can be installed in the electronic devices listed above. It can be implemented as a plurality of software or software modules, and can also be implemented as a single software or software module. There is no specific limitation here. The terminal devices 101, 102, and 103 can obtain the access request sent by the user through other devices, and the access request includes the user identification information and the resource identification information; according to the preset association relationship between the resource identification information and the label information, determine the resources included in the access request. label information associated with the identification information; obtain access control information including the determined label information in at least one set of access control information associated with the user identification information preset; determine whether to deny the access request according to the obtained access control information.

服务器105可以是提供各种服务的服务器,例如对终端设备101、102、103上安装的应用提供支持的后台服务器,服务器105可以获取用户通过终端设备101、102、103发送的访问请求,访问请求包括用户标识信息、资源标识信息;根据预先设置的资源标识信息与标签信息的关联关系,确定与访问请求包括的资源标识信息关联的标签信息;获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息的访问控制信息;根据所获取的访问控制信息确定是否拒绝访问请求。The server 105 can be a server that provides various services, such as a background server that provides support for applications installed on the terminal devices 101, 102, and 103. The server 105 can obtain the access requests sent by the users through the terminal devices 101, 102, and 103. Including user identification information and resource identification information; according to the preset association relationship between the resource identification information and the label information, determine the label information associated with the resource identification information included in the access request; obtain at least one preset set associated with the user identification information. The access control information includes the determined access control information of the label information; whether to deny the access request is determined according to the acquired access control information.

需要说明的是,本申请实施例所提供的用于控制资源访问的方法可以由服务器105执行,也可以由终端设备101、102、103执行,相应地,用于控制资源访问的装置可以设置于服务器105中,也可以设置于终端设备101、102、103中。It should be noted that the method for controlling resource access provided by the embodiments of the present application may be executed by the server 105, or may be executed by the terminal devices 101, 102, and 103. Correspondingly, the means for controlling resource access may be set in The server 105 may also be installed in the terminal devices 101 , 102 and 103 .

需要说明的是,服务器可以是硬件,也可以是软件。当服务器为硬件时,可以实现成多个服务器组成的分布式服务器集群,也可以实现成单个服务器。当服务器为软件时,可以实现成多个软件或软件模块(例如用来提供分布式服务),也可以实现成单个软件或软件模块。在此不做具体限定。It should be noted that the server may be hardware or software. When the server is hardware, it can be implemented as a distributed server cluster composed of multiple servers, or can be implemented as a single server. When the server is software, it can be implemented as a plurality of software or software modules (for example, for providing distributed services), or it can be implemented as a single software or software module. There is no specific limitation here.

应该理解,图1中的终端设备、网络和服务器的数目仅仅是示意性的。根据实现需要,可以具有任意数目的终端设备、网络和服务器。It should be understood that the numbers of terminal devices, networks and servers in FIG. 1 are merely illustrative. There can be any number of terminal devices, networks and servers according to implementation needs.

继续参考图2,示出了根据本申请的用于控制资源访问的方法的一个实施例的流程200。该用于控制资源访问的方法,包括以下步骤:Continuing to refer to FIG. 2, a flow 200 of one embodiment of a method for controlling resource access according to the present application is shown. The method for controlling resource access includes the following steps:

步骤201,获取用户发送的访问请求。Step 201: Obtain an access request sent by a user.

在本实施例中,用于控制资源访问的方法执行主体(例如图1所示的服务器或终端)可以首先获取用户发送的访问请求,访问请求包括用户标识信息、资源标识信息。用户标识信息可以包括任何可以标识用户的信息,例如用户ID,用户ID的生成规则可以根据实际需要进行设置。资源标识信息可以包括任何可以标识资源的信息,例如资源ID,资源ID的生成规则可以根据实际需要进行设置。In this embodiment, the method execution body for controlling resource access (for example, the server or terminal shown in FIG. 1 ) may first obtain an access request sent by a user, where the access request includes user identification information and resource identification information. The user identification information may include any information that can identify the user, such as a user ID, and the generation rule of the user ID may be set according to actual needs. The resource identification information can include any information that can identify a resource, such as a resource ID, and the resource ID generation rule can be set according to actual needs.

在本实施例的一些可选实现方式中,资源标识信息包括以下至少一项:资源标识符、资源所属产品的信息、资源所在区域的信息。资源标识符可以用于标识具体的资源,资源所属产品的信息可以包括指示资源哪个云产品的业务的信息,资源所在区域的信息可以包括资源所在区域(region)的名称或地址等。In some optional implementations of this embodiment, the resource identification information includes at least one of the following: a resource identifier, information about a product to which the resource belongs, and information about a region where the resource is located. The resource identifier may be used to identify a specific resource, the information of the product to which the resource belongs may include information indicating which cloud product the resource is in, and the information of the region where the resource is located may include the name or address of the region where the resource is located.

在本实施例的一些可选实现方式中,获取用户发送的访问请求,包括:在权限验证的方法和/或处理请求地址映射的方法中通过预先定义的切面拦截用户发送的访问请求;在切面中通过反射机制获取访问请求中预先定义的字段。上述执行主体可以通过定义方法级注解,例如@RequestMapping(权限验证)、@PermissionVertify(处理请求地址映射)和一个切面,在所有@RequestMapping和@PermissionVertify注解的方法上进行方法拦截。反射机制指的是程序在运行时能够获取自身的信息。例如在java中,只要给定类的名字,那么就可以通过反射机制来获得类的所有信息。在以上被拦截的操作接口的方法参数上可以加一个被配置成标识方法的参数注解,如果参数是一个对象,可以指定资源ID的字段名。以此,用户通过控制台或API(Application Programming Interface,应用程序编程接口)访问相应业务模块的时候,请求到达接口之后,会有一个切面拦截用户的访问请求,从访问请求中获取相关信息。In some optional implementations of this embodiment, acquiring the access request sent by the user includes: intercepting the access request sent by the user through a pre-defined aspect in the method for authorization verification and/or the method for processing request address mapping; Obtain the predefined fields in the access request through the reflection mechanism. The above execution body can perform method interception on all @RequestMapping and @PermissionVertify annotated methods by defining method-level annotations, such as @RequestMapping (permission verification), @PermissionVertify (processing request address mapping), and an aspect. The reflection mechanism refers to the fact that the program can obtain its own information at runtime. For example, in java, as long as the name of the class is given, all the information of the class can be obtained through the reflection mechanism. A parameter annotation configured to identify the method can be added to the method parameter of the above intercepted operation interface. If the parameter is an object, the field name of the resource ID can be specified. In this way, when the user accesses the corresponding business module through the console or API (Application Programming Interface), after the request reaches the interface, there will be an aspect to intercept the user's access request and obtain relevant information from the access request.

在本实施例的一些可选实现方式中,预先定义的字段包括操作标识信息字段和资源标识符字段;以及在切面中通过反射机制获取访问请求中预先定义的字段,包括:响应于获取到操作标识信息字段指示请求的操作类型为创建类操作,将资源标识符字段的值设置为预设字符。字符可以根据实际需要进行设置,例如可以使用“*”号。In some optional implementations of this embodiment, the predefined fields include an operation identification information field and a resource identifier field; and obtaining the predefined fields in the access request through a reflection mechanism in the aspect includes: in response to obtaining the operation The identification information field indicates that the requested operation type is a create class operation, and the value of the resource identifier field is set to a preset character. Characters can be set according to actual needs, for example, "*" can be used.

步骤202,根据预先设置的资源标识信息与标签信息的关联关系,确定与访问请求包括的资源标识信息关联的标签信息。Step 202: Determine the tag information associated with the resource identification information included in the access request according to the preset association relationship between the resource identification information and the tag information.

在本实施例中,上述执行主体可以根据预先设置的资源标识信息与标签信息的关联关系,确定与步骤201中获取的访问请求包括的资源标识信息关联的标签信息,标签信息可以是一个全局信息,不分区域,不分项目的全局概念,可以是一个键/值对表示的唯一标识,一个资源可以关联多个标签信息。资源标识信息与标签信息的关联关系可以是用户通过控制台建立的,通过标签信息进行权限管理,相对于单独对某个资源进行授权,可以达到批量授权的效果,很大程度减少用户的操作压力;在基于项目授权的场景下,通过标签信息进行权限管理,可以起到单纯项目管理无法达到的灵活性,如跨项目的资源访问权限控制,对于普通的基于角色的访问控制,可以更精细的实现资源的访问控制。In this embodiment, the above-mentioned execution body may determine the tag information associated with the resource identification information included in the access request obtained in step 201 according to the preset association relationship between the resource identification information and the tag information, and the tag information may be a global information , a global concept regardless of region or project, which can be a unique identifier represented by a key/value pair, and a resource can be associated with multiple tag information. The relationship between resource identification information and tag information can be established by the user through the console. Permission management is performed through the tag information. Compared with authorizing a resource alone, it can achieve the effect of batch authorization and greatly reduce the operating pressure of the user. ; In the scenario based on project authorization, permission management through tag information can achieve flexibility that cannot be achieved by simple project management, such as cross-project resource access permission control, and for ordinary role-based access control, it can be more refined. Implement access control for resources.

步骤203,获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息的访问控制信息。Step 203: Acquire access control information including the determined tag information in at least one set of preset access control information associated with the user identification information.

在本实施例中,上述执行主体可以获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括步骤202中确定出的标签信息的访问控制信息。用户可以通过IAM(Identity and Access Management,身份识别与访问管理)创建子用户,同时创建一个基于标签信息的访问控制策略,然后为用户关联一个或多个访问控制策略,一个访问控制策略可以包括一组访问控制信息。In this embodiment, the above-mentioned execution subject may acquire the access control information including the tag information determined in step 202 in at least one set of preset access control information associated with the user identification information. Users can create sub-users through IAM (Identity and Access Management), create an access control policy based on tag information, and then associate one or more access control policies for users. An access control policy can include an access control policy. Group access control information.

在本实施例的一些可选实现方式中,获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息的访问控制信息,包括:获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息或访问请求包括的资源标识信息的访问控制信息。在本实现方式中,同时通过标签信息与资源标识信息进行权限管理,进一步丰富了资源访问控制方法。In some optional implementation manners of this embodiment, acquiring the access control information including the determined tag information in at least one set of access control information that is preset and associated with the user identification information includes: acquiring preset information related to the user identification information. The associated at least one set of access control information includes the determined tag information or the access control information of the resource identification information included in the access request. In this implementation manner, the rights management is performed through the label information and the resource identification information at the same time, which further enriches the resource access control method.

步骤204,根据所获取的访问控制信息确定是否拒绝访问请求。Step 204: Determine whether to deny the access request according to the acquired access control information.

在本实施例中,上述执行主体可以根据步骤203中获取的访问控制信息确定是否拒绝访问请求。上述执行主体可以响应于获取到了预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息的访问控制信息,拒绝或允许该访问请求,也可以响应于获取到的预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息的访问控制信息为空,拒绝或允许该访问请求,具体的规则可以根据用户需要进行设置。IAM可以将是否拒绝访问请求的鉴权结果返回给业务端。In this embodiment, the above-mentioned execution subject may determine whether to deny the access request according to the access control information obtained in step 203 . The above-mentioned execution body may deny or allow the access request in response to acquiring at least one set of preset access control information associated with the user identification information that includes the determined tag information. The set at least one set of access control information associated with the user identification information includes the determined access control information of the label information is empty, the access request is denied or allowed, and specific rules can be set according to user needs. The IAM can return the authentication result of whether to deny the access request to the service end.

在本实施例的一些可选实现方式中,访问控制信息包括指示是否拒绝访问请求的指示信息;以及根据所获取的访问控制信息确定是否拒绝访问请求,包括:根据所获取的访问控制信息包括的指示信息确定是否拒绝访问请求。例如,访问控制信息中可以包括Allow(允许)或Deny(拒绝),用于指定符合此策略控制的资源是允许访问,还是不允许访问。In some optional implementation manners of this embodiment, the access control information includes indication information indicating whether to deny the access request; and determining whether to deny the access request according to the obtained access control information includes: according to the obtained access control information, including: Indicates whether to deny the access request. For example, the access control information can include Allow (allow) or Deny (deny), which is used to specify whether the resources that meet this policy control are allowed to access or not allowed to access.

