CN-122020703-A - Authority rule storage and retrieval method
Abstract
The invention relates to an authority rule storage and retrieval method comprising three indexes, namely an ordered index, a hash index and a directed acyclic graph index, together with an index-based authority rule management flow, adding flow, deleting flow and retrieval flow. The method has two parts: an index information extractor, which extracts index information from a user range or an object range, and an index data manager, which provides the capabilities of adding, deleting and querying authority rules on the basis of the index information extracted by the extractor. The two parts cooperate to manage authority rules jointly, which solves the high time complexity and low efficiency of authority reasoning in current authority rule storage and retrieval methods and gives lower retrieval latency and lower retrieval resource usage.
Inventors
- LIU QIANXI
Assignees
- 东方财富信息股份有限公司 (East Money Information Co., Ltd.)
Dates
- Publication Date
- 20260512
- Application Date
- 20251219
Claims (8)
- 1. An authority rule storage and retrieval method, characterized in that it comprises three indexes, namely an ordered index, a hash index and a directed acyclic graph index, and an index-based authority rule management flow, adding flow, deleting flow and retrieval flow, wherein:
  The index-based authority rule management flow comprises a user-range or object-range index, an index information extractor (the user-range or object-range index information extraction unit) and an index data manager (the user-range or object-range index management unit); the index information extractor extracts index information from a user range or object range, and the index data manager provides, on the basis of the index information extracted by the index information extractor, the capabilities of adding, deleting and querying authority rules;
  The authority rule adding flow comprises: inputting the authority rule to be added, the authority rule comprising a plurality of user ranges, a role, a plurality of authorities and the object range corresponding to each authority; traversing each user range of the input rule and, for each index constructed for user ranges, attempting to extract index information from the user range through the index information extractor; if index information is extracted, adding the rule into that index through the index data manager, and otherwise adding the rule into a 'user range index-incapable list'; traversing each object range of the input rule and, for each index constructed for object ranges, attempting to extract index information from the object range through the index information extractor; if index information is extracted, adding the rule into that index through the index data manager, and otherwise adding the rule into an 'object range index-incapable list';
  The authority rule deleting flow comprises: inputting the authority rule to be deleted, the authority rule comprising a plurality of user ranges, a role, a plurality of authorities and the object range corresponding to each authority; traversing each user range of the input rule and, for each index constructed for user ranges, attempting to extract index information from the user range through the index information extractor; if index information is extracted, deleting the rule from that index through the index data manager, and otherwise deleting the rule from the 'user range index-incapable list'; traversing each object range of the input rule and, for each index constructed for object ranges, attempting to extract index information from the object range through the index information extractor; if index information is extracted, deleting the rule from that index through the index data manager, and otherwise deleting the rule from the 'object range index-incapable list';
  The authority rule retrieval flow (authorization check) comprises: inputting a user, an object and an authority; for each user-range index, acquiring authority rules from the index data manager according to the index information extracted from the input user, denoted set X1; traversing all authority rules in the 'user range index-incapable list', evaluating their user ranges one by one by expression evaluation, and taking the rules whose user range is satisfied, denoted set X2; for each object-range index, acquiring authority rules from the index data manager according to the index information extracted from the input object, denoted set X3; traversing all authority rules in the 'object range index-incapable list', evaluating their object ranges one by one by expression evaluation, and taking the rules whose object range is satisfied, denoted set X4; taking the union of X1 and X2 as the authority rule set X5; taking the union of X3 and X4 as the authority rule set X6; taking the intersection of X5 and X6 to obtain the authority rules that satisfy the user range and the object range simultaneously; and traversing these rules, judging the input as authorized if one of them can be matched against the input authority, and as not authorized otherwise;
  The authority retrieval flow (listing the authorities of a user) comprises: inputting a user; for each user-range index, acquiring authority rules from the index data manager according to the index information extracted from the input user, denoted set Y1; traversing all authority rules in the 'user range index-incapable list', evaluating their user ranges one by one by expression evaluation, and taking the rules whose user range is satisfied, denoted set Y2; taking the union of Y1 and Y2 as the authority rule set Y3; merging the object ranges of the rules in Y3 with their corresponding authorities, and returning the merged result.
- 2. The authority rule storage and retrieval method of claim 1, wherein the applicable scenario and implementation of the ordered index are as follows: in authority rule retrieval, if an atomic proposition in a user range or object range involves the numerical comparison of numbers or the lexicographic comparison of character strings, an ordered index can be constructed for that atomic proposition; the index information extractor is implemented such that the index information of an ordered index comprises two parts, an index key and an index range, and covers the different forms of atomic propositions involving numerical comparison of numbers or lexicographic comparison of character strings; the index data manager is implemented with a red-black tree that stores the index keys of the index information in order, the index value of each index key comprising three sets of stored authority rules, namely the set of rules whose index range is 'greater than', the set whose index range is 'equal to' and the set whose index range is 'less than'; the index data manager implements adding, deleting and querying authority rules as follows: adding inserts the index key from the extracted index information into the red-black tree and adds the rule into the set of the index value selected by the index range; deleting looks up the index key from the extracted index information, and if the key is not in the red-black tree the rule was never added and there is nothing to delete, while if the key is present the set selected by the index range is located in the index value and the rule is deleted from it; querying, when a specific user or object is input, extracts the specific attribute value of the input user or object as the index value, denoted c, and searches the red-black tree as follows: obtain the index value whose index key is c and extract from it the set of rules whose index range is 'equal to', denoted c1; obtain the index values of all index keys smaller than c, extract from each the set of rules whose index range is 'greater than', and take their union, denoted c2; obtain the index values of all index keys greater than c, extract from each the set of rules whose index range is 'less than', and take their union, denoted c3; the final result is the union of c1, c2 and c3.
- 3. The authority rule storage and retrieval method according to claim 1, wherein the applicable scenario and implementation of the hash index are as follows: in authority rule retrieval, if an atomic proposition in a user range or object range involves an equality comparison of values, a hash index can be constructed for that atomic proposition; the index information extractor is implemented such that the index information of a hash index comprises only one part, the index key, and covers the atomic propositions involving equality comparison of values; the index data manager of the hash index is implemented with a hash table that stores the index keys of the index information, the index value of each index key comprising one set of stored authority rules; adding, deleting and querying are implemented as follows: adding inserts the index key from the extracted index information into the hash table and adds the rule into the rule set of the index value; deleting looks up the index key from the extracted index information, and if the key is not in the hash table the rule was never added and nothing needs to be deleted, while if the key is present the rule is deleted from the rule set of the index value; querying, when a specific user or object is input, extracts the specific attribute value as the index value according to the attribute of the input user or object, denotes it a, and searches the hash table by obtaining the index value whose index key is a and extracting its rule set.
- 4. The authority rule storage and retrieval method of claim 1, wherein the applicable scenario and implementation of the directed acyclic graph index are as follows: in authority rule retrieval, if an atomic proposition in a user range or object range involves nesting along the relations of a directed acyclic graph, a directed acyclic graph index can be constructed for that atomic proposition; the index information extractor is implemented such that the index information of a directed acyclic graph index comprises only one part, the index key, and covers the atomic propositions involving such nested relations; the index data manager is implemented with a directed acyclic graph that stores index keys according to their parent-child order, the index value of each index key comprising one set of stored authority rules, and additional external information must be introduced when the directed acyclic graph index is constructed, namely the adding and deleting of parent-child relations between index keys in the graph; the index data manager implements adding an index key parent-child relation, deleting an index key parent-child relation, adding an authority rule, deleting an authority rule and querying authority rules as follows: adding a parent-child relation inputs two index keys, adds them as graph nodes into the directed acyclic graph if not already present, and records the connection between them; deleting a parent-child relation inputs two index keys and searches for them in the graph, and if either does not exist the relation was never added and there is nothing to delete, while otherwise the parent-child relation is deleted; adding an authority rule adds the index key from the extracted index information into the graph if not already present and adds the rule into the rule set of its index value; deleting an authority rule looks up the index key from the extracted index information, and if the key is not in the graph the rule was never added, while if it is present the rule is deleted from the rule set of its index value without deleting the index keys themselves; querying, when a specific user or object is input, extracts the specific attribute value of the input user or object as the index value, denoted b, and searches the directed acyclic graph as follows: obtain the index value whose index key is b and extract its rule set, denoted b1; traverse the directed acyclic graph to obtain all index keys of which b is a descendant (the keys whose atomic proposition, in the form given in claim 8, covers b), extract the rule set from each of their index values, and take their union, denoted b2; the final result is the union of b1 and b2.
- 5. The authority rule storage and retrieval method according to claim 1, wherein the indexes are selected according to the actual data: a user or object has a large number of different attributes, of which only a part are used for authority judgment, so based on analysis of the service, indexes are built only for the attributes actually used and not for the others; the indexes are added gradually according to the data, so the index configuration does not have to be completed at once but is completed progressively as the system is used; and the type of index is selected according to the data format and the form of the atomic proposition.
- 6. The authority rule storage and retrieval method according to claim 2, wherein, in the implementation of the index information extractor for the ordered index, the index information extracted for the different forms of atomic propositions involving numerical comparison of numbers or lexicographic comparison of character strings is as follows: for the atomic proposition "variable value a is greater than or equal to value b", the index key "value b" and the index range "greater than or equal to" are extracted; for "variable value a is greater than value b", the index key "value b" and the index range "greater than"; for "variable value a is equal to value b", the index key "value b" and the index range "equal to"; for "variable value a is less than value b", the index key "value b" and the index range "less than"; and for "variable value a is less than or equal to value b", the index key "value b" and the index range "less than or equal to".
- 7. The method according to claim 3, wherein, in the implementation of the index information extractor for the hash index, the index information extracted for atomic propositions involving equality comparison of values is as follows: for the atomic proposition "variable value a is equal to value b", the index key "value b" is extracted.
- 8. The method according to claim 4, wherein, in the implementation of the index information extractor for the directed acyclic graph index, the index information extracted for atomic propositions involving nesting along the relations of the directed acyclic graph is as follows: for the atomic proposition "variable value a is value b or one of the child nodes of value b", the index key "value b" is extracted.
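As an added example that is not part of the patent, the following Python sketch implements the claim-1 adding, deleting and retrieval flows over a claim-3 hash index on each side (one user attribute, one object attribute), with the two index-incapable lists holding the ranges the extractor cannot index. The proposition syntax (`attr == 'v'`, `attr startswith 'v'`), the `Rule` record and every name are this example's assumptions, and the sample rules are constructed to mirror the editor rule from the description. It also shows a point the claim leaves implicit: the intersection X5 ∩ X6 only says a rule matches both ranges, not which grant matched, so the final loop over the (small) candidate set still has to check that the matching object range carries the requested authority.

```python
# Added example (not the patent's code): claim-1 add/delete/retrieval flows on a
# claim-3 hash index, with the index-incapable lists for ranges the extractor
# cannot index. Proposition syntax, Rule record and names are assumptions.
from dataclasses import dataclass
import re

EQ = re.compile(r"^(\w+) == '([^']*)'$")              # hash-indexable atom
PREFIX = re.compile(r"^(\w+) startswith '([^']*)'$")  # not hash-indexable

@dataclass(frozen=True)
class Rule:
    name: str
    user_ranges: tuple  # atomic propositions over user attributes
    role: str
    grants: tuple       # (authority, object-range proposition) pairs

def extract_hash_key(attr, proposition):
    """Claim-3 extractor: only 'attr == value' on the indexed attr yields a key."""
    m = EQ.match(proposition)
    return m.group(2) if m and m.group(1) == attr else None

def evaluate(proposition, entity):
    """Expression evaluation: the slow path for ranges no index can serve."""
    m = EQ.match(proposition)
    if m:
        return entity.get(m.group(1)) == m.group(2)
    m = PREFIX.match(proposition)
    if m:
        return str(entity.get(m.group(1), "")).startswith(m.group(2))
    raise ValueError("unsupported proposition: " + proposition)

class HashIndex:
    def __init__(self, attr):
        self.attr = attr
        self.table = {}  # index key -> set of rules
    def add(self, key, rule):
        self.table.setdefault(key, set()).add(rule)
    def delete(self, key, rule):
        if key in self.table:  # absent key: the rule was never added
            self.table[key].discard(rule)
    def query(self, entity):
        return set(self.table.get(entity.get(self.attr), ()))

class RuleStore:
    def __init__(self, user_attr, object_attr):
        self.user_index = HashIndex(user_attr)
        self.object_index = HashIndex(object_attr)
        self.user_fallback = set()    # (rule, user range), index-incapable
        self.object_fallback = set()  # (rule, authority, object range)
    def _route(self, rule, on_index, on_fallback):
        # claim-1 add/delete flow: each range goes to the index or a fallback list
        for rng in rule.user_ranges:
            key = extract_hash_key(self.user_index.attr, rng)
            if key is None:
                on_fallback(self.user_fallback, (rule, rng))
            else:
                on_index(self.user_index, key, rule)
        for auth, rng in rule.grants:
            key = extract_hash_key(self.object_index.attr, rng)
            if key is None:
                on_fallback(self.object_fallback, (rule, auth, rng))
            else:
                on_index(self.object_index, key, rule)
    def add(self, rule):
        self._route(rule, HashIndex.add, set.add)
    def delete(self, rule):
        self._route(rule, HashIndex.delete, set.discard)
    def _user_side(self, user):
        x1 = self.user_index.query(user)                                  # X1 / Y1
        x2 = {r for r, rng in self.user_fallback if evaluate(rng, user)}  # X2 / Y2
        return x1 | x2                                                    # X5 / Y3
    def authorize(self, user, obj, authority):
        x3 = self.object_index.query(obj)
        x4 = {r for r, _, rng in self.object_fallback if evaluate(rng, obj)}
        for rule in self._user_side(user) & (x3 | x4):  # X5 & X6
            # the intersection does not say which grant matched: re-check it
            for auth, rng in rule.grants:
                if auth == authority and evaluate(rng, obj):
                    return True
        return False
    def authorities_of(self, user):
        """Second retrieval flow: merge the object ranges and authorities of Y3."""
        merged = {}
        for rule in self._user_side(user):
            for auth, rng in rule.grants:
                merged.setdefault(rng, set()).add(auth)
        return merged

EDITOR = Rule("editor", ("name startswith 'a'", "name startswith 'b'"), "editor",
              (("read", "name startswith 'book'"), ("write", "name startswith 'book'"),
               ("read", "name startswith 'diary'")))
FINANCE = Rule("finance", ("dept == 'finance'",), "accountant",
               (("read", "kind == 'ledger'"),))

def build_sample_store():
    store = RuleStore(user_attr="dept", object_attr="kind")
    store.add(EDITOR)   # prefix ranges: index-incapable lists
    store.add(FINANCE)  # equality ranges: hash indexes
    return store
```

`build_sample_store().authorize({"name": "alice"}, {"name": "book1"}, "write")` answers the description's alice/book1 query through the fallback lists, while a user with `dept == 'finance'` is served entirely from the hash tables. Deleting a rule never removes an index key, which matches the claims; a deployment with many short-lived rules would want to compact empty entries, which the patent does not discuss.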
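For claims 2 and 6 together, an added example that is not the patent's code: the extractor maps an atomic comparison to (index key, index range), and the index keeps the three per-key rule sets and answers a lookup for value c with c1 ∪ c2 ∪ c3 as claim 2 describes. A sorted list with `bisect` stands in for the red-black tree; it gives the same ordered key traversal but O(n) insertion, so a balanced tree is the right structure at the rule volumes the description mentions. The proposition syntax and all names are assumptions, and placing a 'greater than or equal to' or 'less than or equal to' rule in two of the three sets is this example's reading, since claim 2 names only the 'greater than', 'equal to' and 'less than' sets.

```python
# Added example (not the patent's code): the claim-2 ordered index with the
# claim-6 extractor. A sorted list + bisect stands in for the red-black tree;
# proposition syntax, the set split for >= / <= and all names are assumptions.
import bisect
import re

ATOM = re.compile(r"^(\w+)\s*(>=|<=|==|>|<)\s*(-?\d+(?:\.\d+)?|'[^']*')$")

# Claim 2 names only the 'greater than', 'equal to' and 'less than' sets, so a
# '>=' or '<=' rule is placed in two of them here (this example's reading).
SETS = {">": ("gt",), ">=": ("gt", "eq"), "==": ("eq",),
        "<": ("lt",), "<=": ("lt", "eq")}

def extract_ordered(attr, proposition):
    """Claim-6 extractor: 'attr OP value' -> (index key, index range), else None."""
    m = ATOM.match(proposition)
    if not m or m.group(1) != attr:
        return None
    raw = m.group(3)
    if raw.startswith("'"):
        key = raw[1:-1]  # string key: lexicographic comparison
    elif re.fullmatch(r"-?\d+", raw):
        key = int(raw)
    else:
        key = float(raw)
    return key, m.group(2)

class OrderedIndex:
    """One index per attribute; all keys in an index must be mutually comparable."""
    def __init__(self):
        self.keys = []    # sorted index keys (the red-black tree's key order)
        self.values = {}  # key -> {"gt": set, "eq": set, "lt": set}
    def add(self, key, rng, rule):
        if key not in self.values:
            bisect.insort(self.keys, key)
            self.values[key] = {"gt": set(), "eq": set(), "lt": set()}
        for s in SETS[rng]:
            self.values[key][s].add(rule)
    def delete(self, key, rng, rule):
        if key not in self.values:  # never added: nothing to delete
            return
        for s in SETS[rng]:
            self.values[key][s].discard(rule)
    def query(self, c):
        """Rules whose proposition holds for attribute value c: c1 | c2 | c3."""
        c1 = self.values[c]["eq"] if c in self.values else set()
        lo = bisect.bisect_left(self.keys, c)   # keys[:lo] are < c
        hi = bisect.bisect_right(self.keys, c)  # keys[hi:] are > c
        c2 = set().union(*(self.values[k]["gt"] for k in self.keys[:lo]))
        c3 = set().union(*(self.values[k]["lt"] for k in self.keys[hi:]))
        return c1 | c2 | c3

def build_sample_index():
    """Constructed sample: four age-based user ranges, one rule name each."""
    idx = OrderedIndex()
    for proposition, rule in [("age >= 18", "adult"), ("age < 13", "child"),
                              ("age == 65", "turning-65"), ("age > 65", "senior")]:
        key, rng = extract_ordered("age", proposition)
        idx.add(key, rng, rule)
    return idx
```

`build_sample_index().query(65)` returns both the 'adult' rule (key 18 is below 65 and its range is 'greater than or equal to') and the 'turning-65' rule (key 65, 'equal to'), without touching the 'senior' rule (key 65, 'greater than'); the only rules evaluated are those reachable through the key order.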
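For claims 4 and 8 together, an added example that is not the patent's code of the directed acyclic graph index: parent-child relations are maintained separately from rules, a rule keyed on node b applies to b and everything below it, and a lookup for node b therefore collects the rule sets of b (b1) and of all of its ancestors (b2). The proposition syntax `attr under 'b'` and all names are assumptions, and the check that rejects an edge which would close a cycle is this example's addition; the claim only states that the graph is acyclic.

```python
# Added example (not the patent's code): a claim-4 directed acyclic graph index
# with the claim-8 extractor. Proposition syntax "attr under 'b'" and all names
# are assumptions; the cycle check on edge insertion is this example's addition.
import re

UNDER = re.compile(r"^(\w+) under '([^']*)'$")

def extract_dag_key(attr, proposition):
    """Claim-8 extractor: "attr under 'b'" yields index key b, anything else None."""
    m = UNDER.match(proposition)
    return m.group(2) if m and m.group(1) == attr else None

class DagIndex:
    def __init__(self):
        self.parents = {}  # node -> set of parent nodes (edges kept child -> parent)
        self.rules = {}    # node -> set of authority rules keyed on that node
    def _ensure(self, key):
        self.parents.setdefault(key, set())
        self.rules.setdefault(key, set())
    def ancestors(self, key):
        """All nodes reachable upward from key, key itself excluded."""
        seen, stack = set(), list(self.parents.get(key, ()))
        while stack:
            n = stack.pop()
            if n in seen:  # diamonds: walk each node once
                continue
            seen.add(n)
            stack.extend(self.parents.get(n, ()))
        return seen
    def add_relation(self, parent, child):
        self._ensure(parent)
        self._ensure(child)
        if parent == child or child in self.ancestors(parent):
            raise ValueError(f"edge {parent}->{child} would close a cycle")
        self.parents[child].add(parent)
    def delete_relation(self, parent, child):
        if parent in self.parents and child in self.parents:  # else never added
            self.parents[child].discard(parent)
    def add_rule(self, key, rule):
        self._ensure(key)
        self.rules[key].add(rule)
    def delete_rule(self, key, rule):
        if key in self.rules:  # absent key: never added; graph nodes are kept
            self.rules[key].discard(rule)
    def query(self, b):
        """Rules keyed on b (b1) plus rules keyed on any ancestor of b (b2)."""
        b1 = set(self.rules.get(b, ()))
        b2 = set()
        for a in self.ancestors(b):
            b2 |= self.rules[a]
        return b1 | b2

def build_sample_index():
    """Constructed org chart: platform sits under engineering and, matrix-style, security."""
    idx = DagIndex()
    for parent, child in [("company", "engineering"), ("engineering", "platform"),
                          ("company", "finance"), ("security", "platform")]:
        idx.add_relation(parent, child)
    idx.add_rule("company", "all-staff-handbook")
    idx.add_rule("engineering", "eng-wiki")
    idx.add_rule("finance", "ledger-read")
    idx.add_rule("security", "alert-feed")
    return idx
```

`build_sample_index().query("platform")` returns the rules keyed on platform's two parents and on company, and nothing keyed on finance; removing the security-platform relation drops the alert-feed rule from that answer without touching the rule itself. The lookup cost is bounded by the number of ancestors, not by the number of stored rules, which is the point of the index.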
Description
Authority rule storage and retrieval method

Technical Field
The invention relates to rights management technology, in particular to an authority rule storage and retrieval method.

Background
The authentication center is the core component through which a data management platform carries out overall authority management; it manages the authorities of different departments and of personnel in different positions on the platform. To meet the requirement of fine-grained authority management, the authentication center needs an efficient authority rule storage and retrieval method, so that the rules relevant to the current authority query can be retrieved rapidly from millions of authority rules and the authorization decision completed. In current mainstream solutions, rights management consists of two steps: authentication, in which the system confirms the identity of the user through various means (including but not limited to account passwords, api_keys and two-factor authentication), and authorization, in which the system retrieves and confirms the rights held by the user and the scope over which those rights apply. The invention applies mainly to the authorization step and addresses the storage and retrieval of authority rules.
In the authorization step there are three mainstream authorization models. ACL (access control list): an authority control table with three elements, user, object and authority, e.g. alice-read-book1, meaning that user alice has the authority read on object book1. RBAC (role-based access control): four elements, user, role, object and authority, e.g. alice-editor-read-book1, meaning that user alice holds the role editor and therefore has the authority read on object book1. ABAC (attribute-based access control): three elements, user scope, authority and object scope, e.g. prefix(user, 'a')-read-prefix(object, 'book'), meaning that users whose name begins with a have the authority read on objects whose name begins with book; the user scope and object scope are usually expressions without a fixed structure, and the expression is described in the description of the embodiments. In terms of model capability, ABAC > RBAC > ACL is generally accepted, and in mainstream commercial products ABAC is typically combined with RBAC to form the kind of authority rule shown in fig. 1, with four elements: user scope, role, authority and object scope. For example, prefix(user, 'a')-editor-read-prefix(object, 'book') means that users whose name begins with a hold the role editor and therefore have the authority read on objects whose name begins with book. In a real implementation a role such as editor may be bound to several user scopes while holding different authorities over objects in several different object scopes. Further details on this combination of ABAC with RBAC are given in the description of the embodiments. To describe the existing scheme precisely, assume that the following authority rule has to be stored and retrieved:
1. User ranges: prefix(user, 'a') and prefix(user, 'b'), i.e. users whose name begins with a or with b; 2. Role: editor; 3. Authority-object scope pairs: read-prefix(object, 'book') and write-prefix(object, 'book'), i.e. the authorities read and write on objects whose name begins with book, and read-prefix(object, 'diary'), i.e. the authority read (but not write) on objects whose name begins with diary. In a common current implementation such as casbin (an open-source access control framework), the authority rules are stored by the following logic: 1. the authority rule is split into two parts, user range-role and role-authority-object range; 2. the rules of the two parts are each stored as a list in memory: prefix(user, 'a')-editor; prefix(user, 'b')-editor; editor-read-prefix(object, 'book'); editor-write-prefix(object, 'book'); editor-read-prefix(object, 'diary'). When the authority retrieval request is to check whether alice has the authority write on book1, the existing method proceeds as follows: 1. traverse all user range-role rules and find that prefix(user, 'a')-editor matches; 2. traverse all role-authority-object range rules and find that editor-write-prefix(object, 'book') matches. To avoid ambiguity in the later discussion of the number of authority rules, the count is defined such that "1 authority rule" means "an authority rule with a role at its core, including multiple user bindings, m