Nothing Special   »   [go: up one dir, main page]

WO2023108653A1 - 订阅权限信息处理方法、装置、计算机设备及存储介质 - Google Patents

订阅权限信息处理方法、装置、计算机设备及存储介质 Download PDF

Info

Publication number
WO2023108653A1
WO2023108653A1 PCT/CN2021/139321 CN2021139321W WO2023108653A1 WO 2023108653 A1 WO2023108653 A1 WO 2023108653A1 CN 2021139321 W CN2021139321 W CN 2021139321W WO 2023108653 A1 WO2023108653 A1 WO 2023108653A1
Authority
WO
WIPO (PCT)
Prior art keywords
subscription
client
information
source node
cluster
Prior art date
Application number
PCT/CN2021/139321
Other languages
English (en)
French (fr)
Inventor
吕小强
Original Assignee
Oppo广东移动通信有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Oppo广东移动通信有限公司 filed Critical Oppo广东移动通信有限公司
Priority to CN202180103519.0A priority Critical patent/CN118140497A/zh
Priority to PCT/CN2021/139321 priority patent/WO2023108653A1/zh
Publication of WO2023108653A1 publication Critical patent/WO2023108653A1/zh

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/70Services for machine-to-machine communication [M2M] or machine type communication [MTC]

Definitions

  • the present application relates to the technical field of the Internet of Things, and in particular to a method, device, computer equipment, and storage medium for processing subscription rights information.
  • IoT Internet of Things
  • a client device in the Internet of Things may subscribe resources to a source node (such as a server device) through a proxy device, so as to control and manage the source node.
  • the proxy device may query the source node for the client device's subscription authority to the resources in the source node.
  • Embodiments of the present application provide a method, device, computer equipment, and storage medium for processing subscription rights information. This solution can improve the security when querying the subscription authority through the proxy device. Described technical scheme is as follows:
  • an embodiment of the present application provides a method for processing subscription rights information, the method is executed by a source node, and the method includes:
  • an embodiment of the present application provides a method for processing subscription rights information, the method is executed by a proxy device, and the method includes:
  • the subscription permission information sent by the source node is received, where the subscription permission information is used to indicate the client devices that have subscription permission for the target resource in the source node.
  • an embodiment of the present application provides an apparatus for processing subscription rights information, and the apparatus includes:
  • a sending module configured to send subscription permission information to the proxy device, where the subscription permission information is used to indicate a client device that has subscription permission for the target resource in the source node.
  • an embodiment of the present application provides an apparatus for processing subscription rights information, and the apparatus includes:
  • a receiving module configured to receive subscription permission information sent by the source node, where the subscription permission information is used to indicate client devices that have subscription permission for the target resource in the source node.
  • an embodiment of the present application provides a computer device, the computer device is implemented as an information reporting device, and the computer device includes a processor, a memory, and a transceiver;
  • a computer program is stored in the memory, and the processor executes the computer program, so that the computer device implements the above method for processing subscription rights information.
  • an embodiment of the present application provides a computer device, the computer device includes a processor, a memory, and a transceiver, the memory stores a computer program, and the computer program is used to be executed by the processor to The method for processing the above-mentioned subscription permission information is implemented.
  • an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored in the storage medium, and the computer program is loaded and executed by a processor to implement the above method for processing subscription rights information.
  • the present application also provides a chip, which is configured to run in a computer device, so that the computer device executes the above method for processing subscription rights information.
  • the present application provides a computer program product comprising computer instructions stored in a computer readable storage medium.
  • the processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device executes the above-mentioned method for processing subscription rights information.
  • the present application provides a computer program, which is executed by a processor of a computer device, so as to implement the above method for processing subscription rights information.
  • the proxy device When the proxy device provides the client device with the proxy service of the target resource on the source node, it can first query the source node for the device that has subscribed to the resource on the source node, so as to authenticate the proxy subscription request of the client device right. During this process, the source node can provide relevant information of client devices that have the authority to subscribe to the target resource to the proxy device, while the relevant information of client devices that have subscribed to resources other than the target resource is not It needs to be provided to the proxy device, so as to improve the security when querying the subscription authority through the proxy device, thereby improving the security of the Internet of Things system.
  • FIG. 1 is a schematic diagram of a network architecture of the Internet of Things provided by an embodiment of the present application
  • FIG. 2 is a schematic diagram of a proxy subscription initiation process provided by an embodiment of the present application
  • FIG. 3 is a flowchart of a method for processing subscription rights information provided by an embodiment of the present application
  • FIG. 4 is a flowchart of a method for processing subscription rights information provided by an embodiment of the present application