继续参见图3,图3是根据本实施例的用于控制资源访问的方法的应用场景的一个示意图。在图3的应用场景中,服务器301获取用户通过设备302发送的访问请求303,访问请求303包括用户标识信息、资源标识信息,服务器301根据预先设置的资源标识信息与标签信息的关联关系,确定与访问请求303包括的资源标识信息关联的标签信息304,而后服务器301获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息的访问控制信息305,最后根据所获取的访问控制信息305确定拒绝访问请求的结果306。Continue to refer to FIG. 3 , which is a schematic diagram of an application scenario of the method for controlling resource access according to this embodiment. In the application scenario of FIG. 3, the server 301 obtains the access request 303 sent by the user through the device 302, and the access request 303 includes the user identification information and the resource identification information. The tag information 304 associated with the resource identification information included in the access request 303, and then the server 301 acquires the access control information 305 that includes the determined tag information in at least one set of access control information preset and associated with the user identification information, and finally according to the The obtained access control information 305 determines the result 306 of denying the access request.

本申请的上述实施例提供的方法通过获取用户发送的访问请求,访问请求包括用户标识信息、资源标识信息;根据预先设置的资源标识信息与标签信息的关联关系,确定与访问请求包括的资源标识信息关联的标签信息;获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息的访问控制信息;根据所获取的访问控制信息确定是否拒绝访问请求,提供了一种基于标签信息的访问控制机制,提高了控制资源访问的效率。The method provided by the above-mentioned embodiments of the present application obtains the access request sent by the user, and the access request includes the user identification information and the resource identification information; according to the preset association relationship between the resource identification information and the label information, the resource identification included in the access request is determined. tag information associated with the information; obtain access control information that includes the determined tag information in at least one set of access control information that is preset and associated with the user identification information; determine whether to deny the access request according to the acquired access control information, and provide a An access control mechanism based on tag information improves the efficiency of controlling resource access.

进一步参考图4,其示出了用于控制资源访问的方法的又一个实施例的流程400。该用于控制资源访问的方法的流程400,包括以下步骤:With further reference to Figure 4, a flow 400 of yet another embodiment of a method for controlling resource access is shown. The process 400 of the method for controlling resource access includes the following steps:

步骤401,获取用户发送的访问请求。Step 401: Obtain an access request sent by a user.

在本实施例中,用于控制资源访问的方法执行主体(例如图1所示的服务器或终端)可以首先获取用户发送的访问请求,访问请求包括用户标识信息、资源标识信息。In this embodiment, the method execution body for controlling resource access (for example, the server or terminal shown in FIG. 1 ) may first obtain an access request sent by a user, where the access request includes user identification information and resource identification information.

步骤402,根据预先设置的资源标识信息与标签信息的关联关系,确定与访问请求包括的资源标识信息关联的标签信息。Step 402 , according to the preset association relationship between the resource identification information and the label information, determine the label information associated with the resource identification information included in the access request.

在本实施例中,上述执行主体可以根据预先设置的资源标识信息与标签信息的关联关系,确定与步骤401中获取的访问请求包括的资源标识信息关联的标签信息。In this embodiment, the above-mentioned execution subject may determine the tag information associated with the resource identification information included in the access request obtained in step 401 according to the preset association relationship between the resource identification information and the tag information.

步骤403,获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息的访问控制信息。Step 403: Acquire access control information including the determined tag information in at least one set of preset access control information associated with the user identification information.

在本实施例中,上述执行主体可以获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括步骤402中确定出的标签信息的访问控制信息。In this embodiment, the above-mentioned execution subject may acquire the access control information including the tag information determined in step 402 in at least one set of preset access control information associated with the user identification information.

步骤404,获取访问请求中包括的第二操作标识信息。Step 404: Obtain the second operation identification information included in the access request.

在本实施例中,上述执行主体可以获取访问请求中包括的第二操作标识信息。操作标识信息可以指示操作类型,作为示例,可以包括重启虚拟机(RebootVM)、创建虚拟机(CreateVM)、获取虚拟机列表(ListVM)。In this embodiment, the above-mentioned execution subject may acquire the second operation identification information included in the access request. The operation identification information may indicate an operation type, and as examples, may include restarting a virtual machine (RebootVM), creating a virtual machine (CreateVM), and obtaining a list of virtual machines (ListVM).

步骤405,根据第二操作标识信息与所获取的访问控制信息包括的第一操作标识信息是否匹配确定是否拒绝访问请求。Step 405: Determine whether to reject the access request according to whether the second operation identification information matches the first operation identification information included in the obtained access control information.

在本实施例中,上述执行主体可以根据步骤404中获取的第二操作标识信息与所获取的访问控制信息包括的第一操作标识信息是否匹配确定是否拒绝访问请求。第二操作标识信息与第一操作标识信息是否匹配可以包括第二操作标识信息与第一操作标识信息指示的操作类型是否相符,例如,指示的操作类型均为重启虚拟机,则匹配。In this embodiment, the above-mentioned execution subject may determine whether to reject the access request according to whether the second operation identification information obtained in step 404 matches the first operation identification information included in the obtained access control information. Whether the second operation identification information matches the first operation identification information may include whether the second operation identification information matches the operation type indicated by the first operation identification information, for example, if the indicated operation type is restarting the virtual machine, it matches.

在本实施例中,步骤401、步骤402、步骤403的操作与步骤201、步骤202、步骤203的操作基本相同,在此不再赘述。In this embodiment, the operations of step 401 , step 402 , and step 403 are basically the same as those of step 201 , step 202 , and step 203 , which will not be repeated here.

从图4中可以看出,与图2对应的实施例相比,本实施例中的用于控制资源访问的方法的流程400中在确定是否拒绝访问请求时,进一步对访问请求中包括的操作标识信息与访问控制信息包括的操作标识信息进行了匹配,由此,本实施例描述的方案中对资源访问的控制更加精准。As can be seen from FIG. 4 , compared with the embodiment corresponding to FIG. 2 , in the process 400 of the method for controlling resource access in this embodiment, when determining whether to deny the access request, the operations included in the access request are further processed. The identification information is matched with the operation identification information included in the access control information, so that the resource access control in the solution described in this embodiment is more precise.

进一步参考图5,作为对上述各图所示方法的实现,本申请提供了一种用于控制资源访问的装置的一个实施例,该装置实施例与图2所示的方法实施例相对应,该装置具体可以应用于各种电子设备中。Further referring to FIG. 5 , as an implementation of the methods shown in the above figures, the present application provides an embodiment of an apparatus for controlling resource access, and the apparatus embodiment corresponds to the method embodiment shown in FIG. 2 , Specifically, the device can be applied to various electronic devices.

如图5所示,本实施例的用于控制资源访问的装置500包括:第一获取单元501、第一确定单元502、第二获取单元503和第二确定单元504。其中,第一获取单元,被配置成获取用户发送的访问请求,访问请求包括用户标识信息、资源标识信息;第一确定单元,被配置成根据预先设置的资源标识信息与标签信息的关联关系,确定与访问请求包括的资源标识信息关联的标签信息;第二获取单元,被配置成获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息的访问控制信息;第二确定单元,被配置成根据所获取的访问控制信息确定是否拒绝访问请求。As shown in FIG. 5 , the apparatus 500 for controlling resource access in this embodiment includes: a first obtaining unit 501 , a first determining unit 502 , a second obtaining unit 503 and a second determining unit 504 . Wherein, the first obtaining unit is configured to obtain the access request sent by the user, and the access request includes user identification information and resource identification information; determining the tag information associated with the resource identification information included in the access request; the second acquiring unit is configured to acquire the access control information that includes the determined tag information in at least one set of preset access control information associated with the user identification information; The second determination unit is configured to determine whether to deny the access request according to the acquired access control information.

在本实施例中,用于控制资源访问的装置500的第一获取单元501、第一确定单元502、第二获取单元503和第二确定单元504的具体处理可以参考图2对应实施例中的步骤201、步骤202、步骤203和步骤204。In this embodiment, for specific processing of the first obtaining unit 501 , the first determining unit 502 , the second obtaining unit 503 and the second determining unit 504 of the apparatus 500 for controlling resource access, reference may be made to the corresponding embodiments in FIG. 2 . Step 201 , Step 202 , Step 203 and Step 204 .

在本实施例的一些可选实现方式中,访问控制信息还包括第一操作标识信息;以及第二确定单元,包括:第一获取子单元,被配置成获取访问请求中包括的第二操作标识信息;第一确定子单元,被配置成根据第二操作标识信息与所获取的访问控制信息包括的第一操作标识信息是否匹配确定是否拒绝访问请求。In some optional implementations of this embodiment, the access control information further includes first operation identification information; and a second determining unit includes: a first obtaining subunit configured to obtain the second operation identification included in the access request information; a first determination subunit configured to determine whether to reject the access request according to whether the second operation identification information matches the first operation identification information included in the obtained access control information.

在本实施例的一些可选实现方式中,其中,访问控制信息包括指示是否拒绝访问请求的指示信息;以及第二确定单元,包括:第二确定子单元,被配置成根据所获取的访问控制信息包括的指示信息确定是否拒绝访问请求。In some optional implementation manners of this embodiment, the access control information includes indication information indicating whether to deny the access request; and the second determination unit includes: a second determination subunit configured to be configured according to the acquired access control The information includes indication information to determine whether to deny the access request.

在本实施例的一些可选实现方式中,资源标识信息包括以下至少一项:资源标识符、资源所属产品的信息、资源所在区域的信息。In some optional implementations of this embodiment, the resource identification information includes at least one of the following: a resource identifier, information about a product to which the resource belongs, and information about a region where the resource is located.

在本实施例的一些可选实现方式中,第二获取单元,包括:第二获取子单元,被配置成获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息或访问请求包括的资源标识信息的访问控制信息。In some optional implementations of this embodiment, the second obtaining unit includes: a second obtaining subunit, configured to obtain a preset at least one set of access control information associated with the user identification information including the determined tag Information or access control information for resource identification information included in an access request.

在本实施例的一些可选实现方式中,第一获取单元,包括:拦截子单元,被配置成在权限验证的装置和/或处理请求地址映射的方法中通过预先定义的切面拦截用户发送的访问请求;第三获取子单元,被配置成在切面中通过反射机制获取访问请求中预先定义的字段。In some optional implementations of this embodiment, the first obtaining unit includes: an intercepting subunit, configured to intercept the data sent by the user through a predefined aspect in the permission verification apparatus and/or the method for processing request address mapping. The access request; the third obtaining subunit is configured to obtain the pre-defined fields in the access request through the reflection mechanism in the aspect.

在本实施例的一些可选实现方式中,预先定义的字段包括操作标识信息字段和资源标识符字段;以及第三获取子单元,进一步被配置成:响应于获取到操作标识信息字段指示请求的操作类型为创建类操作,将资源标识符字段的值设置为预设字符。In some optional implementations of this embodiment, the predefined fields include an operation identification information field and a resource identifier field; and a third obtaining subunit is further configured to: in response to obtaining the operation identification information field indicating that the requested The operation type is a create class operation, and the value of the resource identifier field is set to a preset character.

本申请的上述实施例提供的装置,通过获取用户发送的访问请求,访问请求包括用户标识信息、资源标识信息;根据预先设置的资源标识信息与标签信息的关联关系,确定与访问请求包括的资源标识信息关联的标签信息;获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息的访问控制信息;根据所获取的访问控制信息确定是否拒绝访问请求,提供了一种基于标签信息的访问控制机制,提高了控制资源访问的效率。The device provided by the above-mentioned embodiments of the present application acquires the access request sent by the user, where the access request includes the user identification information and the resource identification information; according to the preset association relationship between the resource identification information and the label information, the resources included in the access request are determined. Label information associated with identification information; obtain access control information that includes the determined label information in at least one set of access control information that is preset and associated with the user identification information; determine whether to deny the access request according to the obtained access control information, and provide An access control mechanism based on tag information improves the efficiency of controlling resource access.

下面参考图6,其示出了适于用来实现本申请实施例的服务器或终端的计算机系统600的结构示意图。图6示出的服务器或终端仅仅是一个示例,不应对本申请实施例的功能和使用范围带来任何限制。Referring to FIG. 6 below, it shows a schematic structural diagram of a computer system 600 suitable for implementing the server or terminal of the embodiment of the present application. The server or terminal shown in FIG. 6 is only an example, and should not impose any limitations on the functions and scope of use of the embodiments of the present application.

如图6所示,计算机系统600包括中央处理单元(CPU)601,其可以根据存储在只读存储器(ROM)602中的程序或者从存储部分608加载到随机访问存储器(RAM)603中的程序而执行各种适当的动作和处理。在RAM 603中,还存储有系统600操作所需的各种程序和数据。CPU 601、ROM 602以及RAM 603通过总线604彼此相连。输入/输出(I/O)接口605也连接至总线604。As shown in FIG. 6, a computer system 600 includes a central processing unit (CPU) 601, which can be loaded into a random access memory (RAM) 603 according to a program stored in a read only memory (ROM) 602 or a program from a storage section 608 Instead, various appropriate actions and processes are performed. In the RAM 603, various programs and data necessary for the operation of the system 600 are also stored. The CPU 601 , the ROM 602 , and the RAM 603 are connected to each other through a bus 604 . An input/output (I/O) interface 605 is also connected to bus 604 .

以下部件可以连接至I/O接口605:包括诸如键盘、鼠标等的输入部分606;包括诸如阴极射线管(CRT)、液晶显示器(LCD)等以及扬声器等的输出部分607;包括硬盘等的存储部分608;以及包括诸如LAN卡、调制解调器等的网络接口卡的通信部分609。通信部分609经由诸如因特网的网络执行通信处理。驱动器610也根据需要连接至I/O接口605。可拆卸介质611,诸如磁盘、光盘、磁光盘、半导体存储器等等,根据需要安装在驱动器610上,以便于从其上读出的计算机程序根据需要被安装入存储部分608。The following components can be connected to the I/O interface 605: an input section 606 including a keyboard, a mouse, etc.; an output section 607 including a cathode ray tube (CRT), a liquid crystal display (LCD), etc., and a speaker, etc.; storage including a hard disk, etc. part 608; and a communication part 609 including a network interface card such as a LAN card, a modem, and the like. The communication section 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611, such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, etc., is mounted on the drive 610 as needed so that a computer program read therefrom is installed into the storage section 608 as needed.

特别地,根据本公开的实施例,上文参考流程图描述的过程可以被实现为计算机软件程序。例如,本公开的实施例包括一种计算机程序产品,其包括承载在计算机可读介质上的计算机程序,该计算机程序包含用于执行流程图所示的方法的程序代码。在这样的实施例中,该计算机程序可以通过通信部分609从网络上被下载和安装,和/或从可拆卸介质611被安装。在该计算机程序被中央处理单元(CPU)601执行时,执行本申请的方法中限定的上述功能。需要说明的是,本申请所述的计算机可读介质可以是计算机可读信号介质或者计算机可读介质或者是上述两者的任意组合。计算机可读介质例如可以是——但不限于——电、磁、光、电磁、红外线、或半导体的系统、装置或器件,或者任意以上的组合。计算机可读介质的更具体的例子可以包括但不限于:具有一个或多个导线的电连接、便携式计算机磁盘、硬盘、随机访问存储器(RAM)、只读存储器(ROM)、可擦式可编程只读存储器(EPROM或闪存)、光纤、便携式紧凑磁盘只读存储器(CD-ROM)、光存储器件、磁存储器件、或者上述的任意合适的组合。在本申请中,计算机可读介质可以是任何包含或存储程序的有形介质,该程序可以被指令执行系统、装置或者器件使用或者与其结合使用。而在本申请中,计算机可读的信号介质可以包括在基带中或者作为载波一部分传播的数据信号,其中承载了计算机可读的程序代码。这种传播的数据信号可以采用多种形式,包括但不限于电磁信号、光信号或上述的任意合适的组合。计算机可读的信号介质还可以是计算机可读介质以外的任何计算机可读介质,该计算机可读介质可以发送、传播或者传输用于由指令执行系统、装置或者器件使用或者与其结合使用的程序。计算机可读介质上包含的程序代码可以用任何适当的介质传输,包括但不限于:无线、电线、光缆、RF等等,或者上述的任意合适的组合。In particular, according to embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the method illustrated in the flowchart. In such an embodiment, the computer program may be downloaded and installed from the network via the communication portion 609 and/or installed from the removable medium 611 . When the computer program is executed by the central processing unit (CPU) 601, the above-described functions defined in the method of the present application are performed. It should be noted that the computer-readable medium described in this application may be a computer-readable signal medium or a computer-readable medium, or any combination of the above two. The computer readable medium can be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus or device, or a combination of any of the above. More specific examples of computer readable media may include, but are not limited to, electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read only memory (ROM), erasable programmable Read only memory (EPROM or flash memory), fiber optics, portable compact disk read only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing. In this application, a computer-readable medium may be any tangible medium that contains or stores a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. In this application, however, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code therein. Such propagated data signals may take a variety of forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the foregoing. A computer-readable signal medium can also be any computer-readable medium other than a computer-readable medium that can transmit, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any suitable medium including, but not limited to, wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.

