
CN118965388A - Access processing method, device, equipment and storage medium - Google Patents


Info

Publication number
CN118965388A
CN118965388A
Authority
CN
China
Prior art keywords
authority
candidate
user terminal
strategy
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410999504.2A
Other languages
Chinese (zh)
Inventor
薛志侯
孙福平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Construction Bank Corp
CCB Finetech Co Ltd
Original Assignee
China Construction Bank Corp
CCB Finetech Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Construction Bank Corp, CCB Finetech Co Ltd
Priority to CN202410999504.2A
Publication of CN118965388A
Legal status: Pending


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/46 Multiprogramming arrangements
    • G06F 9/48 Program initiating; Program switching, e.g. by interrupt
    • G06F 9/4806 Task transfer initiation or dispatching
    • G06F 9/4843 Task transfer initiation or dispatching by program, e.g. task dispatcher, supervisor, operating system
    • G06F 9/4881 Scheduling strategies for dispatcher, e.g. round robin, multi-level priority queues
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/46 Multiprogramming arrangements
    • G06F 9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F 9/5061 Partitioning or combining of resources
    • G06F 9/5072 Grid computing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Automation & Control Theory (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses an access processing method, apparatus, device and storage medium in the technical field of data processing. The method comprises: while a user terminal is accessing cloud environment resources, determining, from real-time data and a plurality of preset permission policies, at least one candidate permission policy that matches the real-time data; ordering the candidate permission policies by priority from highest to lowest to obtain a candidate permission policy sequence; when an access request from the user terminal is received, determining, according to the access request, the first candidate permission policy in the sequence that allows the user terminal to access the target cloud environment resource corresponding to the access request as the target permission policy of the user terminal; and processing the access request according to the target permission policy. The method offers higher security and flexibility, determines the target permission policy quickly, and thereby achieves efficient access processing.

Description

Access processing method, device, equipment and storage medium
Technical Field
The present application relates to the field of data processing technologies, and in particular, to an access processing method, apparatus, device, and storage medium.
Background
Cloud computing, an important component of modern information technology, has been widely adopted across industries. As cloud computing has spread, however, security issues in cloud environments have become increasingly prominent. To improve security, the permissions of each user must be controlled when the user accesses a resource in the cloud environment through a user terminal.
Currently, permission policies may be configured for users based on static user roles or rules. When a user accesses resources in the cloud environment through a user terminal, the user's access is processed according to those permission policies.
However, because access is processed according to static permission policies, this approach easily leads to permission abuse or data leakage, and its security is poor.
Disclosure of Invention
The application provides an access processing method, apparatus, device and storage medium to address the technical problem of poor security when access processing is performed in the related art.
In a first aspect, the application provides an access processing method, comprising:
determining, from real-time data generated while a user terminal accesses cloud environment resources and a plurality of preset permission policies, at least one candidate permission policy that matches the real-time data;
ordering the candidate permission policies by priority from highest to lowest to obtain a candidate permission policy sequence;
when an access request from the user terminal is received, determining, according to the access request, the first candidate permission policy in the candidate permission policy sequence that allows the user terminal to access the target cloud environment resource corresponding to the access request as the target permission policy of the user terminal;
and processing the access request according to the target permission policy.
In a second aspect, the application provides an access processing apparatus, comprising:
a first determining module, configured to determine, from real-time data generated while a user terminal accesses cloud environment resources and a plurality of preset permission policies, at least one candidate permission policy that matches the real-time data;
an ordering module, configured to order the candidate permission policies by priority from highest to lowest to obtain a candidate permission policy sequence;
a second determining module, configured to determine, when an access request from the user terminal is received and according to the access request, the first candidate permission policy in the candidate permission policy sequence that allows the user terminal to access the target cloud environment resource corresponding to the access request as the target permission policy of the user terminal;
and a processing module, configured to process the access request according to the target permission policy.
In a third aspect, the application further provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the access processing method of any embodiment of the application when executing the program.
In a fourth aspect, the application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the access processing method of any embodiment of the application.
In a fifth aspect, the application further provides a computer program product comprising a computer program which, when executed by a processor, implements the access processing method of any embodiment of the application.
The technical solution provided by the application comprises: determining, from real-time data generated while a user terminal accesses cloud environment resources and a plurality of preset permission policies, at least one candidate permission policy that matches the real-time data; ordering the candidate permission policies by priority from highest to lowest to obtain a candidate permission policy sequence; when an access request from the user terminal is received, determining, according to the access request, the first candidate permission policy in the sequence that allows the user terminal to access the target cloud environment resource corresponding to the access request as the target permission policy of the user terminal; and processing the access request according to the target permission policy. In this method, the candidate permission policies matched to the real-time data are determined first and the access request is then processed according to a target permission policy chosen among them, so the access request is processed dynamically on the basis of real-time data; compared with processing access requests according to static permission policies, this gives higher security and flexibility. At the same time, the target permission policy is determined from the priorities of the candidate permission policies and the access request, so it can be determined quickly, which achieves efficient access processing.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of an application scenario of an access processing method according to an embodiment of the present application;
Fig. 2 is a schematic diagram of another application scenario of the access processing method provided in the embodiment of the present application;
FIG. 3 is a schematic flow chart of an access processing method according to an embodiment of the present application;
FIG. 4 is a diagram of real-time data according to an embodiment of the present application;
FIG. 5 is a flowchart illustrating another access processing method according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a behavior analysis performed in an embodiment of the present application;
FIG. 7 is a schematic diagram of an environmental analysis performed in an embodiment of the present application;
FIG. 8 is a flowchart illustrating another access processing method according to an embodiment of the present application;
fig. 9 is a schematic diagram of an application scenario of another access processing method according to an embodiment of the present application;
FIG. 10 is a flowchart illustrating another access processing method according to an embodiment of the present application;
FIG. 11 is a flowchart illustrating another access processing method according to an embodiment of the present application;
FIG. 12 is a schematic diagram of an access processing system according to an embodiment of the present application;
fig. 13 is a schematic structural diagram of an access processing device according to an embodiment of the present application;
fig. 14 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The application is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the application and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present application are shown in the drawings.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", "candidate", and "target", etc. are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance. The technical scheme of the application obtains, stores, uses, processes and the like the data, which all meet the relevant regulations of national laws and regulations. It should be noted that, in the embodiments of the present application, some existing solutions in the industry such as software, components, models, etc. may be mentioned, and they should be regarded as exemplary, only for illustrating the feasibility of implementing the technical solution of the present application, but it does not mean that the applicant has or must not use the solution.
Fig. 1 is a schematic diagram of an application scenario of an access processing method according to an embodiment of the present application. As shown in fig. 1, the access processing method provided in this embodiment may be applied to the first electronic device 11 shown in fig. 1. The first electronic device 11 in this embodiment may be a computer device, a server, or the like. The first electronic device 11 in this embodiment is disposed between the user terminal 12 and the cloud environment 13. The user terminal in this embodiment may be an electronic device such as a mobile phone, a personal computer device, a tablet computer, or a vehicle-mounted terminal. The cloud environment 13 is composed of a plurality of second electronic devices 131. The second electronic device 131 has various data resources or information resources stored therein. The user terminal 12 may enable access to various resources in the cloud environment 13 through the first electronic device 11. The first electronic device 11 in this embodiment processes the access request of the user terminal 12 by executing the access processing method provided in this embodiment, so as to improve access security.
Fig. 2 is a schematic diagram of another application scenario of the access processing method provided in the embodiment of the present application. As shown in fig. 2, the access processing method provided in this embodiment may be applied to the electronic device cluster 21 shown in fig. 2. The cluster of electronic devices 21 comprises at least two third electronic devices 211. In fig. 2, the electronic device cluster 21 is illustrated as comprising three third electronic devices 211. The electronic device cluster 21 is disposed between the user terminal 12 and the cloud environment 13, and the electronic device cluster 21 processes the access request of the user terminal 12 by executing the access processing method provided in the embodiment, so as to improve access security.
The access processing method of the present application is described in further detail below by way of several specific examples.
Fig. 3 is a flow chart of an access processing method according to an embodiment of the present application. The method may be performed by an access processing device, which may be implemented in hardware and/or software, which may be configured in an electronic device. The electronic device here may be the first electronic device in fig. 1 or the third electronic device in fig. 2. The electronic device in the present embodiment may be a server, for example. As shown in fig. 3, the access processing method provided in this embodiment includes the following steps.
Step 301: Determine, from the real-time data generated while the user terminal accesses the cloud environment resource and a plurality of preset permission policies, at least one candidate permission policy that matches the real-time data.
The cloud environment resource in this embodiment refers to a resource in the form of text, image, audio, video, data set, or program code stored in the cloud environment. The user terminal can access the cloud environment resources based on the user requirements.
A permission policy in this embodiment is preset information used to control the access behaviour of a user. Optionally, a permission policy may indicate at least one of: role, time, place and resource information. A role is the role of a user, also called a user group, such as administrator, ordinary user or guest. Time is the time at which the access is initiated. Place is the geographical location of the user terminal. Resource information is the type and quantity of the resources; resource types may include, for example, public resources or sensitive data.
Each permission policy in this embodiment has a priority, which indicates the importance and execution order of the policy: the higher the priority of a permission policy, the more important it is and the earlier it is executed. Optionally, the priority may be determined from the role in the permission policy; for example, a policy whose role is administrator has a higher priority than one whose role is ordinary user. Optionally, the priority may be determined from the resource information in the permission policy; for example, a policy whose resource information is sensitive data has a higher priority than one whose resource information is public information. Or the priority may be determined from both the role and the resource information in the permission policy.
For example, the preset permission policies may include: an administrator may access all resources during working hours, priority 80; ordinary users may only access public resources, priority 75; the user group "Editor" may read and write but not delete, priority 70; access to sensitive data is prohibited outside working hours, priority 78.
The access processing method of this embodiment can implement dynamic permission management. Depending on the real-time data, role-based access control (RBAC) or attribute-based access control (ABAC) is used to implement dynamic permission management; ABAC determines permission policies dynamically from attributes of users, resources, environments and operations.
Once the user terminal starts accessing the cloud environment, the access processing apparatus can acquire real-time data generated while the user terminal accesses the cloud environment resource. In step 301, at least one candidate permission policy matching the real-time data is determined from that real-time data and the plurality of permission policies.
Fig. 4 is a schematic diagram of real-time data according to an embodiment of the application. As shown in fig. 4, the real-time data 41 in the present embodiment includes the following three aspects: user information 411, real-time behavior data 412, and environment information 413.
The user information 411 in this embodiment includes the role of the user corresponding to the user terminal.
The real-time behavior data 412 in this embodiment includes at least one of the following: the login time of the user terminal, the login location of the user terminal, the access frequency of the user terminal, the operation type of the user terminal, the operation frequency of the user terminal, the type of resources accessed by the user terminal and the number of resources accessed by the user terminal. Optionally, the login location of the user terminal refers to a physical location of the user terminal logging into the cloud environment or a location of the network access point. The operation type of the user terminal includes at least one of: clicking, querying, adding, deleting, modifying, etc. The resource type accessed by the user terminal refers to a resource type or a resource form, such as text, image, audio, and the like. The number of resources in the present embodiment refers to the data amount of the resources.
The environment information 413 in this embodiment includes at least one of: attribute information of the user terminal, information about the network to which the user terminal is connected, geographical location information of the user terminal, and access time information. The attribute information of the user terminal includes at least one of: the terminal type, the terminal model, the operating system, the browser type used to access the cloud environment resource, and the Internet Protocol (IP) address. The network information includes at least one of: whether the network is internal or external, its security level, its transmission rate and its load. The geographical location information may include the longitude and latitude of the user terminal. The access time information includes the access time and whether it falls within or outside working hours.
Before step 301, the access processing method provided in this embodiment further includes the following steps: and acquiring real-time data in the process of accessing cloud environment resources by the user terminal. Optionally, the access processing device acquires the real-time data by: acquiring real-time behavior data and user information of a user terminal through a log, wherein an operation log of the user terminal is recorded in the log, and the operations comprise login, access, modification and the like; the attribute information of the user terminal, the information of the network to which the user terminal is connected, the geographical location information of the user terminal, and other environmental information are collected through a network sensor or an application programming interface (Application Programming Interface, abbreviated as API).
For example, a general user a logs in to the cloud environment from a company network during work time through his user terminal. After the user terminal logs in the system, the operation log records each access operation, modification operation and the like of the user terminal. The real-time data acquired by the access processing device comprises: the role of the user a (general user), login time, IP address, access frequency, operation type, operation frequency, attribute information of the user terminal, geographical location information of the user terminal, and the like. The access frequency, the operation type, the operation frequency, the login time and the IP address can be obtained from the operation log. Attribute information of the user terminal can be acquired through a network sensor. The geographical location information of the user terminal may be obtained through a geographical location service API.
For example, based on the real-time data in the above example, the candidate permission policies determined in step 301 may include: Policy 1, an administrator can access all resources during working hours; and Policy 3, the user may access sensitive data within the corporate network.
By step 301, it is possible to dynamically determine candidate authority policies according to real-time data of the user terminal, and dynamically adjust the authority policies of the user terminal. For example, the rights of user terminals accessing sensitive data in an untrusted network are restricted.
Optionally, to determine the candidate permission policies more efficiently, step 301 may determine them as follows: parse the real-time data and extract its key attribute values, which represent at least one of the user information, the real-time behaviour data and the environment information; then, among the plurality of permission policies, determine those matching the key attribute values as candidate permission policies.
In one implementation, the real-time data may be parsed by a machine learning model to extract the key attribute values. In another, each field of the real-time data is read and the key attribute values are extracted from the fields and their values.
Note that the real-time data in this embodiment is either the real-time data of the user terminal collected during a preset duration T after it logs in to the cloud environment, or all real-time data from the moment the user terminal logs in to the cloud environment up to the current moment.
Step 302: and sequencing the candidate authority strategies according to the order of the priority of at least one candidate authority strategy from big to small to obtain a candidate authority strategy sequence.
In this embodiment, in order to improve the access processing efficiency, after determining at least one candidate authority policy, the candidate authority policies are ordered according to the order of the priority of the at least one candidate authority policy from big to small, so as to obtain a candidate authority policy sequence. In the candidate authority strategy sequence, the higher the priority is, the earlier the ranking of the candidate authority strategies is. For example, assume that there are 4 candidate rights policies: candidate authority policy 31, priority: 50; candidate rights policy 32, priority: 80; candidate rights policy 33, priority: 60; candidate rights policy 34, priority: 75, the candidate authority policy sequence is: candidate rights policy 32, candidate rights policy 34, candidate rights policy 33, candidate rights policy 31.
Alternatively, the candidate entitlement policies may be ordered based on: if the priority of the first candidate authority strategy is greater than that of the second candidate authority strategy, determining that the ordering of the first candidate authority strategy is positioned before the second candidate authority strategy; if the priority of the first candidate authority strategy is the same as that of the second candidate authority strategy, sequencing according to the strategy type of the first candidate authority strategy and the strategy type of the second candidate authority strategy; and if the policy type of the first candidate authority policy and the priority of the second candidate authority policy are the same and the policy types are the same, sequencing according to the creation time of the first candidate authority policy and the creation time of the second candidate authority policy.
The policy types of the candidate authority policies in the embodiment include a base authority policy and a composite authority policy. The basic authority policy in this embodiment refers to an authority policy including only one type of element. Here, the elements refer to any one of roles, time, place, and resource information. That is, the basic authority policy refers to an authority policy including only one type of character, one type of time, one type of place, or one type of resource information. The composite rights policy refers to a rights policy that includes multiple classes of elements. For example, rights policy: the common user accesses the public resource in the working time, and the permission policy is a basic permission policy as the common user only comprises one type of roles. Rights policy: during working time, common users can access public resources; an administrator may access all resources at any time; all users are forbidden to access sensitive data in non-working time, including two types of roles, namely a common user and an administrator, and the permission policy is a composite permission policy.
Alternatively, the composite rights policy may precede the base rights policy in order of the policy type of the first candidate rights policy and the policy type of the second candidate rights policy, so that the target rights policy may be quickly determined in step 303.
Alternatively, when ordered by creation time of the first candidate authority policy and creation time of the second candidate authority policy, the authority policy with the later creation time may be located before the authority policy with the earlier creation time. Since the rights policy with the later creation time may better meet the latest security requirement of the cloud environment, this ordering manner may make it easier for the rights policy with the later creation time to be the target rights policy in step 303.
Step 303: when an access request of a user terminal is received, determining, according to the access request, the first candidate authority policy in the candidate authority policy sequence that allows the user terminal to access the target cloud environment resource corresponding to the access request as the target authority policy of the user terminal.
The access request in this embodiment may be an access request in the real-time data in step 301, or may be an access request obtained after determining the candidate permission policy sequence. The embodiment is not limited thereto.
The access request in this embodiment indicates the target cloud environment resource to be accessed by the access request. Optionally, the access request may further indicate information such as a role, access time, access location, and the like of the user corresponding to the user terminal.
In step 303, according to the arrangement order of the candidate authority policies in the candidate authority policy sequence, the first candidate authority policy allowing the user terminal to access the target cloud environment resource corresponding to the access request is determined as the target authority policy of the user terminal.
The specific process of step 303 may be: determining, according to the access request and the i-th candidate authority policy in the candidate authority policy sequence, whether the i-th candidate authority policy allows the access request to access the target cloud environment resource corresponding to the access request; if the i-th candidate authority policy allows the access, determining the i-th candidate authority policy as the target authority policy; if the i-th candidate authority policy does not allow the access, taking i+1 as the new value of i; if the new value of i is less than or equal to M, returning to the step of determining whether the i-th candidate authority policy allows the access request to access the target cloud environment resource, and if the new value of i is greater than M, stopping step 303. Here M represents the number of candidate authority policies, and the initial value of i is 1.
Step 303 stops checking the remaining candidate authority policies as soon as a candidate authority policy allowing the user terminal to access the target cloud environment resource is found in priority order, so as to avoid unnecessary further checking. This improves the efficiency of access processing and reduces the complexity of determining the target authority policy. Meanwhile, when a candidate authority policy that denies the user terminal access to the target cloud environment resource is found, the method continues to determine whether other candidate authority policies allow the user terminal to access the target cloud environment resource. For example, assume that the user terminal attempts to access a resource and the system evaluates the policies in turn. When the first policy (policy A) allows access to the resource, policy A is determined to be the target authority policy, and evaluation of subsequent policies is terminated. For another example, assume that the user terminal attempts to access a resource and the system evaluates the policies in turn. When the first policy (policy B) denies access to the resource, it is necessary to continue evaluating the other policies to determine whether any other policy allows the access.
Optionally, when the access request of the user terminal is received, if it is determined that all the candidate authority policies in the candidate authority policy sequence reject the user terminal to access the target cloud environment resource corresponding to the access request, the access request is rejected. This means that the access request may be an access request that may be harmful to the cloud environment resources, and the access request is denied for improved security.
Step 304: and processing the access request according to the target authority strategy.
After determining the target permission policy, the access request may be processed according to the target permission policy. That is, the access request is allowed to access its corresponding target cloud environment resource. The access request in this embodiment may be used to implement at least one of the following operations on the target cloud environment resource: read, delete, modify, or add, etc.
Optionally, in order to improve the execution efficiency of step 304, after obtaining the target authority policy and before executing step 304, the access processing method provided in this embodiment further includes: acquiring initial authority information of a user corresponding to a user terminal; adjusting the initial authority information according to the target authority strategy to obtain an adjusted authority strategy; and writing the adjusted authority strategy into the authority configuration information of the user. Correspondingly, the implementation process of step 304 is: acquiring an adjusted authority strategy from the authority configuration information; and processing the access request according to the adjusted authority policy. For example, the initial rights information of user a is the ordinary user rights. The target rights policy is to allow an administrator to access all resources. The adjusted entitlement policy is: allowing the administrator to access all resources, and writing the adjusted authority strategy into the authority configuration information of the user A. In step 304, the adjusted rights policy is obtained from the rights configuration information, and the access request is processed.
Optionally, after writing the adjusted rights policy into the rights configuration information of the user, rights verification may also be performed to determine whether the adjusted rights policy was successfully written into the rights configuration information. The verification process may be to test whether the read rights configuration information is an adjusted rights policy. After the permission verification is passed, the user or the system administrator may be notified of the permission adjustment result. For example, the administrator rights are written into the rights configuration of user a; verifying that the authority update of the user A is correct, and ensuring that the user A has the authority to access all resources; notifying user a and the system administrator that their rights have been updated to administrator rights.
Steps 301 to 304 are described below with a specific example. Assume that the determined candidate authority policies include: policy 1: common users access public resources during working time, priority 50; policy 2: the administrator accesses all resources at any time, priority 80; policy 3: access to sensitive data during non-working time is prohibited, priority 70; composite policy 1: during working time, common users can access public resources, administrators can access all resources at any time, and no user can access sensitive data during non-working time, priority 75. The candidate authority policy sequence is then: policy 2, composite policy 1, policy 3, policy 1.
Assuming that the access request characterizes an administrator attempting to access the resource, policy 2 is determined to be the target entitlement policy and evaluation of other candidate entitlement policies is stopped.
Assuming that the access request characterizes an ordinary user or administrator attempting to access a common resource during the working time, composite policy 1 is determined to be the target entitlement policy and evaluation of other candidate entitlement policies is stopped.
Assuming that the access request characterizes that the user tries to access the sensitive data in the non-working time, the target authority strategy cannot be determined, and the access request is refused.
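The ordering rule, the step 303 scan and the step 1003 priority derivation, as an added example that is not part of the patent text: the policy representation, field names and sample policies are constructed here, and the sample set mirrors policies 1 to 3 and composite policy 1 of the worked example.

```python
"""Candidate policy ordering and first-allow target policy selection.

Added example (not the patent's own code): models the ordering of the candidate
authority policy sequence (priority descending, composite before basic, later
creation time first) and the step 303 scan that stops at the first policy that
allows the request while continuing past denials. The policy representation,
the field names and the sample policies are constructed for this example.
"""
from dataclasses import dataclass
from statistics import mean, median
from typing import Optional

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Request:
    role: str            # constructed: "admin" or "user"
    resource: str        # constructed: "public" or "sensitive"
    working_hours: bool


@dataclass(frozen=True)
class BasicPolicy:
    """One rule over role, time and resource elements (one value of each)."""
    name: str
    effect: str                            # ALLOW or DENY
    priority: int
    created: int                           # constructed monotonic timestamp
    roles: frozenset = frozenset()         # empty means "any role"
    resources: frozenset = frozenset()     # empty means "any resource"
    working_hours: Optional[bool] = None   # None means "any time"

    def decide(self, req: Request) -> Optional[str]:
        """Return the effect if the rule applies to req, otherwise None."""
        if self.roles and req.role not in self.roles:
            return None
        if self.resources and req.resource not in self.resources:
            return None
        if self.working_hours is not None and req.working_hours != self.working_hours:
            return None
        return self.effect

    @property
    def composite(self) -> bool:
        return False


@dataclass(frozen=True)
class CompositePolicy:
    """Several basic rules bundled together (assumption: any deny overrides allow)."""
    name: str
    priority: int
    created: int
    parts: tuple

    def decide(self, req: Request) -> Optional[str]:
        effects = {p.decide(req) for p in self.parts} - {None}
        if DENY in effects:
            return DENY
        return ALLOW if ALLOW in effects else None

    @property
    def composite(self) -> bool:
        return True


def order_candidates(policies):
    """Priority high to low; ties: composite before basic, then later creation first."""
    return sorted(policies, key=lambda p: (-p.priority, not p.composite, -p.created))


def select_target(sequence, req: Request):
    """Step 303: the first ALLOW wins; a DENY does not stop the scan; None if no policy allows."""
    for policy in sequence:
        if policy.decide(req) == ALLOW:
            return policy
    return None


def composite_priority(parts, method="mean"):
    """Step 1003: derive a composite policy's priority from its constituent policies."""
    values = [p.priority for p in parts]
    return {"mean": mean, "max": max, "median": median, "min": min}[method](values)


# Constructed sample set mirroring the worked example above.
POLICY_1 = BasicPolicy("policy 1", ALLOW, 50, created=1, roles=frozenset({"user"}),
                       resources=frozenset({"public"}), working_hours=True)
POLICY_2 = BasicPolicy("policy 2", ALLOW, 80, created=2, roles=frozenset({"admin"}))
POLICY_3 = BasicPolicy("policy 3", DENY, 70, created=3,
                       resources=frozenset({"sensitive"}), working_hours=False)
COMPOSITE_1 = CompositePolicy("composite policy 1", 75, created=4,
                              parts=(POLICY_1, POLICY_2, POLICY_3))
SEQUENCE = order_candidates([POLICY_1, POLICY_2, POLICY_3, COMPOSITE_1])


def target_name(req: Request) -> Optional[str]:
    """Name of the target authority policy, or None when the request is to be rejected."""
    target = select_target(SEQUENCE, req)
    return target.name if target else None
```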
In the related art, a mode of processing the access of the user based on a static permission policy cannot flexibly cope with the dynamic changing requirement of the user and a complex cloud environment, and the flexibility is not enough. And, static rights policies are easily utilized by attackers, resulting in rights abuse or data leakage. Meanwhile, as cloud environment resources increase and the number of users increases, rights management becomes more complex, and static rights policy configuration is difficult to meet actual requirements, so that complexity of access processing is high. The access processing method provided by the embodiment can dynamically process the access request according to the real-time data of the user, improves the safety and flexibility of the access processing method, can adapt to the safety requirements of different scenes, and improves the safety management level. In addition, the access processing method can realize access processing in a complex cloud environment, and the complexity of the access processing is reduced.
The access processing method provided in this embodiment includes: determining, during the process of a user terminal accessing cloud environment resources, at least one candidate authority policy matching the real-time data according to the real-time data and a plurality of preset authority policies; ordering the candidate authority policies by priority from high to low to obtain a candidate authority policy sequence; when an access request of the user terminal is received, determining, according to the access request, the first candidate authority policy in the candidate authority policy sequence that allows the user terminal to access the target cloud environment resource corresponding to the access request as the target authority policy of the user terminal; and processing the access request according to the target authority policy. In this access processing method, the access request is processed according to a target authority policy chosen from candidate authority policies matched against the real-time data, so the access request is processed dynamically based on the real-time data; compared with processing access requests based on a static authority policy, the method has higher security and flexibility. Meanwhile, the target authority policy can be determined from the priorities of the candidate authority policies and the access request, so it can be determined quickly and efficient access processing is achieved.
Fig. 5 is a flowchart of another access processing method according to an embodiment of the present application. This embodiment describes in detail other steps involved in the access processing method based on the embodiment shown in fig. 3 and various alternative implementations. As shown in fig. 5, the access processing method provided in this embodiment includes the following steps.
Step 501: and determining at least one candidate permission strategy matched with the real-time data according to the real-time data in the process that the user terminal accesses the cloud environment resource and a plurality of preset permission strategies.
Step 502: and sequencing the candidate authority strategies according to the order of the priority of at least one candidate authority strategy from big to small to obtain a candidate authority strategy sequence.
Step 503: when an access request of a user terminal is received, determining, according to the access request, the first candidate authority policy in the candidate authority policy sequence that allows the user terminal to access the target cloud environment resource corresponding to the access request as the target authority policy of the user terminal.
Step 504: and processing the access request according to the target authority strategy.
The implementation processes and technical principles of step 501 and step 301, step 502 and step 302, step 503 and step 303, and step 504 and step 304 are similar, and are not repeated here.
Optionally, in this embodiment, the real-time data includes user information, real-time behavior data, and environment information.
The difference between this embodiment and the embodiment shown in fig. 3 and various alternative implementations is that behavior analysis and environmental analysis may also be implemented in this embodiment.
Step 505: and inputting the real-time behavior data, the access request and the target authority strategy into a pre-trained behavior analysis model to obtain a behavior analysis result output by the behavior analysis model.
In step 505, behavioral analysis may be performed based on a pre-trained behavioral analysis model. The behavioral analysis model may be a model trained based on machine learning algorithms.
FIG. 6 is a schematic diagram of behavior analysis in an embodiment of the present application. As shown in fig. 6, the real-time behavior data, the access request, and the target authority policy are input into a behavior analysis model 61 trained in advance, and the behavior analysis result output by the behavior analysis model is obtained. The behavior analysis results in the present embodiment include: normal behavior patterns and abnormal behavior patterns.
Optionally, the real-time behavior data, access request, and target permission policy may be preprocessed to remove noise and invalid data before inputting the real-time behavior data, access request, and target permission policy into the pre-trained behavior analysis model. For example, data cleansing, format conversion, data aggregation, and the like are performed.
Step 506: and inputting the environment information, the access request and the target authority strategy into a pre-trained environment analysis model to obtain an environment analysis result output by the environment analysis model.
In step 506, an environmental analysis may be performed based on a pre-trained environmental analysis model. The environmental analysis model may be a model trained based on machine learning algorithms.
FIG. 7 is a schematic diagram of environmental analysis in an embodiment of the present application. As shown in fig. 7, the environmental information, the access request, and the target authority policy are input into a pre-trained environmental analysis model 71, and the environmental analysis result output from the environmental analysis model is obtained. The environmental analysis results in this embodiment include: whether the environment in which the user operates is secure, whether it is accessed within a trusted network, and whether a trusted device is used.
Optionally, the environmental information, access request, and target permission policy may be preprocessed to remove noise and invalid data before entering the environmental information, access request, and target permission policy into the pre-trained environmental analysis model. For example, data cleansing, format conversion, data aggregation, and the like are performed.
Optionally, when the behavior analysis result indicates that abnormal behavior exists, and/or when the environment analysis result indicates that abnormal environment exists, the access processing device triggers an alarm mechanism, sends alarm information to equipment corresponding to an administrator, or takes automatic response measures, such as locking an account of a user, limiting authority of the user, and the like.
For example, the access processing device cleans the operation log of the terminal device corresponding to the user a, and removes duplicate and invalid records. The operation log includes: real-time behavior data, access requests, target rights policies, and environmental information. The behavior of the terminal device corresponding to the user a is evaluated by step 505, and the environment of the terminal device corresponding to the user a is evaluated by step 506.
According to the access processing method, the behavior of the user terminal can be analyzed based on the behavior analysis model, the environment of the user terminal can be analyzed based on the environment analysis model, abnormal behaviors and potential security threats can be accurately and rapidly found, and the security of cloud environment resources is further improved.
Fig. 8 is a flowchart of another access processing method according to an embodiment of the present application. This embodiment describes in detail the steps preceding the determination of at least one candidate entitlement policy on the basis of the embodiments shown in fig. 3 or 5. As shown in fig. 8, the access processing method provided in this embodiment further includes the following steps.
Step 801: and acquiring a login request of the user terminal.
Wherein the login request includes a user name and a password.
The access processing method provided in this embodiment may implement multi-factor authentication of the user identity before step 301 or step 501.
In this embodiment, multi-factor authentication (MFA) refers to an authentication method, and the identity of a user is confirmed by multiple independent authentication factors, such as a password, a short message authentication code, and biometric identification.
When the user terminal logs in the cloud environment, a login request can be input in the user terminal. The access processing device obtains a login request of the user terminal.
Step 802: and sending the login request to the first authentication server so that the first authentication server verifies the identity of the user corresponding to the user terminal according to the login request, and returning the basic attribute information of the user after the verification is passed.
Wherein the basic attribute information includes authentication factor issuing address information of the user.
Step 802 implements authentication of one factor, namely verifying the user identity by means of the password.
Alternatively, in order to improve verification efficiency, the first authentication server in the present embodiment may be a Lightweight Directory Access Protocol (LDAP) server.
After receiving the login request, the first authentication server verifies the identity of the user according to the user name and the password in the login request. The manner of verification may include at least one of: determining whether the user name is matched with the password; and under the condition that the user name is matched with the password, determining whether the user name is a user name with authority to log in the cloud environment. After the first authentication server passes the verification, the first authentication server returns the basic attribute information of the user to the access processing device.
The basic attribute information in the present embodiment includes verification factor transmission address information. Further, the basic attribute information may further include information of a user name, a role of the user, and the like.
The authentication factor transmission address information in this embodiment refers to an address where an authentication factor is issued. The address information may be a telephone number of the user, a user name (e.g., mailbox name) of the user in a certain application, etc.
Step 803: a verification factor acquisition request is generated.
Wherein the verification factor acquisition request includes verification factor issuing address information.
The access processing device generates the verification factor acquisition request after obtaining the verification factor issuing address information.
Optionally, in order to improve the subsequent authentication efficiency, the verification factor obtaining request in this embodiment may be an open authorization (Open Authorization, abbreviated as OAuth) request.
Step 804: and sending a verification factor acquisition request to the second authentication server so that the second authentication server sends the information of the first verification factor to the equipment corresponding to the address information of the verification factor distribution.
In this embodiment authentication of another factor is achieved by the second authentication server. The second authentication server in this embodiment may be an open authorization server. And after receiving the verification factor acquisition request, the second authentication server sends the information of the first verification factor to the equipment corresponding to the address information issued by the verification factor. It should be noted that, in this embodiment, the device corresponding to the verification factor issuing address information and the user terminal may be the same device or may be different devices. The embodiment is not limited thereto.
Optionally, the second authentication server may also send information of the first verification factor to the access processing device.
The first verification factor in this embodiment may be a short message verification code, a Time-based One-Time Password (TOTP), or a biometric feature (such as a face or fingerprint feature). The information of the first verification factor in the present embodiment may include the first verification factor itself, for example a verification code, and type identification information of the first verification factor; for example, the information of the first verification factor may include an identifier such as "fingerprint" or "face" that identifies the type of the first verification factor.
After the second authentication server sends the information of the first authentication factor to the device corresponding to the address information of the authentication factor, the user can acquire the information of the first authentication factor through the device corresponding to the address information of the authentication factor. The user may input a second authentication factor in the user terminal based on the information of the first authentication factor.
It should be noted that, the first authentication server in this embodiment may be a server in a cloud environment, or may be a server independent of the cloud environment. The second authentication server in this embodiment may be a server in a cloud environment, or may be a server independent of the cloud environment.
Step 805: and receiving the information of the second verification factor input by the user terminal and the first verification factor sent by the second authentication server.
The access processing device receives a second verification factor input by the user terminal and receives information of the first verification factor sent by the second authentication server.
Step 806: when it is determined that the second authentication factor matches the information of the first authentication factor, it is determined that the identity of the user is authenticated.
Matching the information of the second authentication factor with the first authentication factor means that the type of the second authentication factor is the same as the type of the first authentication factor and/or that the second authentication factor itself is the same as the first authentication factor itself. And when the second verification factor is matched with the information of the first verification factor, the user is a normal user, and the identity of the user passes verification.
Optionally, in step 802 to step 806, a distributed identity authentication system based on blockchain may also be used to implement identity authentication, so as to further improve security and reliability of identity authentication.
Alternatively, after determining that the identity of the user is authenticated, the access processing means may send authentication-passing indication information to the user terminal. After receiving the verification passing indication information, the user terminal can access the cloud environment resource.
After step 806, steps 301 to 304 may be performed, or steps 501 to 506 may be performed.
Optionally, when it is determined that the second authentication factor does not match the information of the first authentication factor, it is determined that the identity of the user is not authenticated, and the login request of the user is rejected.
Fig. 9 is a schematic diagram of an application scenario of another access processing method according to an embodiment of the present application. As shown in fig. 9, the access processing device 91 interacts with the first authentication server 92 and the second authentication server 93 to verify the identity of the user. The user terminal 94 transmits a login request to the access processing device 91. The access processing means 91 transmits a login request to the first authentication server 92. The first authentication server 92 returns the basic attribute information to the access processing apparatus 91. The access processing means 91 generates an authentication factor acquisition request based on the authentication factor issuing address information in the basic attribute information. And transmits a verification factor acquisition request to the second authentication server 93. The second authentication server 93 transmits the information of the first authentication factor to the device corresponding to the address information issued by the authentication factor, and transmits the information of the first authentication factor to the access processing device 91, taking the same device as the user terminal 94 as an example. The user enters the second authentication factor via the user terminal 94. The access processing means 91 receives the second authentication factor transmitted by the user terminal 94 and the information of the first authentication factor transmitted by the second authentication server. The access processing means 91 determines that the identity of the user is authenticated when it is determined that the second authentication factor matches the information of the first authentication factor.
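The exchange of steps 801 to 806 among the access processing device, the first authentication server and the second authentication server, as an added simulation that is not part of the patent text. Three in-memory parties stand in for the real servers, the first factor is a TOTP code (RFC 6238, 30-second step, 6 digits) issued by the second server, and the user record, secrets and delivery address are all constructed placeholders.

```python
"""Simulation of the two-server multi-factor login exchange (steps 801 to 806).

Added example, not the patent's own code. The first server checks the password
and returns the basic attribute information (including the factor delivery
address); the second server issues the first factor to that address and to the
access processing device; the device then checks the user's second factor
against the issued one by type and value. All names and secrets are constructed.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

FACTOR_ADDRESS = "+00-000-0000-0000"  # constructed placeholder delivery address


class FirstAuthServer:
    """Directory-style server: password check, then basic attribute information."""

    def __init__(self):
        salt = b"constructed-salt"
        # constructed user record; password kept as salted PBKDF2, not plaintext
        self._users = {
            "alice": {
                "salt": salt,
                "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000),
                "role": "admin",
                "can_login": True,
                "factor_address": FACTOR_ADDRESS,
            }
        }

    def verify(self, username: str, password: str) -> Optional[dict]:
        rec = self._users.get(username)
        if rec is None:
            return None
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        if not hmac.compare_digest(digest, rec["pw_hash"]) or not rec["can_login"]:
            return None
        return {"username": username, "role": rec["role"], "factor_address": rec["factor_address"]}


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with HOTP dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SecondAuthServer:
    """Authorization-style server: issues the first factor to the delivery address."""

    def __init__(self):
        self._secrets = {FACTOR_ADDRESS: b"constructed-totp-secret"}
        self.delivered = {}  # address -> factor info; stands in for the SMS/app channel

    def issue_factor(self, factor_address: str, now: int) -> dict:
        info = {"type": "totp", "value": totp(self._secrets[factor_address], now)}
        self.delivered[factor_address] = info   # copy sent to the user's device
        return info                             # copy sent to the access processing device


class AccessProcessingDevice:
    def __init__(self, first: FirstAuthServer, second: SecondAuthServer):
        self.first, self.second = first, second
        self._pending = {}  # username -> first-factor info awaiting the second factor

    def login(self, username: str, password: str, now: int) -> bool:
        """Steps 801 to 804: True when the password passed and a first factor was issued."""
        attrs = self.first.verify(username, password)
        if attrs is None:
            return False
        self._pending[username] = self.second.issue_factor(attrs["factor_address"], now)
        return True

    def submit_second_factor(self, username: str, factor: dict) -> bool:
        """Steps 805 and 806: the type and the value must both match the issued factor."""
        expected = self._pending.pop(username, None)
        if expected is None or factor.get("type") != expected["type"]:
            return False
        return hmac.compare_digest(str(factor.get("value", "")), expected["value"])


def run_exchange(password: str, tamper: bool = False, now: Optional[int] = None) -> bool:
    """Drive the whole exchange; tamper=True submits a wrong second factor."""
    now = int(time.time()) if now is None else now
    second = SecondAuthServer()
    device = AccessProcessingDevice(FirstAuthServer(), second)
    if not device.login("alice", password, now):
        return False  # login request rejected before any factor is issued
    # the user reads the first factor on the delivery device and types it into the terminal
    received = dict(second.delivered[FACTOR_ADDRESS])
    if tamper:
        received["value"] = "000000" if received["value"] != "000000" else "111111"
    return device.submit_second_factor("alice", received)
```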
The access processing method provided by the embodiment can realize multi-factor verification of the identity of the user, enhance the safety of identity authentication, reduce the risk of impersonation of the user and further improve the safety of access processing.
Fig. 10 is a flowchart of another access processing method according to an embodiment of the present application. The present embodiment describes in detail how to obtain the implementation of the rights policy based on the embodiments shown in fig. 3, 5 or 8. The rights policy in this embodiment includes a base rights policy and a composite rights policy. As shown in fig. 10, the access processing method provided in this embodiment further includes the following steps.
Step 1001: and determining a plurality of basic authority policies and the priority of each basic authority policy according to the access requirements of the cloud environment resources.
In this embodiment, the access requirements of the cloud environment resources may be counted, and multiple basic authority policies and the priority of each basic authority policy are determined based on various access requirements. The access requirements in this embodiment are used to indicate user information and/or context information. The embodiment can also determine the priority of each basic authority policy.
The range of priority in this embodiment may be 1 to N. N is a number greater than 1. Illustratively, N is 100.
Illustratively, the basic rights policy in this embodiment may include the following policies. Basic rights policy 1: an administrator may access all resources during the working hours. Basic rights policy 2: the common user can only access the common resources. Basic rights policy 3: the user may access sensitive data within the corporate network. Basic rights policy 4: the user is prohibited from accessing the financial data when in a particular geographic location.
Step 1002: and combining part of the basic authority policies in the plurality of basic authority policies to obtain at least one composite authority policy.
In this embodiment, part of the basic authority policies may be combined to obtain at least one composite authority policy, so as to implement more complex and finer authority control. For example, the basic authority policy 10A is used to control the read authority, the basic authority policy 10B is used to control the write authority, and the combination of the basic authority policy 10A and the basic authority policy 10B results in the composite authority policy 10C that can control the read authority and the write authority simultaneously.
In this embodiment, the basic authority policies may be combined using at least one of the logical operations AND, OR, and NOT. Illustratively, a composite authority policy may be: the resource can be accessed only when both basic authority policy A and basic authority policy B are satisfied. For another example, a composite authority policy may be: the public resource can be accessed only if basic authority policy C is satisfied and basic authority policy D is not satisfied.
Step 1003: and determining the priority of the composite authority strategy according to the priority of the basic authority strategy forming the composite authority strategy.
The priority of the composite authority policy in this embodiment may be a weighted average, a maximum, a median, or a minimum of priorities of the basic authority policies that constitute the composite authority policy.
Optionally, in this embodiment, the system administrator may configure and update the rights policy through the management interface.
The above procedure is described below with two specific examples.
For example, assume that there is a base rights policy 10D: the user group "Admin" is allowed to do all operations with priority 80, base rights policy 10E: the user group "Editor" is allowed to read and write operations but not delete, with priority 70. Combining the basic authority policy 10D and the basic authority policy 10E to obtain a composite authority policy: and the resources can be deleted only by belonging to the groups of Admin and Editor, and the priority is 75.
For another example, assume that there is a base rights policy 10F: an administrator may access all resources during the working time with priority 78, base rights policy 10G: the average user can only access the public resource with a priority of 75. Combining the basic authority policy 10F and the basic authority policy 10G to obtain a composite authority policy 10H: an administrator can access all resources during the working hours, and a common user can only access the common resources, and the priority is 75.
The access processing method provided by this embodiment supports complex combinations of authority policies and priority settings, can control different types of users, resources and operations at fine granularity, and improves the fineness and operability of access processing. For example, different authority policies can be set for access behaviour in a specific time period or at a specific place, so that finer access processing is achieved. Meanwhile, the authority policies can be expanded dynamically to adapt quickly to growing cloud environment resources and user demands.
Optionally, after step 1003, steps 301 to 304, steps 501 to 506, or steps 801 to 806 may be performed.
According to the access processing method provided by this embodiment, the base permission policies and their priorities can be determined, and the composite permission policies and their priorities can be determined, so that each permission policy can be determined flexibly. Various policy combinations and priority settings are supported, which improves the fineness and operability of the determined permission policies and allows them to adapt to the security requirements of different scenarios.
Fig. 11 is a flowchart of another access processing method according to an embodiment of the present application. This embodiment describes in detail the steps that follow the processing of an access request, on the basis of the embodiments shown in fig. 3, 5, 8 or 10. As shown in fig. 11, the access processing method provided by this embodiment includes the following steps.
Step 1101: determining, according to real-time data obtained while the user terminal accesses cloud environment resources and a plurality of preset permission policies, at least one candidate permission policy that matches the real-time data.
Step 1102: sorting the candidate permission policies in descending order of priority to obtain a candidate permission policy sequence.
Step 1103: when an access request of the user terminal is received, determining, according to the access request, the first candidate permission policy in the candidate permission policy sequence that allows the user terminal to access the target cloud environment resource corresponding to the access request as the target permission policy of the user terminal.
Step 1104: processing the access request according to the target permission policy.
The implementation processes and technical principles of step 1101 and step 301, step 1102 and step 302, step 1103 and step 303, and step 1104 and step 304 are similar and are not repeated here.
Step 1105: storing the real-time data, the target permission policy and the access request to obtain a log corresponding to the user.
An efficient logging and auditing mechanism is an important component in ensuring the security and traceability of an access processing method. The access processing method provided by this embodiment can also record the user's log and audit it. In step 1105, the real-time data, the target permission policy and the access request are stored. Optionally, the access result may also be stored.
The log in this embodiment records each operation of the user in detail, including login, resource access and permission changes. The log corresponding to the user in this embodiment includes the operation time, the operating user, the operation type, the operation result, and so on.
Optionally, in this embodiment, a distributed storage technology may be used when storing the log, to ensure efficient storage and fast retrieval. At the same time, the log can be backed up to multiple nodes so that data loss is prevented.
Alternatively, in this embodiment, the log may be stored on a log server.
Step 1106: analysing the log to obtain an analysis result.
The analysis result represents reference information used when determining the permission policy of the user terminal.
In this embodiment, the log may be analysed periodically by a log analysis tool to find potential security threats and abnormal behaviour, thereby obtaining an analysis result. The analysis result in this embodiment represents reference information used when determining the permission policy of the user terminal; that is, the analysis result is used to determine the candidate permission policies of the user terminal. It will be understood that, when updated real-time data is obtained, the analysis result in this embodiment is used to determine at least one candidate permission policy matching the updated real-time data, based on the updated real-time data, the analysis result and the preset permission policies.
Correspondingly, step 1101 in this embodiment is implemented as: determining, according to the real-time data, the historical log analysis result and the permission policies, at least one candidate permission policy that matches both the real-time data and the historical log analysis result. In other words, when determining the candidate permission policies, both the real-time data and the historical log analysis result are considered, so that the determined candidate permission policies better fit the actual scenario and the security of access processing is further improved.
Optionally, in this embodiment, real-time auditing may also be performed on the basis of the log: the user's log is monitored in real time, and abnormal behaviour is found and responded to promptly. For example, on detecting that a user frequently attempts to access unauthorised resources, the access processing device may immediately notify an administrator or trigger an automatic response policy.
Optionally, in this embodiment, an audit report may also be generated periodically on the basis of the analysis result, to ensure that access requests comply with the relevant regulations and security standards. The audit report includes the operation log, the permission change records, the policy adjustment records, and so on.
For example, the access processing device records the operation log and the permission adjustment log of the user terminal corresponding to user A, including the time, reason and result of each permission adjustment, and obtains the log corresponding to user A. The access processing device stores the log on a secure log server, ensuring the integrity and security of the log data. The access processing device analyses the log periodically and identifies abnormal operations of user A, such as access to sensitive data outside working hours, thereby obtaining an analysis result. The access processing device generates a detailed audit report that records the operations and the permission adjustments of user A, for review by an administrator.
The access processing method in this embodiment records the process and result of permission adjustments, achieves efficient logging and auditing, further improves the security of access control, and ensures the traceability of operations.
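The logging and audit steps 1105 and 1106, as an added example that is not part of the patent: log entries in the shape step 1105 stores are analysed for the two abnormal behaviours the text names (repeated attempts on unauthorised resources, sensitive access outside working hours), and the analysis result is merged back into the real-time data so that candidate policy matching can use it. The record layout, the working-hours window and the "frequent attempts" threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

WORK_START, WORK_END = 9, 18            # assumed working hours (local time)
DENY_THRESHOLD, WINDOW = 3, timedelta(minutes=10)   # assumed "frequent" rule


@dataclass(frozen=True)
class LogEntry:
    """One record as stored in step 1105: the access request, the target
    policy and the result, plus the real-time fields the analysis needs."""
    time: datetime
    user: str
    operation: str
    resource: str
    sensitive: bool
    target_policy: str      # "" when no candidate policy allowed the request
    result: str             # "allowed" or "denied"


def max_denials_in_window(times: List[datetime]) -> int:
    """Largest number of denied requests falling inside any WINDOW-long span."""
    times = sorted(times)
    best = start = 0
    for i, t in enumerate(times):
        while t - times[start] > WINDOW:
            start += 1
        best = max(best, i - start + 1)
    return best


def analyze(entries: List[LogEntry]) -> Dict[str, dict]:
    """Step 1106: per-user findings. Flags repeated denied requests (frequent
    attempts to reach unauthorised resources) and sensitive access outside
    working hours, the two abnormal behaviours the page gives as examples."""
    by_user: Dict[str, List[LogEntry]] = defaultdict(list)
    for e in entries:
        by_user[e.user].append(e)
    analysis = {}
    for user, evs in by_user.items():
        off_hours = sum(1 for e in evs if e.sensitive and e.result == "allowed"
                        and not WORK_START <= e.time.hour < WORK_END)
        burst = max_denials_in_window([e.time for e in evs if e.result == "denied"])
        analysis[user] = {
            "off_hours_sensitive": off_hours,
            "max_denials_in_window": burst,
            "risk": "high" if off_hours or burst >= DENY_THRESHOLD else "normal",
        }
    return analysis


def enrich_real_time_data(real_time_data: dict, analysis: Dict[str, dict],
                          user: str) -> dict:
    """Merge the historical analysis result into the real-time data so that
    candidate policy matching (step 1101) can also key on it, for instance a
    restrictive policy that only applies while risk == "high"."""
    enriched = {section: dict(values) for section, values in real_time_data.items()}
    enriched.setdefault("user", {})["risk"] = analysis.get(user, {}).get("risk", "normal")
    return enriched


def audit_report(entries: List[LogEntry], analysis: Dict[str, dict]) -> dict:
    """Summary for administrator review: operation counts per user and the
    users whose findings should trigger a notification or automatic response."""
    operations: Dict[tuple, int] = defaultdict(int)
    for e in entries:
        operations[(e.user, e.operation, e.result)] += 1
    return {"operations": dict(operations),
            "alerts": sorted(u for u, f in analysis.items() if f["risk"] == "high")}


# Constructed sample log: user A reads sensitive data at 22:00 and then has a
# burst of denied requests; user B shows ordinary daytime activity.
T = datetime(2024, 7, 24, 22, 0)
SAMPLE_LOG = [
    LogEntry(T, "A", "read", "payroll", True, "10D", "allowed"),
    LogEntry(T + timedelta(minutes=1), "A", "delete", "payroll", True, "", "denied"),
    LogEntry(T + timedelta(minutes=2), "A", "delete", "payroll", True, "", "denied"),
    LogEntry(T + timedelta(minutes=4), "A", "write", "payroll", True, "", "denied"),
    LogEntry(datetime(2024, 7, 24, 10, 0), "B", "read", "public", False, "10G", "allowed"),
    LogEntry(datetime(2024, 7, 24, 10, 30), "B", "write", "public", False, "", "denied"),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(result["A"])                                  # risk: high
    print(audit_report(SAMPLE_LOG, result)["alerts"])   # ['A']
```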
Fig. 12 is a schematic structural diagram of an access processing system according to an embodiment of the present application. As shown in fig. 12, the access processing system provided by this embodiment includes an identity authentication module 121, a real-time monitoring and analysis module 122, a policy engine module 123 and a log audit module 124, which are connected in sequence.
The identity authentication module 121 is configured to perform steps 801 to 806.
The real-time monitoring and analysis module 122 is configured to obtain real-time data while the user terminal accesses cloud environment resources, and to perform steps 505 and 506.
The policy engine module 123 is configured to perform steps 301 to 304 and steps 1001 to 1003. The policy engine module is the core component of the access processing system and can adjust a user's permission policy in real time. Optionally, the policy engine module 123 may feed the matched target permission policy back to the identity authentication module 121, and the identity authentication module 121 may control the front-end display according to the target permission policy.
The log audit module 124 is configured to perform steps 1105 and 1106.
The access processing system provided by this embodiment has the following advantages. Extensibility: the system architecture is flexible, supports dynamic extension, and can adapt quickly to continuously growing cloud computing resources and user demands. Flexibility: the permission policy can be adjusted dynamically according to the user's real-time data and adapted to the security requirements of different scenarios. Security: user behaviour can be monitored and analysed in real time, and abnormal behaviour discovered and responded to promptly. Fineness: the flexible policy engine design supports various permission policy combinations and priority settings, improving the fineness and operability of access processing.
Fig. 13 is a schematic structural diagram of an access processing apparatus according to an embodiment of the present application. As shown in fig. 13, the access processing apparatus provided by this embodiment includes the following modules: a first determining module 1301, a sorting module 1302, a second determining module 1303 and a processing module 1304.
The first determining module 1301 is configured to determine, according to real-time data obtained while the user terminal accesses cloud environment resources and a plurality of preset permission policies, at least one candidate permission policy matching the real-time data.
The sorting module 1302 is configured to sort the candidate permission policies in descending order of priority to obtain a candidate permission policy sequence.
The second determining module 1303 is configured to determine, when an access request of the user terminal is received and according to the access request, the first candidate permission policy in the candidate permission policy sequence that allows the user terminal to access the target cloud environment resource corresponding to the access request as the target permission policy of the user terminal.
The processing module 1304 is configured to process the access request according to the target permission policy.
In one embodiment, the apparatus further includes a first acquisition module, a first sending module, a generation module, a second sending module, a receiving module and a third determining module.
The first acquisition module is configured to acquire a login request of the user terminal.
The login request includes a user name and a password.
The first sending module is configured to send the login request to a first authentication server, so that the first authentication server verifies the identity of the user corresponding to the user terminal according to the login request and, once verification passes, returns the user's basic attribute information. The basic attribute information includes the user's verification factor issuing address information.
The generation module is configured to generate a verification factor acquisition request. The verification factor acquisition request includes the verification factor issuing address information.
The second sending module is configured to send the verification factor acquisition request to a second authentication server, so that the second authentication server sends information of a first verification factor to the device corresponding to the verification factor issuing address information.
The receiving module is configured to receive a second verification factor input at the user terminal and the information of the first verification factor sent by the second authentication server.
The third determining module is configured to determine that the user's identity has passed verification when the second verification factor is determined to match the information of the first verification factor.
In one embodiment, the real-time data includes user information, real-time behavior data, and environmental information.
The user information includes the role of the user corresponding to the user terminal.
The real-time behavioral data includes at least one of: the login time of the user terminal, the login location of the user terminal, the access frequency of the user terminal, the operation type of the user terminal, the operation frequency of the user terminal, the type of resources accessed by the user terminal and the number of resources accessed by the user terminal.
The environmental information includes at least one of: attribute information of the user terminal, information of a network to which the user terminal is connected, geographical location information of the user terminal, and access time information.
In one embodiment, the first determining module 1301 is specifically configured to: analyzing the real-time data, and extracting key attribute values in the real-time data, wherein the key attribute values are used for representing at least one of the following: the user information, the real-time behavior data, and the environmental information; and determining the authority strategy matched with the key attribute value in the plurality of authority strategies as the candidate authority strategy.
In an embodiment, the apparatus further includes a fourth determining module and a fifth determining module. And the fourth determining module is used for inputting the real-time behavior data, the access request and the target authority strategy into a pre-trained behavior analysis model to obtain a behavior analysis result output by the behavior analysis model. And a fifth determining module, configured to input the environmental information, the access request, and the target authority policy into a pre-trained environmental analysis model, to obtain an environmental analysis result output by the environmental analysis model.
In one embodiment, the apparatus further comprises: the device comprises a second acquisition module, an adjustment module and a writing module.
And the second acquisition module is used for acquiring the initial authority information of the user corresponding to the user terminal.
And the adjusting module is used for adjusting the initial authority information according to the target authority strategy to obtain an adjusted authority strategy.
And the writing module is used for writing the adjusted authority strategy into the authority configuration information of the user.
In one embodiment, the processing module 1304 is specifically configured to: acquiring the adjusted authority policy from the authority configuration information; and processing the access request according to the adjusted authority strategy.
In one embodiment, the ranking module 1302 is specifically configured to, in the order of the priority of the at least one candidate authority policy from big to small, rank the candidate authority policies: if the priority of the first candidate authority strategy is higher than that of the second candidate authority strategy, determining that the ordering of the first candidate authority strategy is positioned before the second candidate authority strategy; if the priority of the first candidate authority strategy is the same as the priority of the second candidate authority strategy, sequencing according to the strategy type of the first candidate authority strategy and the strategy type of the second candidate authority strategy; and if the policy type of the first candidate authority policy and the priority of the second candidate authority policy are the same and the policy types are the same, sequencing according to the creation time of the first candidate authority policy and the creation time of the second candidate authority policy.
In one embodiment, the permission policies include base permission policies and composite permission policies, and the apparatus further includes a sixth determining module, a combining module and a seventh determining module.
The sixth determining module is configured to determine a plurality of base permission policies and the priority of each base permission policy according to the access requirements of the cloud environment resources.
The combining module is configured to combine some of the plurality of base permission policies to obtain at least one composite permission policy.
The seventh determining module is configured to determine the priority of the composite permission policy according to the priorities of the base permission policies that make it up.
In one embodiment, the apparatus further includes a storage module and an analysis module.
The storage module is configured to store the real-time data, the target permission policy and the access request to obtain a log corresponding to the user.
The analysis module is configured to analyse the log to obtain a log analysis result. The log analysis result represents reference information used when determining the permission policy of the user terminal.
In one embodiment, the first determining module 1301 is specifically configured to: determine, according to the real-time data, the historical log analysis result and the permission policies, at least one candidate permission policy that matches both the real-time data and the historical log analysis result.
In one embodiment, the apparatus further includes a rejecting module configured to reject an access request of the user terminal, when it is received, if it is determined that every candidate permission policy in the candidate permission policy sequence denies the user terminal access to the target cloud environment resource corresponding to the access request.
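The policy engine described in steps 1101 to 1104, the sorting rule of the sorting module (priority, then policy type, then creation time), the composite-policy priority rule (weighted average, maximum, median or minimum, illustrated with policies 10D/10E and 10F/10G) and the rejecting module, as one added example that is not the patent's own code: the key attribute extraction, the policy field layout, the tie-break order between policy types and the sample policies are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Iterable, List, Optional

ALLOW, DENY = "allow", "deny"
ANY = frozenset({"*"})   # marker for "all resources" / "all operations"

@dataclass(frozen=True)
class Policy:
    name: str
    priority: float
    policy_type: str        # "base" or "composite"
    created: datetime
    match: dict             # key attribute values the policy requires
    resources: frozenset    # resources it governs; ANY means all
    operations: frozenset   # operations it governs; ANY means all
    effect: str             # ALLOW or DENY

def extract_key_attrs(real_time_data: dict) -> dict:
    """Flatten user information, real-time behaviour data and environment
    information into one map of key attribute values (step 1101)."""
    attrs: dict = {}
    for section in ("user", "behavior", "environment"):
        attrs.update(real_time_data.get(section, {}))
    return attrs

def policy_matches(p: Policy, attrs: dict) -> bool:
    """Every constrained attribute must be present; a set-valued constraint
    (e.g. required group membership) must be a subset of the user's value."""
    for key, required in p.match.items():
        actual = attrs.get(key)
        if isinstance(required, frozenset):
            if not isinstance(actual, (set, frozenset)) or not required <= actual:
                return False
        elif actual != required:
            return False
    return True

TYPE_RANK = {"composite": 0, "base": 1}   # assumed: composite wins a priority tie

def order_candidates(candidates: Iterable[Policy]) -> List[Policy]:
    """Descending priority; ties by policy type, then creation time (step 1102)."""
    return sorted(candidates, key=lambda p: (-p.priority,
                                             TYPE_RANK.get(p.policy_type, 9),
                                             p.created))

def covers(p: Policy, resource: str, operation: str) -> bool:
    return ((p.resources == ANY or resource in p.resources)
            and (p.operations == ANY or operation in p.operations))

def select_target_policy(sequence, resource, operation) -> Optional[Policy]:
    """First candidate in the sequence that allows the request (step 1103);
    None means no candidate allows it, so the request is rejected."""
    for p in sequence:
        if covers(p, resource, operation) and p.effect == ALLOW:
            return p
    return None

def process_request(policies, real_time_data, resource, operation) -> dict:
    """Steps 1101-1104 end to end; the ordered candidate names are returned
    too so the tie-break order can be inspected."""
    attrs = extract_key_attrs(real_time_data)
    sequence = order_candidates(p for p in policies if policy_matches(p, attrs))
    target = select_target_policy(sequence, resource, operation)
    return {"sequence": [p.name for p in sequence],
            "target": target.name if target else None,
            "allowed": target is not None}

def composite_priority(parts: Iterable[Policy], method="mean", weights=None) -> float:
    """Priority of a composite policy derived from its base policies' priorities."""
    pr = [p.priority for p in parts]
    if method == "mean":                      # (weighted) average
        w = list(weights) if weights else [1] * len(pr)
        return sum(x * y for x, y in zip(pr, w)) / sum(w)
    return {"max": max, "min": min, "median": median}[method](pr)

# Constructed policies mirroring the page's 10D/10E and 10F/10G examples.
T0 = datetime(2024, 7, 24)
P10D = Policy("10D", 80, "base", T0, {"groups": frozenset({"Admin"})}, ANY, ANY, ALLOW)
P10E = Policy("10E", 70, "base", T0, {"groups": frozenset({"Editor"})}, ANY,
              frozenset({"read", "write"}), ALLOW)
P10DE = Policy("10DE", composite_priority([P10D, P10E]), "composite", T0,
               {"groups": frozenset({"Admin", "Editor"})}, ANY, frozenset({"delete"}), ALLOW)
P10F = Policy("10F", 78, "base", T0, {"role": "administrator", "working_hours": True},
              ANY, ANY, ALLOW)
P10G = Policy("10G", 75, "base", T0, {"role": "user"}, frozenset({"public"}),
              frozenset({"read"}), ALLOW)
POLICIES = [P10D, P10E, P10DE, P10F, P10G]
EDITOR = {"user": {"groups": frozenset({"Editor"}), "role": "user"}}
ADMIN_EDITOR = {"user": {"groups": frozenset({"Admin", "Editor"}), "role": "user"}}
```

With these policies an Editor-only user is refused a delete (no candidate allows it), while for a user in both groups the 75-priority composite policy sorts ahead of the 75-priority base policy 10G.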
The access processing apparatus provided by the embodiment of the present application can be used to execute the technical solution of the access processing method of the above embodiments; the implementation principle and technical effect are similar and are not repeated here.
It should be understood that the division of the above apparatus into modules is merely a division by logical function; the modules may be fully or partially integrated into one physical entity or may be physically separate. These modules may all be implemented as software invoked by a processing element, or all in hardware, or some as software invoked by a processing element and others in hardware. For example, the first determining module 1301, the sorting module 1302, the second determining module 1303 and the processing module 1304 may each be a separately configured processing element, may be integrated into one of the chips of the above apparatus, or may be stored in the memory of the above apparatus as program code and invoked by one of the processing elements of the above apparatus to execute the functions of these modules. The other modules are implemented similarly. In addition, all or some of the modules may be integrated together or implemented independently. The processing element here may be an integrated circuit with signal processing capability. In implementation, each step of the above method, or each of the above modules, may be carried out by an integrated logic circuit in hardware within a processor element or by instructions in the form of software.
Fig. 14 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 14, the electronic device may include: a processor 142 and a memory 143.
The processor 142 executes the computer-executable instructions stored in the memory, which cause the processor 142 to carry out the solutions of the embodiments described above. The processor 142 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and so on; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
The memory 143 is coupled to the processor 142 via a system bus, over which they communicate with each other, and the memory 143 is configured to store computer program instructions.
Optionally, the electronic device may also include a transceiver 141. The transceiver 141 may be used to receive access requests from user terminals.
The system bus may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The system bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration, only one bold line is shown in the figure, but this does not mean that there is only one bus or one type of bus. The transceiver is used to communicate between the access processing device and other computer equipment. The memory may include random access memory (RAM) and may also include non-volatile memory.
An embodiment of the present application also provides a chip for running instructions, the chip being configured to execute the technical solution of the access processing method of the above embodiments.
An embodiment of the present application also provides a computer-readable storage medium storing computer instructions which, when run on a computer, cause the computer to execute the technical solution of the access processing method of the above embodiments.
Embodiments of the present application also provide a computer program product comprising a computer program which, when executed by a processor, implements an access processing method as provided by any of the embodiments of the present application.
In implementing the computer program product, the computer program code for carrying out the operations of the present application may be written in one or more programming languages, including object-oriented programming languages such as Java, Smalltalk and C++, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. In the latter case, the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
It should be noted that the above are only preferred embodiments of the present application and the technical principles applied. Those skilled in the art will understand that the present application is not limited to the particular embodiments described herein, and that various obvious changes, rearrangements and substitutions can be made without departing from the scope of the application. Therefore, although the application has been described with reference to the above embodiments, the application is not limited to them and may include many other equivalent embodiments without departing from the spirit or scope of the application, which is defined by the following claims.

Claims (16)

1. An access processing method, comprising:
determining, according to real-time data obtained while a user terminal accesses cloud environment resources and a plurality of preset permission policies, at least one candidate permission policy matching the real-time data;
sorting the candidate permission policies in descending order of priority of the at least one candidate permission policy to obtain a candidate permission policy sequence;
when an access request of the user terminal is received, determining, according to the access request, a candidate permission policy in the candidate permission policy sequence that allows the user terminal to access a target cloud environment resource corresponding to the access request as a target permission policy of the user terminal;
processing the access request according to the target permission policy.
2. The method according to claim 1, wherein, before determining at least one candidate permission policy matching the real-time data according to the real-time data obtained while the user terminal accesses cloud environment resources and the plurality of preset permission policies, the method further comprises:
acquiring a login request of the user terminal, wherein the login request includes a user name and a password;
sending the login request to a first authentication server, so that the first authentication server verifies the identity of a user corresponding to the user terminal according to the login request and, after the verification passes, returns basic attribute information of the user, wherein the basic attribute information includes verification factor issuing address information of the user;
generating a verification factor acquisition request, wherein the verification factor acquisition request includes the verification factor issuing address information;
sending the verification factor acquisition request to a second authentication server, so that the second authentication server sends information of a first verification factor to a device corresponding to the verification factor issuing address information;
receiving a second verification factor input at the user terminal and the information of the first verification factor sent by the second authentication server;
when the second verification factor is determined to match the information of the first verification factor, determining that the identity of the user has passed verification.
3. The method according to claim 1, wherein the real-time data comprises user information, real-time behaviour data and environmental information;
the user information comprises a role of the user corresponding to the user terminal;
the real-time behaviour data includes at least one of: the login time of the user terminal, the login location of the user terminal, the access frequency of the user terminal, the operation type of the user terminal, the operation frequency of the user terminal, the type of resources accessed by the user terminal and the number of resources accessed by the user terminal;
the environmental information includes at least one of: attribute information of the user terminal, information of the network to which the user terminal is connected, geographical location information of the user terminal, and access time information.
4. The method according to claim 3, wherein determining at least one candidate permission policy matching the real-time data according to the real-time data obtained while the user terminal accesses cloud environment resources and the plurality of preset permission policies comprises:
analysing the real-time data and extracting key attribute values from the real-time data, wherein the key attribute values represent at least one of the user information, the real-time behaviour data and the environmental information;
determining the permission policies among the plurality of permission policies that match the key attribute values as the candidate permission policies.
5. The method according to claim 3 or 4, wherein the method further comprises:
inputting the real-time behaviour data, the access request and the target permission policy into a pre-trained behaviour analysis model to obtain a behaviour analysis result output by the behaviour analysis model;
inputting the environmental information, the access request and the target permission policy into a pre-trained environment analysis model to obtain an environment analysis result output by the environment analysis model.
6. The method according to any one of claims 1 to 4, wherein, before processing the access request according to the target permission policy, the method further comprises:
acquiring initial permission information of a user corresponding to the user terminal;
adjusting the initial permission information according to the target permission policy to obtain an adjusted permission policy;
writing the adjusted permission policy into the permission configuration information of the user.
7. The method according to claim 6, wherein processing the access request according to the target permission policy comprises:
acquiring the adjusted permission policy from the permission configuration information;
processing the access request according to the adjusted permission policy.
8. The method according to any one of claims 1 to 4, wherein sorting the candidate permission policies in descending order of priority of the at least one candidate permission policy comprises:
if the priority of a first candidate permission policy is higher than that of a second candidate permission policy, placing the first candidate permission policy before the second candidate permission policy;
if the priority of the first candidate permission policy is the same as the priority of the second candidate permission policy, sorting according to the policy type of the first candidate permission policy and the policy type of the second candidate permission policy;
if the priorities of the first and second candidate permission policies are the same and their policy types are also the same, sorting according to the creation time of the first candidate permission policy and the creation time of the second candidate permission policy.
9. The method according to any one of claims 1 to 4, wherein the permission policies include base permission policies and composite permission policies;
the method further comprises:
determining a plurality of base permission policies and the priority of each base permission policy according to the access requirements of the cloud environment resources;
combining some of the plurality of base permission policies to obtain at least one composite permission policy;
determining the priority of the composite permission policy according to the priorities of the base permission policies that make up the composite permission policy.
10. The method according to any one of claims 1 to 4, further comprising:
storing the real-time data, the target permission policy and the access request to obtain a log corresponding to the user;
analysing the log to obtain a log analysis result, wherein the log analysis result represents reference information used when determining the permission policy of the user terminal.
11. The method according to claim 10, wherein determining at least one candidate permission policy matching the real-time data according to the real-time data obtained while the user terminal accesses cloud environment resources and the plurality of preset permission policies comprises:
determining, according to the real-time data, the historical log analysis result and the permission policies, at least one candidate permission policy matching both the real-time data and the historical log analysis result.
12. The method according to any one of claims 1 to 4, further comprising:
when an access request of the user terminal is received, if it is determined that every candidate permission policy in the candidate permission policy sequence denies the user terminal access to the target cloud environment resource corresponding to the access request, rejecting the access request.
13. An access processing apparatus, comprising:
a first determining module, configured to determine, during the process of a user terminal accessing cloud environment resources, at least one candidate authority policy matching the real-time data according to the real-time data and a plurality of preset authority policies;
an ordering module, configured to order the at least one candidate authority policy in descending order of priority to obtain a candidate authority policy sequence;
a second determining module, configured to, when an access request of the user terminal is received, determine according to the access request a candidate authority policy in the candidate authority policy sequence that allows the user terminal to access the target cloud environment resource corresponding to the access request as the target authority policy of the user terminal;
and a processing module, configured to process the access request according to the target authority policy.
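Added example (not the patent's code) in Python that exercises claims 8, 9, 10, 12 and 13 together: candidate selection against the terminal's real-time data, the priority / policy-type / creation-time ordering, composite policy priority, the log entry, and the reject-when-no-candidate-allows rule. The composite priority rule (maximum of the parts) and conjunction match, the tie-break order between policy types, and the sample policies and real-time data are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List

@dataclass(frozen=True)
class AuthorityPolicy:
    name: str
    priority: int                    # larger value is evaluated first
    policy_type: str                 # "basic" or "composite"
    created: datetime                # creation time, the last tie-breaker
    matches: Callable[[dict], bool]  # condition over the terminal's real-time data
    allowed: frozenset               # target cloud resources the policy allows

def composite(name: str, parts: List[AuthorityPolicy], created: datetime) -> AuthorityPolicy:
    # Claim 9: priority derived from the constituent basic policies; the claims do
    # not fix the rule, so this example assumes the maximum and a conjunction match.
    return AuthorityPolicy(name, max(p.priority for p in parts), "composite", created,
                           lambda d: all(p.matches(d) for p in parts),
                           frozenset().union(*(p.allowed for p in parts)))

TYPE_ORDER = {"basic": 0, "composite": 1}  # tie-break between types (assumed order)

def candidate_sequence(policies, realtime: dict) -> List[AuthorityPolicy]:
    # Claims 8 and 13: keep policies matching the real-time data, then order by
    # priority descending, policy type, and finally creation time (earliest first).
    cands = [p for p in policies if p.matches(realtime)]
    return sorted(cands, key=lambda p: (-p.priority, TYPE_ORDER[p.policy_type], p.created))

def process_request(policies, realtime: dict, resource: str) -> dict:
    # Claims 12 and 13: the first candidate that allows the requested resource is
    # the target policy; if no candidate allows it, the request is rejected.
    seq = candidate_sequence(policies, realtime)
    target = next((p for p in seq if resource in p.allowed), None)
    # Claim 10: real-time data, target policy and request together form the log entry.
    return {"realtime": realtime, "resource": resource,
            "candidates": [p.name for p in seq],
            "target": target.name if target else None,
            "decision": "allow" if target else "reject"}

# Constructed sample policies (not taken from the patent).
T0 = datetime(2024, 1, 1)
OFFICE = AuthorityPolicy("office-net", 10, "basic", T0,
                         lambda d: d["ip"].startswith("10."), frozenset({"db"}))
MFA = AuthorityPolicy("mfa-done", 10, "basic", datetime(2024, 3, 1),
                      lambda d: d["mfa"], frozenset({"db", "storage"}))
OFFICE_MFA = composite("office+mfa", [OFFICE, MFA], datetime(2024, 6, 1))
POLICIES = [MFA, OFFICE_MFA, OFFICE]
```

Note that under claims 12 and 13 as written a higher-priority candidate that does not allow the resource is simply skipped, so a later, lower-priority candidate can still grant access; a deployment that wants an explicit deny to win needs an additional rule the claims do not describe.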
14. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable by the processor, wherein the processor, when executing the computer program, implements the access processing method according to any one of claims 1 to 12.
15. A computer-readable storage medium on which a computer program is stored, wherein the program, when executed by a processor, implements the access processing method according to any one of claims 1 to 12.
16. A computer program product comprising a computer program which, when executed by a processor, implements the access processing method according to any one of claims 1 to 12.
CN202410999504.2A 2024-07-24 2024-07-24 Access processing method, device, equipment and storage medium Pending CN118965388A (en)

Publications (1)

Publication Number Publication Date
CN118965388A (en) 2024-11-15

Family

ID=93406805

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119227117A (en) * 2024-12-02 2024-12-31 天津南大通用数据技术股份有限公司 Database access method and device, electronic device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination