CN117896130A - Industrial Internet data access control method, device, equipment and medium - Google Patents


Publication number
CN117896130A
Authority
CN
China
Prior art keywords
access control
intelligent contract
accessed resource
client
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202410021233.3A
Other languages
Chinese (zh)
Other versions
CN117896130B (en)
Inventor
柳彩云
孙岩
刘奕彤
李俊
翁颖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Industrial Control Systems Cyber Emergency Response Team
Original Assignee
China Industrial Control Systems Cyber Emergency Response Team
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Industrial Control Systems Cyber Emergency Response Team
Priority to CN202410021233.3A
Publication of CN117896130A
Application granted
Publication of CN117896130B
Legal status: Active
Anticipated expiration

Abstract

Translated from Chinese

The present invention discloses an industrial Internet data access control method, device, equipment and medium. A data access request sent by a client is received; an access control policy is matched according to the access client identifier and the accessed resource identifier; when it is determined that there is no matching access control policy, an access denied error is returned directly; when it is determined that there is a matching access control policy, the URL link of the accessed resource is obtained from the state database according to the accessed resource identifier. The present invention realizes fine-grained access control, data isolation and integrity protection, real-time communication and scalable access management.

Description

Translated from Chinese
Industrial Internet data access control method, device, equipment and medium

Technical Field

The present invention relates to the field of industrial data security, and in particular to an industrial Internet data access control method, device, equipment and medium.

Background Art

The Industrial Internet is an information technology infrastructure and platform built on industrial systems that realizes the deep integration of industrial systems with the Internet. In an Industrial Internet environment, large numbers of industrial devices and the entire manufacturing process generate massive amounts of data. These data involve much of an enterprise's core intellectual property and sensitive information, so protecting their security and privacy is extremely important.

Most existing industrial Internet data access control and data privacy protection methods rely on centralized servers and therefore have a single point of failure. In addition, the granularity of industrial Internet data access permission control in the prior art is relatively coarse, so fine-grained, dynamic access control for different data subjects and different roles cannot be achieved, which makes it difficult to meet the needs of industrial Internet security supervision.

Summary of the Invention

In view of this, the present invention provides an industrial Internet data access control method to solve the technical problem that the granularity of industrial Internet data access permission control in the prior art is relatively coarse and cannot achieve fine-grained, dynamic access control for different data subjects and different roles.

According to a first aspect of the present invention, an industrial Internet data access control method is provided, comprising:

receiving a data access request sent by a client, wherein the data access request carries an access client identifier and an accessed resource identifier;

matching an access control policy according to the access client identifier and the accessed resource identifier;

when it is determined that there is no matching access control policy, directly returning an access denied error;

when it is determined that there is a matching access control policy, obtaining the URL link of the accessed resource from the state database according to the accessed resource identifier.

According to a second aspect of the present invention, an industrial Internet data access control device is provided, comprising:

a receiving module, configured to receive a data access request sent by a client, wherein the data access request carries an access client identifier and an accessed resource identifier;

a matching module, configured to match an access control policy according to the access client identifier and the accessed resource identifier;

an execution module, configured to directly return an access denied error when it is determined that there is no matching access control policy, and, when it is determined that there is a matching access control policy, to obtain the URL link of the accessed resource from the state database according to the accessed resource identifier.

According to a third aspect of the present invention, a computer device is provided, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the above industrial Internet data access control method when executing the computer program.

According to a fourth aspect of the present invention, a computer-readable storage medium is provided, which stores a computer program; when the computer program is executed by a processor, the steps of the above industrial Internet data access control method are implemented.

By means of the above technical solution, the industrial Internet data access control method, device, equipment and medium provided by the present invention receive a data access request sent by a client, match an access control policy according to the access client identifier and the accessed resource identifier, directly return an access denied error when it is determined that there is no matching access control policy, and obtain the URL link of the accessed resource from the state database according to the accessed resource identifier when it is determined that there is a matching access control policy. The present invention realizes fine-grained access control, data isolation and integrity protection, real-time communication and scalable access management.

The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented according to the contents of the specification, and in order that the above and other objects, features and advantages of the present invention may be more readily apparent, specific embodiments of the present invention are set out below.

Brief Description of the Drawings

The drawings described here are provided to give a further understanding of the present invention and form a part of it. The exemplary embodiments of the present invention and their descriptions serve to explain the present invention and do not constitute an improper limitation of it. In the drawings:

FIG1 shows a schematic diagram of an application scenario of industrial Internet data access control provided in an embodiment of the present invention;

FIG2 shows a schematic flow chart of an industrial Internet data access control method provided in an embodiment of the present invention;

FIG3 shows a schematic structural diagram of an industrial Internet data access control device provided in an embodiment of the present invention.

Detailed Description

Specific embodiments of the present invention are described in detail below with reference to the accompanying drawings and in combination with the embodiments. It should be noted that the embodiments of the present invention and the features in the embodiments can be combined with each other where they do not conflict.

The industrial Internet data access control method provided by an embodiment of the present invention can be applied to the Hyperledger Fabric blockchain scenario shown in FIG1. Sensors 1 to 3 are a schematic representation of the sources that generate industrial data (in practice these are not limited to sensors; enterprise MES, ERP and other systems can also be connected). The generated data may include production data, equipment data, sensor data and so on, and sensors 1-3 may also be connected through an intelligent gateway. Subscription clients 1-3 are the access clients of different institutions or organizations, and the permission verification of the access control policies is performed on different channels (a channel in the Hyperledger Fabric blockchain is a private sub-network that allows multiple parties to transact with each other securely and confidentially; channels allow different users/participants (organizations) to be connected through anchor peers to form a consortium, and a channel's ledger can only be accessed by the organizations that belong to that channel).

In a Hyperledger Fabric blockchain network, the ledger consists of two distinct but related parts: the world state and the blockchain ledger. The world state is a database (for example LevelDB or CouchDB) that holds a set of current values; the access control policies can be stored in the blockchain's state database (StateDatabase, SDB). The blockchain ledger records every transaction that produces a state change. In Hyperledger there is not a single blockchain but a network of blocks that can comprise multiple channels; a channel is a sub-network (sub-ledger) within that network, and a smart contract (chaincode) loaded into a sub-ledger has its own world state, with data in the same chaincode residing in the same namespace. Hyperledger Fabric uses a public key infrastructure (PKI) to verify the actions of all network participants: every peer, network administrator and user submitting a transaction must hold a public certificate and a private key to prove its identity, these identities must have a valid root of trust, and the certificate is issued by the CA that acts as the authorization server in the network. In practice, a transaction proposal is sent to the endorsing peers, which simulate the transaction and verify its correctness against the smart contract; if it is endorsed, the endorsing peer signs it and sends it back to the client. Endorsed transactions are assembled into blocks and sent to the ordering service. The ordering service receives endorsed transactions from the peers and orders them into blocks (block creation), then broadcasts the blocks to all peers in the network (delivering the block transactions to each peer); it uses a consensus algorithm to ensure that all nodes in the network agree on the order of blocks, which guarantees ledger consistency across all nodes. Each peer checks the digital signatures of the block and of the transactions it contains and the validity of the endorsement policy; if the block is valid, the transactions are committed to the ledger. The decentralized blockchain of hash-linked blocks guarantees data integrity, and configuring industrial Internet devices as direct blockchain nodes enhances data reliability by eliminating manual intervention and dependence on external systems; this approach strengthens the integrity of industrial IoT data and builds a secure and trusted environment. Hyperledger Fabric separates transaction execution from transaction ordering; this split improves scalability and performance and reduces the workload of the nodes. Unlike other blockchain designs, Hyperledger Fabric introduces parallel transaction processing and addresses the non-determinism problem of smart contracts, which yields higher throughput and lower latency. This approach promotes privacy, trust, scalability and access control in a secure IoT data system, laying the foundation for secure information exchange while preserving privacy and trust.

In the scenario of FIG1, the industrial Internet data access control method executed by the Hyperledger Fabric blockchain network receives a data access request sent by a client, wherein the data access request carries an access client identifier and an accessed resource identifier; matches an access control policy according to the access client identifier and the accessed resource identifier; directly returns an access denied error when it is determined that there is no matching access control policy; and, when it is determined that there is a matching access control policy, obtains the URL link of the accessed resource from the state database according to the accessed resource identifier. The URL link of the accessed resource is equivalent to an MQTT subscription topic, and the accessed resource can be an industrial IoT device such as a sensor. The blockchain solution based on Hyperledger Fabric and MQTT solves the technical problems above by combining technical means such as the certificate mechanism, channel isolation and smart contracts, and the embodiment of the present invention thereby realizes fine-grained access control, data isolation and integrity protection, real-time communication and scalable access management.

The present invention is described in detail below through specific embodiments.

Embodiment 1

As shown in FIG2, an industrial Internet data access control method provided in an embodiment of the present invention comprises:

Step 201: receiving a data access request sent by a client;

wherein the data access request carries an access client identifier and an accessed resource identifier;

Step 202: matching an access control policy according to the access client identifier and the accessed resource identifier;

Step 202 may comprise:

Step 202-1: invoking the smart contract chaincode through the chaincode interface, and obtaining the client role and the attributes of the accessed resource according to the access client identifier and the accessed resource identifier;

Step 202-2: performing a permission check against the access control policy according to the client role and the attributes of the accessed resource, to determine whether the client has access rights;

In each interface of the chaincode, a permission check is performed against the access control policy definition to determine whether the caller has access rights, for example:

function auth(user, device, topic) {
    // Look up the access control policy stored for this device.
    const policy = getPolicyForDevice(device);
    // A device without a policy has no matching policy: deny.
    if (!policy) {
        return false;
    }
    // The caller's role must be one of the roles allowed by the policy.
    if (!matchRole(user, policy.roles)) {
        return false;
    }
    // The requested topic must be one of the topics the policy permits.
    if (!matchTopic(topic, policy.topics)) {
        return false;
    }
    return true;
}

In addition, the caller's certificate must be passed when the chaincode interface is invoked, and the chaincode determines the caller's identity from the certificate content; the certificate and the user identity are bound in the Fabric network. Before step 202-2, the method needs to include:

authenticating the digital certificate (for example an X.509 certificate) provided by the client, wherein the digital certificate is issued by the organization's certificate management center under the organization's root certificate; an organization is set up for each type of participating entity, each organization is assigned a root certificate, and digital certificates are automatically renewed and maintained through the enterprise certificate management center.

Step 202-3: when the client has access rights, an access control policy is matched.

Step 203: when it is determined that there is no matching access control policy, directly returning an access denied error;

Step 204: when it is determined that there is a matching access control policy, obtaining the URL link of the accessed resource from the state database according to the accessed resource identifier.

In order to implement the embodiment of the present invention, the Hyperledger Fabric blockchain network must be initialized and built in advance. Before step 201, the method includes:

Step 201-A: generating certificates and key pairs, building the Hyperledger Fabric blockchain network, and setting up channels and nodes;

Step 201-B: registering the industrial Internet devices in the Hyperledger Fabric blockchain network and assigning certificates to the devices, completing device identity management;

Step 201-C: generating the access control policies and uploading them to the Hyperledger Fabric blockchain network;

The access control policies are defined in JSON format and saved in the world state of the blockchain. An access control policy specifies access control rules such as devices, topics and roles; an example access control policy is as follows:

{
    "device1": {
        "topics": ["temp", "humidity"],
        "roles": ["operator", "manager"]
    }
}

Step 201-D: deploying the smart contract chaincode to the ordinary nodes in the Hyperledger Fabric blockchain network, wherein the smart contract chaincode contains the matching relationship between industrial Internet devices, topics, roles and the access control policies;

The smart contract chaincode defines the business logic of access control, including interfaces such as device registration and subscription topic authorization. These interfaces check the identity of the caller and determine, according to the predefined policies, whether the caller has access rights.

Step 201-E: setting up an MQTT server and integrating the Hyperledger Fabric blockchain network with the MQTT server;

Step 201-F: publishing data to the MQTT server according to the configured URL link of the accessed resource, wherein the accessed resource is an MQTT message queue publisher that publishes data to the MQTT server according to its configured URL link.

Channels and organization isolation are used to implement data privacy protection. The URL link of the accessed resource corresponds to a channel of the Hyperledger Fabric blockchain network, that is, different topics correspond to different channels, which effectively implements data isolation. The MQTT server is bound to a specific organization or access control policy through a Fabric channel, and publishers, subscribers and published topics must join the corresponding channel, building a topic-based isolation model.
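As an added example that is not the patent's own code, the check of steps 201 to 204 and the policy JSON of step 201-C modelled in JavaScript against a constructed in-memory stand-in for the Fabric state database. The names worldState, handleAccessRequest and own, the sample identities and URLs, and the "<device>/<topic>" resource-identifier format are assumptions made for this illustration.

```javascript
// Added example: a self-contained model of the chaincode access check in
// steps 201-204, run against a constructed in-memory stand-in for the Fabric
// state database. Everything here (worldState, the sample identities and
// URLs, the "<device>/<topic>" resource-id format) is an assumption for
// illustration, not the patent's own code.

// Safe own-property lookup: a request carrying a key such as "constructor"
// must not hit Object.prototype and masquerade as a stored policy.
function own(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

// Constructed world state.
const worldState = {
  // Access control policies in the JSON form of step 201-C, keyed by device.
  policies: {
    device1: { topics: ['temp', 'humidity'], roles: ['operator', 'manager'] },
    device2: { topics: ['pressure'], roles: ['manager'] },
  },
  // Client role as it would be read from the caller's certificate attributes.
  identities: {
    'client-a': { org: 'Org1', role: 'operator' },
    'client-b': { org: 'Org2', role: 'manager' },
  },
  // URL link per accessed resource (step 204); the URL doubles as the MQTT
  // subscription topic. Resource id is assumed to be "<device>/<topic>".
  resourceUrls: {
    'device1/temp': 'mqtt://broker.example/plant1/device1/temp',
    'device1/humidity': 'mqtt://broker.example/plant1/device1/humidity',
    'device2/pressure': 'mqtt://broker.example/plant1/device2/pressure',
  },
};

// One uniform denial for every failure path, so the response does not reveal
// whether the device, the topic or the caller's role was the problem.
const DENY = Object.freeze({ ok: false, error: 'access denied' });

function getPolicyForDevice(ws, device) {
  return own(ws.policies, device) || null;
}
function matchRole(role, roles) {
  return Array.isArray(roles) && roles.includes(role);
}
function matchTopic(topic, topics) {
  return Array.isArray(topics) && topics.includes(topic);
}

// The permission check of step 202-2: the page's auth(user, device, topic),
// with the caller's role already resolved from its certificate.
function auth(ws, role, device, topic) {
  const policy = getPolicyForDevice(ws, device);
  if (policy === null) return false; // no policy for this device at all
  if (!matchRole(role, policy.roles)) return false;
  if (!matchTopic(topic, policy.topics)) return false;
  return true;
}

// Steps 201 to 204 end to end: request in, denial or URL link out.
function handleAccessRequest(ws, request) {
  if (!request || typeof request.clientId !== 'string' ||
      typeof request.resourceId !== 'string') {
    return DENY;
  }
  // Step 202-1: resolve the client role and resource attributes from the ids.
  const identity = own(ws.identities, request.clientId);
  if (!identity) return DENY; // identity not registered in the network
  const parts = request.resourceId.split('/');
  if (parts.length !== 2 || parts.some((p) => p.length === 0)) return DENY;
  const [device, topic] = parts;
  // Steps 202-2 and 203: no matching policy means an immediate denial.
  if (!auth(ws, identity.role, device, topic)) return DENY;
  // Step 204: fetch the URL link of the accessed resource from the state DB.
  const url = own(ws.resourceUrls, request.resourceId);
  if (typeof url !== 'string') return DENY; // policy exists but no link stored
  return { ok: true, url };
}
```

Every refusal returns the same object, so a caller learns only that it was denied, not which part of the policy failed.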

Embodiment 2:

The existing Hyperledger Fabric blockchain network lacks a standard management and sharing mechanism for smart contracts, which makes it difficult for developers to search for and reuse smart contracts and results in low efficiency. Its command-line operation is complex and unfriendly to users, which increases the difficulty of using and deploying smart contracts, and it lacks a general interface similar to a REST API for invoking and executing chaincode, which limits integration with external applications; the internal asset structures of smart contracts cannot be effectively compared and reused, and customization and secondary development are inconvenient. To achieve reusability, manageability and usability of smart contracts, the embodiment of the present invention adds a server for managing smart contract chaincode and provides an API interface that responds to user queries, modifications, updates and other operations. To solve this technical problem, the step of deploying the smart contract chaincode to the ordinary nodes in the Hyperledger Fabric blockchain network in step 201-D comprises:

Step 201-41: obtaining the labels of all smart contract chaincodes in the Hyperledger Fabric blockchain network and storing them in the smart contract server, wherein the label of a smart contract chaincode includes the smart contract identifier, name, owner, description, platform type and basic authentication specification;

The label of a smart contract chaincode can take the following JSON form:

{
    "id": "1",
    "name": "ContractA",                // chaincode name
    "author": "AuthorA",                // chaincode developer
    "uploaded": "2021-04-18",           // chaincode upload time
    "description": "...",               // chaincode description
    "platform": "Hyperledger Fabric",   // platform, Hyperledger Fabric by default
    "signature_policy": "MAJORITY",     // signature policy
    "chain_languages": [...],           // development language, Go or Node.js
    "app_languages": [...],             // application development language
    "versions": [...]                   // version numbers
}

开发人员即用户可通过检索以上字段的信息,寻找匹配的相似的智能合约链码,方便开发人员做复用开发然后可一键部署到Hyperledger Fabric区块链网络,极大的加快了智能合约链码的开发效率、部署速度。Developers, i.e. users, can search for matching similar smart contract chain codes by searching the information in the above fields, which makes it easier for developers to reuse the development and then deploy it to the Hyperledger Fabric blockchain network with one click, greatly speeding up the development efficiency and deployment speed of smart contract chain codes.

步骤201-42、获取智能合约链码的查询请求,在智能合约服务器中查询对应的智能合约链码,其中,智能合约链码的查询请求携带智能合约链码的标签中的关键字;Step 201-42, obtaining a query request for the smart contract chain code, and querying the corresponding smart contract chain code in the smart contract server, wherein the query request for the smart contract chain code carries the keyword in the label of the smart contract chain code;

步骤201-43、根据查询出的智能合约链码,生成可复用的智能合约链码,并部署到Hyperledger Fabric区块链网络中的普通节点。Step 201-43: Generate a reusable smart contract chain code based on the queried smart contract chain code and deploy it to a common node in the Hyperledger Fabric blockchain network.

其中,步骤201-43具体可以包括:Among them, step 201-43 may specifically include:

步骤201-431、根据查询出的智能合约链码,生成可复用的智能合约链码;Step 201-431, generate a reusable smart contract chain code according to the queried smart contract chain code;

步骤201-432、根据可复用的智能合约链码及用户修改指令,生成第一智能合约链码;Step 201-432, generating a first smart contract chain code according to the reusable smart contract chain code and the user modification instruction;

步骤201-433、通过API接口将所述第一智能合约链码自动安装和实例化到Hyperledger Fabric区块链节点上。Step 201-433: automatically install and instantiate the first smart contract chain code on the Hyperledger Fabric blockchain node through the API interface.

本实施例构建智能合约管理系统,使用标签记录智能合约的元数据信息。开发控制界面,用户可以搜索、比较、上传和部署智能合约。开发REST API接口,连接区块链网络,如查询、调用智能合约。用户可以在控制界面中搜索相似的智能合约,复用或定制后部署到区块链。This embodiment builds a smart contract management system and uses tags to record metadata information of smart contracts. A control interface is developed, and users can search, compare, upload and deploy smart contracts. A REST API interface is developed to connect to the blockchain network, such as querying and calling smart contracts. Users can search for similar smart contracts in the control interface, reuse or customize them, and deploy them to the blockchain.

进一步地,作为图1方法的具体实现,本发明实施例中提供了一种工业互联网数据访问控制装置,如图3所示,该装置包括:Further, as a specific implementation of the method of FIG. 1 , an industrial Internet data access control device is provided in an embodiment of the present invention, as shown in FIG. 3 , the device includes:

接收模块310,用于接收客户端发送的数据访问请求,其中,数据访问请求中携带访问客户端标识和被访问资源标识;The receiving module 310 is used to receive a data access request sent by a client, wherein the data access request carries an access client identifier and an accessed resource identifier;

匹配模块320,用于根据访问客户端标识和被访问资源标识,匹配访问控制策略;A matching module 320, used to match the access control policy according to the access client identifier and the accessed resource identifier;

执行模块330,用于判断出没有匹配的访问控制策略时,直接返回拒绝访问的错误;判断出存在匹配的访问控制策略时,根据被访问资源标识,从状态数据库中获取被访问资源的URL链接。The execution module 330 is used to directly return an access denial error when it is determined that there is no matching access control policy; when it is determined that there is a matching access control policy, obtain the URL link of the accessed resource from the state database according to the accessed resource identifier.

本发明实施例中提供了一种计算机设备,包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,处理器执行计算机程序时实现以下步骤:An embodiment of the present invention provides a computer device, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, the following steps are implemented:

接收客户端发送的数据访问请求,其中,数据访问请求中携带访问客户端标识和被访问资源标识;Receive a data access request sent by a client, wherein the data access request carries an access client identifier and an accessed resource identifier;

根据访问客户端标识和被访问资源标识,匹配访问控制策略;Match the access control policy according to the access client ID and the accessed resource ID;

判断出没有匹配的访问控制策略时,直接返回拒绝访问的错误;When it is determined that there is no matching access control policy, an access denied error is directly returned;

判断出存在匹配的访问控制策略时,根据被访问资源标识,从状态数据库中获取被访问资源的URL链接。When it is determined that there is a matching access control policy, the URL link of the accessed resource is obtained from the state database according to the accessed resource identifier.

An embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, the following steps are implemented:

Receive a data access request sent by a client, wherein the data access request carries an access client identifier and an accessed resource identifier;

Match an access control policy according to the access client identifier and the accessed resource identifier;

When it is determined that no matching access control policy exists, return an access-denied error directly;

When it is determined that a matching access control policy exists, obtain the URL link of the accessed resource from the state database according to the accessed resource identifier.
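The four steps above (receive the request with its client and resource identifiers, match a policy on that pair, deny when nothing matches, otherwise resolve the URL from the state database) as an added, runnable example. This is illustrative code written for this page, not the patent's own implementation or chaincode. The policy fields beyond the two identifiers (an allowed-action set, an optional expiry, a `*` wildcard resource), the error codes `ACCESS_DENIED` and `RESOURCE_NOT_FOUND`, and all client names, resource identifiers and URLs are assumptions and constructed sample data. The ordering is the security-relevant point: the state database is consulted only after a policy has matched, so an unauthorised client cannot use the gateway to probe which resource identifiers exist.

```python
"""Default-deny access gateway for industrial-internet data requests.

Added example, not code from the patent. Policy schema, error codes and
all sample data are assumptions constructed for illustration.
"""
from __future__ import annotations

import time
from dataclasses import dataclass, field

DENIED = "ACCESS_DENIED"          # assumed error code for "no matching policy"
NOT_FOUND = "RESOURCE_NOT_FOUND"  # assumed: policy matched, no state-database row


@dataclass(frozen=True)
class AccessRequest:
    client_id: str      # access client identifier carried in the request
    resource_id: str    # accessed resource identifier carried in the request
    action: str = "read"  # assumed extra field; the page only names the two ids


@dataclass(frozen=True)
class Policy:
    client_id: str
    resource_id: str                  # exact id, or "*" (assumed wildcard)
    actions: frozenset[str]
    expires_at: float | None = None   # unix time; None means no expiry (assumed)

    def matches(self, req: AccessRequest, now: float) -> bool:
        """Exact match on client id, exact-or-wildcard on resource id."""
        if self.client_id != req.client_id:
            return False
        if self.resource_id not in ("*", req.resource_id):
            return False
        if req.action not in self.actions:
            return False
        return self.expires_at is None or now < self.expires_at


@dataclass
class Gateway:
    policies: list[Policy] = field(default_factory=list)
    state_db: dict[str, str] = field(default_factory=dict)  # resource_id -> URL
    audit: list[tuple[str, str, str, str]] = field(default_factory=list)

    def handle(self, req: AccessRequest, now: float | None = None) -> tuple[bool, str]:
        """Return (True, url) when allowed, (False, error_code) otherwise.

        Step 2: match a policy. Step 3: no match -> deny immediately, without
        touching the state database. Step 4: match -> resolve the URL.
        """
        now = time.time() if now is None else now
        matched = next((p for p in self.policies if p.matches(req, now)), None)
        if matched is None:
            self.audit.append((req.client_id, req.resource_id, req.action, DENIED))
            return False, DENIED
        url = self.state_db.get(req.resource_id)
        if url is None:
            # Authorised but the resource has no state entry: still an error,
            # but distinguishable in the audit trail from a policy denial.
            self.audit.append((req.client_id, req.resource_id, req.action, NOT_FOUND))
            return False, NOT_FOUND
        self.audit.append((req.client_id, req.resource_id, req.action, "ALLOWED"))
        return True, url


def build_demo_gateway() -> Gateway:
    """Constructed sample policies and state-database rows (not real data)."""
    return Gateway(
        policies=[
            Policy("plc-01", "sensor/temp-7", frozenset({"read"})),
            Policy("scada-hist", "*", frozenset({"read"})),
            Policy("vendor-svc", "sensor/temp-7", frozenset({"read"}), expires_at=500.0),
        ],
        state_db={
            "sensor/temp-7": "https://data.plant.example/s/temp-7",
            "sensor/flow-2": "https://data.plant.example/s/flow-2",
        },
    )


if __name__ == "__main__":
    gw = build_demo_gateway()
    for req in (
        AccessRequest("plc-01", "sensor/temp-7"),
        AccessRequest("plc-01", "sensor/flow-2"),
        AccessRequest("scada-hist", "sensor/missing"),
        AccessRequest("vendor-svc", "sensor/temp-7"),
    ):
        print(req.client_id, req.resource_id, "->", gw.handle(req, now=1000.0))
```

Because `matches` is evaluated before any state-database read, a denied request costs one policy scan and leaks nothing about the resource namespace; the audit list keeps the denial reason separate from a not-found result so that repeated denials from one client are easy to spot in monitoring.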

It should be noted that, for the functions or steps that the computer-readable storage medium or the computer device described above can implement, reference may be made to the corresponding descriptions of the server side and the client side in the foregoing method embodiments; to avoid repetition, they are not described again here.

Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments may be completed by instructing the relevant hardware through a computer program, and that the computer program may be stored in a non-volatile computer-readable storage medium; when executed, the computer program may include the processes of the embodiments of the above methods. Any reference to memory, storage, a database or other media used in the embodiments provided by the present invention may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM).

Those skilled in the art will clearly understand that, for convenience and brevity of description, the division into the functional units and modules described above is given only as an example. In practical applications, the above functions may be assigned to different functional units and modules as needed, that is, the internal structure of the apparatus may be divided into different functional units or modules to complete all or part of the functions described above.

The embodiments described above are only intended to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and shall all be included within the protection scope of the present invention.

Claims (10)

CN202410021233.3A | 2024-01-05 | 2024-01-05 | Industrial Internet data access control method, device, equipment and medium | Active | CN117896130B

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202410021233.3A (CN117896130B) | 2024-01-05 | 2024-01-05 | Industrial Internet data access control method, device, equipment and medium

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202410021233.3A (CN117896130B) | 2024-01-05 | 2024-01-05 | Industrial Internet data access control method, device, equipment and medium

Publications (2)

Publication Number | Publication Date
CN117896130A | 2024-04-16
CN117896130B | 2025-01-24

Family

ID=90648161

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202410021233.3A (Active, CN117896130B) | Industrial Internet data access control method, device, equipment and medium | 2024-01-05 | 2024-01-05

Country Status (1)

Country | Link
CN (1) | CN117896130B

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN119357947A * | 2024-09-30 | 2025-01-24 | 上海零数众合信息科技有限公司 | Data usage control method, device, equipment and medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20150304281A1 * | 2014-03-14 | 2015-10-22 | Avni Networks Inc. | Method and apparatus for application and L4-L7 protocol aware dynamic network access control, threat management and optimizations in SDN based networks
CN108965468A * | 2018-08-16 | 2018-12-07 | 北京京东尚科信息技术有限公司 | Block chain network service platform and its chain code installation method, storage medium
US20200358801A1 * | 2019-05-08 | 2020-11-12 | International Business Machines Corporation | Threat information sharing based on blockchain
CN111950019A * | 2020-06-05 | 2020-11-17 | 成都链向科技有限公司 | Block chain-based Internet of things access control system and method
CN113743955A * | 2021-08-06 | 2021-12-03 | 广西综合交通大数据研究院 | Food material traceability data security access control method based on intelligent contract
CN114219487A * | 2021-12-22 | 2022-03-22 | 中国电子科技网络信息安全有限公司 | Distributed certificate management method for alliance chain
CN115396229A * | 2022-09-01 | 2022-11-25 | 西安电子科技大学 | A blockchain-based cross-domain resource isolation and sharing system
CN116708397A * | 2023-07-11 | 2023-09-05 | 昆明理工大学 | Internet of things cross-domain authentication system and method based on alliance chain and MQTT


Also Published As

Publication number | Publication date
CN117896130B | 2025-01-24

Similar Documents

Publication | Title
US11611560B2 | Systems, methods, and apparatuses for implementing consensus on read via a consensus on write smart contract trigger for a distributed ledger technology (DLT) platform
CN110490305B | Machine learning model processing method based on block chain network and node
CN110537182B | System and method for providing representational state transfer proxy service for blockchain cloud service
US20200371995A1 | System or method to implement right to be forgotten on metadata driven blockchain using shared secrets and consensus on read
JP2021533448A | Systems and methods to support SQL-based rich queries in Hyperledger Fabric blockchain
US20220004539A1 | Privacy preserving architecture for permissioned blockchains
CN111294379B | Block chain network service platform, authority hosting method thereof and storage medium
US20200233858A1 | Peer partitioning
JP2021534512A | DAG-based transaction processing methods and systems in distributed ledgers
US8528043B2 | Systems and methods for generating trust federation data from BPMN choreography
US20190362361A1 | Autocommit transaction management in a blockchain network
CN109325359B | Account system setting method, system, computer device and storage medium
CN110177109B | A dual-agent cross-domain authentication system based on identification password and alliance chain
Manevich et al. | Endorsement in Hyperledger Fabric via service discovery
CN117917681A | Asset transfer method, device, equipment, medium and product based on multi-block chain
US12425249B2 | Dividing data storage and service operations among plural blockchains
KR20220050606A | System and Method for Intelligent mediating based enhanced smart contract for privacy protection
US11138188B2 | Performance optimization
CN117896130B | Industrial Internet data access control method, device, equipment and medium
CN114553440B | Cross-data center identity authentication method and system based on blockchain and attribute signature
CN118556247A | Privacy-preserving asset token exchange
WO2023040554A1 | Blockchain system
Amiri et al. | Separ: A privacy-preserving blockchain-based system for regulating multi-platform crowdworking environments
Ziegler et al. | Designing a security incident response process for self-sovereign identities
CN114579354B | Block chain network service platform, data storage method and storage medium

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