可以以一种或多种程序设计语言或其组合来编写用于执行本申请的操作的计算机程序代码,所述程序设计语言包括面向对象的程序设计语言—诸如Java、Smalltalk、C++,还包括常规的过程式程序设计语言—诸如C语言或类似的程序设计语言。程序代码可以完全地在用户计算机上执行、部分地在用户计算机上执行、作为一个独立的软件包执行、部分在用户计算机上部分在远程计算机上执行、或者完全在远程计算机或服务器上执行。在涉及远程计算机的情形中,远程计算机可以通过任意种类的网络——包括局域网(LAN)或广域网(WAN)—连接到用户计算机,或者,可以连接到外部计算机(例如利用因特网服务提供商来通过因特网连接)。Computer program code for performing the operations of the present application may be written in one or more programming languages, including object-oriented programming languages—such as Java, Smalltalk, C++, but also conventional procedural programming language—such as C or a similar programming language. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (eg, using an Internet service provider through Internet connection).

附图中的流程图和框图,图示了按照本申请各种实施例的系统、方法和计算机程序产品的可能实现的体系架构、功能和操作。在这点上,流程图或框图中的每个方框可以代表一个模块、程序段、或代码的一部分,该模块、程序段、或代码的一部分包含一个或多个用于实现规定的逻辑功能的可执行指令。也应当注意,在有些作为替换的实现中,方框中所标注的功能也可以以不同于附图中所标注的顺序发生。例如,两个接连地表示的方框实际上可以基本并行地执行,它们有时也可以按相反的顺序执行,这依所涉及的功能而定。也要注意的是,框图和/或流程图中的每个方框、以及框图和/或流程图中的方框的组合,可以用执行规定的功能或操作的专用的基于硬件的系统来实现,或者可以用专用硬件与计算机指令的组合来实现。The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code that contains one or more logical functions for implementing the specified functions executable instructions. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It is also noted that each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented in dedicated hardware-based systems that perform the specified functions or operations , or can be implemented in a combination of dedicated hardware and computer instructions.

描述于本申请实施例中所涉及到的单元可以通过软件的方式实现,也可以通过硬件的方式来实现。所描述的单元也可以设置在处理器中,例如,可以描述为:一种处理器包括第一获取单元、第一确定单元、第二获取单元和第二确定单元。其中,这些单元的名称在某种情况下并不构成对该单元本身的限定,例如,第一获取单元还可以被描述为“被配置成获取用户发送的访问请求的单元”。The units involved in the embodiments of the present application may be implemented in a software manner, and may also be implemented in a hardware manner. The described unit may also be provided in the processor, for example, it may be described as: a processor includes a first obtaining unit, a first determining unit, a second obtaining unit and a second determining unit. Wherein, the names of these units do not constitute a limitation on the unit itself in some cases, for example, the first obtaining unit may also be described as "a unit configured to obtain an access request sent by a user".

作为另一方面,本申请还提供了一种计算机可读介质,该计算机可读介质可以是上述实施例中描述的装置中所包含的;也可以是单独存在,而未装配入该装置中。上述计算机可读介质承载有一个或者多个程序,当上述一个或者多个程序被该装置执行时,使得该装置:获取用户发送的访问请求,访问请求包括用户标识信息、资源标识信息;根据预先设置的资源标识信息与标签信息的关联关系,确定与访问请求包括的资源标识信息关联的标签信息;获取预先设置的与用户标识信息关联的至少一组访问控制信息中包括确定出的标签信息的访问控制信息;根据所获取的访问控制信息确定是否拒绝访问请求。As another aspect, the present application also provides a computer-readable medium, which may be included in the apparatus described in the above-mentioned embodiments, or may exist independently without being assembled into the apparatus. The above-mentioned computer-readable medium carries one or more programs, and when the above-mentioned one or more programs are executed by the device, the device is made to: obtain an access request sent by a user, and the access request includes user identification information and resource identification information; The association relationship between the set resource identification information and the label information, determine the label information associated with the resource identification information included in the access request; obtain at least one set of preset access control information associated with the user identification information that includes the determined label information. Access control information; determine whether to deny the access request according to the obtained access control information.

以上描述仅为本申请的较佳实施例以及对所运用技术原理的说明。本领域技术人员应当理解,本申请中所涉及的发明范围,并不限于上述技术特征的特定组合而成的技术方案,同时也应涵盖在不脱离上述发明构思的情况下,由上述技术特征或其等同特征进行任意组合而形成的其它技术方案。例如上述特征与本申请中公开的(但不限于)具有类似功能的技术特征进行互相替换而形成的技术方案。The above description is only a preferred embodiment of the present application and an illustration of the applied technical principles. Those skilled in the art should understand that the scope of the invention involved in this application is not limited to the technical solution formed by the specific combination of the above technical features, and should also cover the above technical features or Other technical solutions formed by any combination of its equivalent features. For example, a technical solution is formed by replacing the above-mentioned features with the technical features disclosed in this application (but not limited to) with similar functions.

Claims (16)