  • Fig. 5 is a framework diagram of the subscription authority information processing flow provided by an embodiment of the present application.
  • FIG. 6 is a flowchart of a method for processing subscription rights information provided by an embodiment of the present application.
  • Fig. 7 is a schematic diagram of subscription authority information processing involved in the embodiment shown in Fig. 6;
  • FIG. 8 is a framework diagram of a processing flow of subscription rights information provided by an embodiment of the present application.
  • FIG. 9 is a flowchart of a method for processing subscription rights information provided by an embodiment of the present application.
  • FIG. 10 is a schematic diagram of subscription rights information processing involved in the embodiment shown in FIG. 6;
  • Fig. 11 is a block diagram of an apparatus for processing subscription rights information provided by an embodiment of the present application.
  • Fig. 12 is a block diagram of an apparatus for processing subscription rights information provided by an embodiment of the present application.
  • Fig. 13 is a schematic structural diagram of a computer device provided by an embodiment of the present application.
  • the network architecture and business scenarios described in the embodiments of the present application are for more clearly illustrating the technical solutions of the embodiments of the present application, and do not constitute limitations on the technical solutions provided by the embodiments of the present application.
  • the evolution of the technology and the emergence of new business scenarios, the technical solutions provided in the embodiments of this application are also applicable to similar technical problems.
  • FIG. 1 shows a schematic diagram of a network architecture of the Internet of Things provided by an embodiment of the present application.
  • the network architecture of the Internet of Things may include: a source node 110 (shown as a source node 110a and a source node 110b in FIG. 1 ), a client device 120 (shown as a client device 120a and a client device 120b in FIG. 1 ), Proxy device 130 and configuration device 140;
  • the network architecture may also include cloud server 150;
  • the source node 110 may be a device for providing a server function corresponding to the Internet of Things protocol in the Internet of Things.
  • the source node 110 may be a smart home device, such as a smart lamp, a smart TV, a smart air conditioner, a smart refrigerator, a smart microwave oven, a smart rice cooker, a sweeping robot, a smart speaker, a smart switch, and the like.
  • a smart home device such as a smart lamp, a smart TV, a smart air conditioner, a smart refrigerator, a smart microwave oven, a smart rice cooker, a sweeping robot, a smart speaker, a smart switch, and the like.
  • the source node 110 may be industrial production equipment, such as a lathe, an industrial robot, a solar panel, a wind generator, and the like.
  • the source node 110 may be a commercial service device, for example, an unmanned vending machine or the like.
  • the source node 110 may be an intelligent monitoring device, for example, a monitoring camera, an infrared sensor, a sound sensor, a temperature sensor, and the like.
  • the client device 120 may be a terminal device on the user side.
  • the client device 120 can be a smart controller, a smart remote control, a smart phone, a tablet computer, a smart watch, a smart TV, a gateway, etc.; or, the client device 120 can also be a personal computer, such as a desktop computer or a portable computer. , personal workstations, and more.
  • the client device 120 may also be another device that provides a server function corresponding to the Internet of Things protocol.
  • the client device 120 is a client entity (which may be a virtual entity) running on a terminal device.
  • the client device 120 may run on a terminal device for An application program (Application, APP) for performing operations such as access, control, and management.
  • Application Application, APP
  • the proxy device 130 is connected to the source node 110 and the client device 120 at the same time, and provides a service for the client device 120 to proxy subscribe resources to the source node 110 .
  • the configuration device 140 may be a terminal device on the user side.
  • configuration device 140 may be a smart phone, a tablet computer, a smart watch, a smart TV, and the like.
  • the configuration device 140 may also be a client entity (which may be a virtual entity) running on a terminal device, for example, the configuration device 140 may run on a smart phone, and is used to , the client device 120 and the proxy device 130 manage and configure the APP.
  • client entity which may be a virtual entity
  • the configuration device 140 may run on a smart phone, and is used to , the client device 120 and the proxy device 130 manage and configure the APP.
  • the cloud server 150 is a server deployed on the network side.
  • the cloud server 150 can store relevant information of each source node 110, such as current resource status, binding account, etc.; the cloud server 150 can also provide a service interface for remote access to the source node 110, so that the user remote management or control.
  • the above-mentioned source node 110, client device 120, proxy device 130, configuration device 140, and cloud server 150 may be electronic devices that meet the same or different Internet of Things protocols, for example, they may be electronic devices that meet the requirements of the Connection Standard Alliance (Connectivity Standards Alliance, CSA) (or Zigbee Alliance) under the Matter protocol (or connected home working group (Connected Home over IP Working Group, CHIP) project via IP (Internet Protocol, Internet Protocol)) electronic equipment.
  • Connection Standard Alliance Connectivity Standards Alliance, CSA
  • CHIP Connected Home over IP Working Group
  • IP Internet Protocol, Internet Protocol
  • the data model of Matter devices has the following characteristics:
  • the Matter device contains one or more endpoints Endpoint, represented by an Endpoint Number (Endpoint Number, which can also be abbreviated as endpoint-no).
  • a Matter device is a spotlight, and the spotlight has three bulbs, each bulb corresponds to an endpoint, that is, an actual physical device can contain multiple endpoints (of course, it can only contain one endpoint); another example, a The Matter device is a socket, which has 4 jacks, and each jack can correspond to an Endpoint.
  • Each Endpoint corresponds to one or more device types (Device Type), which are represented by a device ID (Device ID).
  • a Matter device is an air conditioner, and the air conditioner includes a thermostat and a fan.
  • the thermostat and the fan correspond to the same Endpoint, the thermostat corresponds to one device type, and the fan corresponds to another device type. Fans can be controlled through the same Endpoint.
  • Each Endpoint contains a variety of clusters (Cluster), and the Cluster is divided into two types: Server and Client, and the corresponding Cluster IDs are the same.
  • Each Cluster contains a variety of attributes (Attribute), events (Event), and instructions (Command), which are represented by Attribute ID, Event ID, and Command ID, and Attribute and Event have corresponding data types.
  • the Internet of Things devices such as the source node 110, the client device 120, the proxy device 130, and the configuration device 140 may also be Zigbee devices.
  • the data model of the Zigbee device is similar to the data model structure of the Matter device. The difference is that there is no Event.
  • the client device in the Internet of Things can subscribe resources to the source node through the proxy device; for example, in the network architecture shown in FIG. 1 above, the client device 120b can subscribe to the source node 110b Subscribe to resources.
  • FIG. 2 shows a schematic diagram of a proxy subscription initiation process provided by an embodiment of the present application.
  • the process of a client device initiating a proxy subscription is as follows:
  • the client device sends a subscription request (SubscribeRequest) for initiating resource subscription to the source node to the proxy device (Proxy), so as to request to subscribe to the C1 resource on the source node.
  • SubscribeRequest a subscription request for initiating resource subscription to the source node to the proxy device (Proxy)
  • the C1 resource may be any resource on the source node, including functional resources such as switches.
  • the client device may also be called a subscribing device
  • the source node may also be called a subscribing target device or a subscribing target node.
  • the proxy device sends a report data (ReportData) message to the source node, so as to notify the client device that it temporarily has no resources of the source node.
  • ReportData report data
  • the proxy device can check whether the client device has the subscription permission to the C1 resource on the source node, such as the browsing (View) permission.
  • the proxy device has the proxy browsing (ProxyView) authority on the access control list (Access Control Lists, ACL) cluster (cluster) resource of the source node, it can subscribe or read the ACL Cluster.
  • the proxy device can obtain the subscription authority of the client device to the C1 resource on the source node, and then determine whether the client device can subscribe to the C1 resource.
  • the subscribing device directly subscribes to the C1 resource on the source node, or, when subscribing to the above C1 resource through a proxy device, it needs to have the permission to subscribe to the C1 resource on the source node (View permission), for example, at the source node
  • the ACL Cluster needs to have the corresponding access control entry (Access Control Entry, ACE) of the client device.
  • the client device may send a status response (StatusResponse) to the proxy device, and after receiving the status response, the proxy device sends a subscription response (SubscribeResponse) to the client device.
  • StatusResponse status response
  • SubscribeResponse subscription response
  • the proxy device initiates a subscription to the C1 resource on the source node.
  • the proxy device may send a subscription request to the source node, so as to request to subscribe to the C1 resource on the source node.
  • the source node sends a ReportData message to the proxy device, which includes subscription data of the C1 resource, such as the status of the C1 resource.
  • the proxy device after receiving the ReportData message sent by the source node, the proxy device sends a StatusResponse message to the source node, and the source node sends a SubscribeResponse message to the proxy device after receiving the StatusResponse message.
  • the proxy device can send a ReportData message to the client device, which includes subscription data of the subscribed C1 resource; after receiving the ReportData message, the client device can send a StatusResponse message to the proxy device.
  • ACL Cluster is deployed on each node Node (corresponding to the above-mentioned Source device), and there is one corresponding instance.
  • the Node When the Node receives a subscription request, it will first check whether the requester has the subscription permission in the ACL.
  • Attributes in the ACL Cluster can be shown in Table 1 below.
  • the definition of the access control entry AccessControlEntryStruct in the ACL in the above Table 1 may be as shown in Table 2 below.
  • AccessControlEntryPrivilegeEnum The enumeration of access control entry privileges in the above table 2 AccessControlEntryPrivilegeEnum can be defined as follows:
  • Proxy browsing rights Proxy view read and subscribe (including ACLCluster);
  • Management authority Administer: Manage+subscribe and modify ACL Cluster.
  • the code for Access Control Cluster could be as follows:
  • the proxy device Before the proxy device subscribes to the target resource on the source node for the client device, it can first query the source node whether the client device has the authority to subscribe to the target resource on the source node. In a possible solution, the proxy device can Subscribe the above ACL cluster to the source node, and then query whether the client device has subscription rights in the ACL cluster. However, during this process, the proxy device can obtain all ACE records on the source node, resulting in the expansion of the proxy device's authority , affecting the security when querying subscription rights through the proxy device.
