多域环境下基于属性的授权委托模型

传统的基于实体标识的授权模型会导致由于授权路径的不一致而引起权限传播的不一致,并可能导致不合法的实体进入授权路径获得不应有的权限.针对以上两方面的问题,提出一个基于属性的授权委托模型ABADM(attribute-based authorization delegation model),将授权模型中权限的传递与权力的委托均建立在实体所具有的属性集合的基础之上,以属性集合作为实体自身的代表进行授权,从而确保拥有相同属性凭证链的实体其权限是一致的.模型将属性与访问权限进行明确区分,提出了域内属性权限分配策略和域间属性计算模型,通过两者的结合给出了在ABADM模型中计算实体所拥有的跨域属性集合和访问权限的方法,并结合具体实例对模型的使用进行了说明.

Attribute-Based Authorization Delegation Model in Multi-Domain Environments

Traditional identifier-based authorization models are limited to having different authorization paths thatwill cause the inconsistency in propagation of permission. In addition, unauthorized entities may acquire illegalpermission by such an identifier-based authorization path. In order to solve these two problems, an attribute-basedauthorization delegation model (ABADM), suitable for multi-domain environments is presented. In the ABADMmodel, the delegation of authority and the propagation of permission are all based on the attribute sets of entities,which ensure that the entities on the same credential chain have the same permission. The model integratesattribute-permission assignation policies inside autonomic domains and the interdomain attributes mapping model.The algorithm for calculating the attribute sets and permissions of entities in the multi-domain environments isproposed. The usage of the ABADM model is illustrated through a common example.