1. a kind of method for controlling resource access, comprising:
The access request that user sends is obtained, the access request includes user identity information, resource identification information;
According to the incidence relation of pre-set resource identification information and label information, the determining money for including with the access request The associated label information of source identification information;
Obtaining in the associated at least one set of access control information of the pre-set and user identity information includes determining The access control information of label information;
Determine whether to refuse the access request according to acquired access control information.
2. according to the method described in claim 1, wherein, the access control information further includes the first operation identification information;With And
The access control information according to acquired in determines whether to refuse the access request, comprising:
Obtain the second operation identification information for including in the access request;
Whether the first operation identification information for including according to second operation identification information and acquired access control information Matching determines whether to refuse the access request.
3. according to the method described in claim 1, wherein, the access control information includes indicating whether that refusing the access asks The instruction information asked;And
The access control information according to acquired in determines whether to refuse the access request, comprising:
Determine whether to refuse the access request according to the instruction information that acquired access control information includes.
4. according to the method described in claim 1, wherein, the resource identification information includes at least one of the following:
Information, the information of resource region of the affiliated product of resource identifier, resource.
5. according to the method described in claim 1, wherein, the acquisition is pre-set associated with the user identity information It include the access control information for the label information determined at least one set of access control information, comprising:
Obtaining in the associated at least one set of access control information of the pre-set and user identity information includes determining The access control information for the resource identification information that label information or the access request include.
6. method according to any one of claims 1-5, wherein the access request for obtaining user and sending, comprising:
User's hair is intercepted by section predetermined in the method for Authority Verification and/or the method for processing request address mapping The access request sent;
Field predetermined in the access request is obtained by reflection mechanism in the section.
7. according to the method described in claim 6, wherein, the field predetermined includes operation identification information field and money Source identifier field;And
It is described that field predetermined in the access request is obtained by reflection mechanism in the section, comprising:
In response to getting the action type of the operation identification information field instruction request for creation generic operation, by the resource The value of identifier field is set as preset characters.
8. a kind of for controlling the device of resource access, comprising:
First acquisition unit, be configured to obtain user transmission access request, the access request include user identity information, Resource identification information;
First determination unit is configured to the incidence relation according to pre-set resource identification information and label information, determines The associated label information of resource identification information for including with the access request;
Second acquisition unit is configured to obtain pre-set access with the associated at least one set of the user identity information and controls It include the access control information for the label information determined in information processed;
Second determination unit is configured to determine whether to refuse the access request according to acquired access control information.
9. device according to claim 8, wherein the access control information further includes the first operation identification information;With And
Second determination unit, comprising:
First obtains subelement, is configured to obtain the second operation identification information in the access request included;
First determine subelement, be configured to include according to second operation identification information and acquired access control information The first operation identification information whether match and determine whether to refuse the access request.
10. device according to claim 8, wherein the access control information includes indicating whether to refuse the access The instruction information of request;And
Second determination unit, comprising:
Second determines subelement, is configured to determine whether to refuse according to the instruction information that acquired access control information includes The access request.
11. device according to claim 8, wherein the resource identification information includes at least one of the following:
Information, the information of resource region of the affiliated product of resource identifier, resource.
12. device according to claim 8, wherein the second acquisition unit, comprising:
Second obtains subelement, is configured to obtain the associated at least one set of access of the pre-set and user identity information The access control information for the resource identification information that in control information include the label information determined or the access request includes.
13. the device according to any one of claim 8-12, wherein the first acquisition unit, comprising:
Subelement is intercepted, is configured in the device of Authority Verification and/or the method for processing request address mapping by preparatory The section of definition intercepts the access request that user sends;
Third obtains subelement, is configured in the section obtain by reflection mechanism in the access request pre-defined Field.
14. device according to claim 13, wherein the field predetermined include operation identification information field and Resource identifier field;And
The third obtains subelement, is further configured to:
In response to getting the action type of the operation identification information field instruction request for creation generic operation, by the resource The value of identifier field is set as preset characters.
15. a kind of electronic equipment, comprising:
One or more processors;
Storage device is stored thereon with one or more programs;
When one or more of programs are executed by one or more of processors, so that one or more of processors Realize the method as described in any in claim 1-7.
16. a kind of computer-readable medium, is stored thereon with computer program, such as right is realized when which is executed by processor It is required that any method in 1-7.
CN201910257142.9A 2019-04-01 2019-04-01 Method and apparatus for controlling resource access Pending CN109976914A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910257142.9A CN109976914A (en) 2019-04-01 2019-04-01 Method and apparatus for controlling resource access

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910257142.9A CN109976914A (en) 2019-04-01 2019-04-01 Method and apparatus for controlling resource access

Publications (1)

Publication Number Publication Date
CN109976914A true CN109976914A (en) 2019-07-05

Family

ID=67082163

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910257142.9A Pending CN109976914A (en) 2019-04-01 2019-04-01 Method and apparatus for controlling resource access

Country Status (1)

Country Link
CN (1) CN109976914A (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110661863A (en) * 2019-09-20 2020-01-07 政采云有限公司 A request processing method, device, electronic device and storage medium
CN110825410A (en) * 2019-10-31 2020-02-21 国云科技股份有限公司 Resource relation processing method for multi-cloud management
CN111181983A (en) * 2019-12-31 2020-05-19 奇安信科技集团股份有限公司 Endogenous access control method, apparatus, computing device, and medium
CN111831453A (en) * 2020-07-24 2020-10-27 中国工商银行股份有限公司 Information processing method, information processing apparatus, electronic device, and medium
CN112232771A (en) * 2020-10-17 2021-01-15 严怀华 Big data analysis method and big data cloud platform applied to smart government-enterprise cloud service
CN112882838A (en) * 2019-11-29 2021-06-01 北京百度网讯科技有限公司 Method and apparatus for retiring resource instances
CN112995166A (en) * 2021-02-10 2021-06-18 北京金山云网络技术有限公司 Resource access authentication method and device, storage medium and electronic equipment
CN113254924A (en) * 2020-02-13 2021-08-13 斑马智行网络(香港)有限公司 Data processing method, resource access method, device and equipment
CN113687996A (en) * 2020-05-18 2021-11-23 北京沃东天骏信息技术有限公司 Method, device, equipment and computer readable medium for monitoring data
CN114238896A (en) * 2021-12-24 2022-03-25 中国建设银行股份有限公司 A multi-item authority control method and system
CN114520742A (en) * 2022-02-21 2022-05-20 中国农业银行股份有限公司 Access request processing method, device and storage medium
CN115102720A (en) * 2022-05-31 2022-09-23 苏州浪潮智能科技有限公司 Virtual machine security management method, system and computer equipment
CN116015695A (en) * 2021-10-20 2023-04-25 腾讯科技(深圳)有限公司 Resource access method, system, device, terminal and storage medium
CN117424764A (en) * 2023-12-19 2024-01-19 中关村科学城城市大脑股份有限公司 System resource access request information processing method and device, electronic equipment and medium
CN118133254A (en) * 2024-02-08 2024-06-04 北京字跳网络技术有限公司 Resource access control method, device, electronic equipment, storage medium and product

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101441688A (en) * 2007-11-20 2009-05-27 阿里巴巴集团控股有限公司 User authority allocation method and user authority control method
CN103049684A (en) * 2012-12-21 2013-04-17 大唐软件技术股份有限公司 Data authority control method and data authority control system based on RBAC (role-based access control) model extension
CN103716326A (en) * 2013-12-31 2014-04-09 华为技术有限公司 Resource access method and URG
CN106506521A (en) * 2016-11-28 2017-03-15 腾讯科技(深圳)有限公司 resource access control method and device
CN109033774A (en) * 2018-08-31 2018-12-18 阿里巴巴集团控股有限公司 Acquisition, the method, apparatus of feedback user resource and electronic equipment
CN109522751A (en) * 2018-12-17 2019-03-26 泰康保险集团股份有限公司 Access right control method, device, electronic equipment and computer-readable medium

