To meet the needs of enterprise cloud storage applications, and to address the shortcomings of existing attribute-based access control schemes in describing access rules, this paper proposes an attribute-based access control scheme suited to enterprise cloud storage. The scheme represents the subject, resource and environment entities directly as dictionary variables, describes access rules as Python logical expressions, and executes the rules with the eval function; access rules are therefore easy to write, highly expressive, and cheap to evaluate. Taking into account the hierarchical structure of resources, a corresponding access rule inheritance strategy is designed for each access right to simplify the writing of rules, and the access controller is implemented with the cross-language service development framework Thrift.
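The following is an added illustration of the mechanism the abstract describes, written for this page and not taken from the paper: entities are plain dictionaries, each rule is a Python boolean expression over the names subject, resource and environment, rules are attached to nodes of the resource path hierarchy, and a rule string is evaluated with eval. The two inheritance strategies (read: the nearest rule on the path shadows its ancestors; write and delete: every rule on the path must pass) are assumptions chosen for the example, since the abstract does not spell out the paper's strategies. The AST whitelist in validate_rule is likewise an addition: eval on rule text is only acceptable when rule authors are fully trusted, and restricting the permitted syntax to comparisons, boolean operators and dictionary lookups keeps a mistyped or tampered rule from becoming arbitrary code execution inside the access controller. Sample entities and rules are constructed for the demonstration (Python 3.9+).

```python
import ast

# Syntax a rule may contain: boolean logic, comparisons, membership tests,
# literals, and subscripting of the three entity dictionaries. Calls,
# attribute access, lambdas, comprehensions and imports are all rejected.
_ALLOWED_NODES = (
    ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not,
    ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
    ast.In, ast.NotIn, ast.Name, ast.Load, ast.Constant, ast.Subscript,
    ast.Tuple, ast.List, ast.Set,
)
_ENTITY_NAMES = ("subject", "resource", "environment")


def validate_rule(rule: str) -> ast.Expression:
    """Parse a rule and reject any construct outside the whitelist."""
    tree = ast.parse(rule, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise ValueError(f"disallowed construct in rule: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in _ENTITY_NAMES:
            raise ValueError(f"unknown name in rule: {node.id}")
    return tree


def rule_is_safe(rule: str) -> bool:
    """Convenience wrapper: True if the rule passes validation, else False."""
    try:
        validate_rule(rule)
        return True
    except (ValueError, SyntaxError):
        return False


def evaluate_rule(rule: str, subject: dict, resource: dict, environment: dict) -> bool:
    """Evaluate a validated rule with an empty builtins table (the paper's eval step)."""
    tree = validate_rule(rule)
    namespace = {"__builtins__": {}, "subject": subject,
                 "resource": resource, "environment": environment}
    return bool(eval(compile(tree, "<rule>", "eval"), namespace))


def ancestors(path: str):
    """Yield a resource path and its ancestors: '/a/b' -> '/a/b', '/a', '/'."""
    parts = path.strip("/").split("/") if path != "/" else []
    while True:
        yield "/" + "/".join(parts) if parts else "/"
        if not parts:
            return
        parts.pop()


# Constructed rule table keyed by (path node, access right). A node without a
# rule for a right inherits according to the strategy in is_permitted().
RULES = {
    ("/", "read"): "subject['dept'] == resource['owner_dept']",
    ("/finance", "write"): "subject['dept'] == 'finance' and 'editor' in subject['roles']",
    ("/finance/q3", "write"): "environment['network'] == 'internal'",
}


def is_permitted(action: str, subject: dict, resource: dict, environment: dict,
                 rules: dict = RULES) -> bool:
    """Decide an access request using per-right inheritance (assumed strategies)."""
    applicable = [rules[(p, action)] for p in ancestors(resource["path"])
                  if (p, action) in rules]
    if not applicable:
        return False  # deny by default: no rule anywhere on the path
    if action == "read":
        # Read: the most specific rule wins and shadows its ancestors.
        return evaluate_rule(applicable[0], subject, resource, environment)
    # Write/delete: the node's own rule and every ancestor rule must all hold.
    return all(evaluate_rule(r, subject, resource, environment) for r in applicable)


# Constructed sample entities.
ALICE = {"dept": "finance", "roles": ["editor"]}
BOB = {"dept": "sales", "roles": ["editor"]}
REPORT = {"path": "/finance/q3/report.xlsx", "owner_dept": "finance"}
INTERNAL = {"network": "internal"}
EXTERNAL = {"network": "external"}

if __name__ == "__main__":
    for who, subj in (("alice", ALICE), ("bob", BOB)):
        for env_name, env in (("internal", INTERNAL), ("external", EXTERNAL)):
            for action in ("read", "write", "delete"):
                print(who, env_name, action, is_permitted(action, subj, REPORT, env))
    print("rule with a call rejected:", not rule_is_safe("open('x').read()"))
```

With this table, a finance editor on the internal network may read and write the report (the write passes both the /finance and /finance/q3 rules), the same user from an external network may still read but not write, a sales user can do neither, and delete is denied for everyone because no delete rule exists on the path. A rule containing a function call or attribute access fails validation before eval runs.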