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101441688A (en) * 2007-11-20 2009-05-27 阿里巴巴集团控股有限公司 User authority allocation method and user authority control method
CN103049684A (en) * 2012-12-21 2013-04-17 大唐软件技术股份有限公司 Data authority control method and data authority control system based on RBAC (role-based access control) model extension
CN103716326A (en) * 2013-12-31 2014-04-09 华为技术有限公司 Resource access method and URG
CN106506521A (en) * 2016-11-28 2017-03-15 腾讯科技(深圳)有限公司 resource access control method and device
CN109033774A (en) * 2018-08-31 2018-12-18 阿里巴巴集团控股有限公司 Acquisition, the method, apparatus of feedback user resource and electronic equipment
CN109522751A (en) * 2018-12-17 2019-03-26 泰康保险集团股份有限公司 Access right control method, device, electronic equipment and computer-readable medium

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110661863A (en) * 2019-09-20 2020-01-07 政采云有限公司 A request processing method, device, electronic device and storage medium
CN110825410A (en) * 2019-10-31 2020-02-21 国云科技股份有限公司 Resource relation processing method for multi-cloud management
CN112882838A (en) * 2019-11-29 2021-06-01 北京百度网讯科技有限公司 Method and apparatus for retiring resource instances
CN111181983B (en) * 2019-12-31 2023-09-08 奇安信科技集团股份有限公司 Endogenous access control method, endogenous access control device, computing equipment and medium
CN111181983A (en) * 2019-12-31 2020-05-19 奇安信科技集团股份有限公司 Endogenous access control method, apparatus, computing device, and medium
CN113254924A (en) * 2020-02-13 2021-08-13 斑马智行网络(香港)有限公司 Data processing method, resource access method, device and equipment
CN113687996A (en) * 2020-05-18 2021-11-23 北京沃东天骏信息技术有限公司 Method, device, equipment and computer readable medium for monitoring data
CN111831453A (en) * 2020-07-24 2020-10-27 中国工商银行股份有限公司 Information processing method, information processing apparatus, electronic device, and medium
CN111831453B (en) * 2020-07-24 2024-02-06 中国工商银行股份有限公司 Information processing method, device, electronic equipment and medium
CN112232771A (en) * 2020-10-17 2021-01-15 严怀华 Big data analysis method and big data cloud platform applied to smart government-enterprise cloud service
CN112995166A (en) * 2021-02-10 2021-06-18 北京金山云网络技术有限公司 Resource access authentication method and device, storage medium and electronic equipment
CN112995166B (en) * 2021-02-10 2023-05-05 北京金山云网络技术有限公司 Authentication method and device for resource access, storage medium and electronic equipment
CN116015695A (en) * 2021-10-20 2023-04-25 腾讯科技(深圳)有限公司 Resource access method, system, device, terminal and storage medium
CN114238896A (en) * 2021-12-24 2022-03-25 中国建设银行股份有限公司 A multi-item authority control method and system
CN114520742A (en) * 2022-02-21 2022-05-20 中国农业银行股份有限公司 Access request processing method, device and storage medium
CN115102720A (en) * 2022-05-31 2022-09-23 苏州浪潮智能科技有限公司 Virtual machine security management method, system and computer equipment
CN115102720B (en) * 2022-05-31 2023-08-11 苏州浪潮智能科技有限公司 Virtual machine security management method, system and computer equipment
CN117424764A (en) * 2023-12-19 2024-01-19 中关村科学城城市大脑股份有限公司 System resource access request information processing method and device, electronic equipment and medium
CN117424764B (en) * 2023-12-19 2024-02-23 中关村科学城城市大脑股份有限公司 System resource access request information processing method and device, electronic equipment and medium
CN118133254A (en) * 2024-02-08 2024-06-04 北京字跳网络技术有限公司 Resource access control method, device, electronic equipment, storage medium and product
CN118133254B (en) * 2024-02-08 2025-06-24 北京字跳网络技术有限公司 Resource access control method, device, electronic equipment, storage medium and product

Similar Documents

Publication Publication Date Title
CN109976914A (en) Method and apparatus for controlling resource access
US11489671B2 (en) Serverless connected app design
US8943319B2 (en) Managing security for computer services
US10944560B2 (en) Privacy-preserving identity asset exchange
CN108111629A (en) Application Programming Interface service unit and Application Programming Interface service system
US20220232010A1 (en) Protected resource authorization using autogenerated aliases
CN113239377A (en) Authority control method, device, equipment and storage medium
US10673835B2 (en) Implementing single sign-on in a transaction processing system
US10891386B2 (en) Dynamically provisioning virtual machines
US11093482B2 (en) Managing access by third parties to data in a network
CN110521182A (en) Protocol-Level Identity Mapping
US11470068B2 (en) System and methods for securely storing data for efficient access by cloud-based computing instances
CN112035282B (en) API management method, device and equipment applied to cloud platform and storage medium
CN112395568A (en) Interface authority configuration method, device, equipment and storage medium
CN110471908A (en) A kind of joint modeling method and device
US10326833B1 (en) Systems and method for processing request for network resources
CN117041959A (en) Service processing method, device, electronic equipment and computer readable medium
CN117193940A (en) Data access method, device, electronic equipment and computer readable medium
US10482397B2 (en) Managing identifiers
US11909720B2 (en) Secure remote support of systems deployed in a private network
CN117061221A (en) Implementation method and device of cloud password service
US12355843B2 (en) Protecting API keys for accessing services
US9159078B2 (en) Managing identifiers
US20240330709A1 (en) Shadow satisfiability modulo theories solver systems
CN113760395B (en) Method, device, equipment and computer-readable medium for interface authentication

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20190705