  • the following embodiments of the present application provide a solution for processing subscription authority information, so that the source node can provide the proxy device with the subscription authority of the target resource when the proxy device inquires whether the client device has the subscription permission for the target resource.
  • the information of the client device with permission without providing all ACE records, that is to say, for resources other than the target resource on the source node, the source node does not need to provide the client with the subscription permission of these other resources.
  • the information of the device is provided to the proxy device, thereby improving the security of the IoT system.
  • FIG. 3 shows a flowchart of a method for processing subscription rights information provided by an embodiment of the present application.
  • the method can be executed by a source node.
  • the source node can be a source in the network architecture shown in FIG. 1 Node 110; the method may include the following steps:
  • Step 301 Send subscription permission information to the proxy device, where the subscription permission information is used to indicate the client devices that have subscription permission for the target resource in the source node.
  • the permission query request can be used to request a single acquisition, or to subscribe to a client device that has subscription permission for the target resource in the source node.
  • the subscription right information includes identification information of client devices that have the subscription right to the target resource.
  • the above identification information of the client device may be a node (Node) identifier (Identity, ID) corresponding to the client device.
  • the subscription permission information further includes at least one of the following two types of information: resource identification information of the target resource, or index information of the security domain (Fabric) of the source node.
  • the target resource may be a single resource or multiple resources.
  • the identification information of the target resource may be identification information of a cluster (Cluster) corresponding to the target resource.
  • the above-mentioned target resource belongs to a specified type of resource in the source node, for example, a resource that is not sensitive to the proxy device.
  • the resource of the specified type may include an application cluster corresponding to a device function of the source node.
  • App cluster refers to the functional cluster of the source node itself, excluding resources related to configuration and device management.
  • the proxy device when the proxy device provides the client device with the proxy service of the target resource on the source node, it can first query the source node for devices that have subscribed to the resource on the source node , to authenticate requests for proxy subscriptions for this client device.
  • the source node can provide relevant information of client devices that have the authority to subscribe to the target resource to the proxy device, while the relevant information of client devices that have subscribed to resources other than the target resource is not It needs to be provided to the proxy device, so as to improve the security when querying the subscription authority through the proxy device, thereby improving the security of the Internet of Things system.
  • FIG. 4 shows a flow chart of a method for processing subscription rights information provided by an embodiment of the present application.
  • the method can be executed by a proxy device.
  • the proxy device can be a proxy in the network architecture shown in FIG. 1 Device 130; the method may include the following steps:
  • Step 401 receiving subscription permission information sent by a source node, where the subscription permission information is used to indicate client devices that have subscription permission for a target resource in the source node.
  • the source node before receiving the subscription permission information sent by the source node, it further includes:
  • the subscription permission information may include identification information of client devices that have the subscription permission of the target resource.
  • the subscription permission information further includes at least one of the following two types of information: resource identification information of the target resource, or index information of the security domain of the source node.
  • the target resource belongs to a specified type resource in the source node.
  • the proxy device when the proxy device provides the client device with the proxy service of the target resource on the source node, it can first query the source node for devices that have subscribed to the resource on the source node , to authenticate requests for proxy subscriptions for this client device.
  • the source node can provide relevant information of client devices that have the authority to subscribe to the target resource to the proxy device, while the relevant information of client devices that have subscribed to resources other than the target resource is not It needs to be provided to the proxy device, so as to improve the security when querying the subscription authority through the proxy device, thereby improving the security of the Internet of Things system.
  • the source node can preset subscription permission information corresponding to each specified type of resource outside the ACL cluster, and the subscription permission information is used for Indicates the client device having the subscription authority of the corresponding resource, and when the proxy device subsequently initiates a proxy subscription, the source node may send the subscription permission information corresponding to the target resource to be subscribed by the proxy device to the proxy device.
  • FIG. 5 shows a framework diagram of a processing flow of subscription rights information provided by an embodiment of the present application.
  • one or more subscription authority information is also set in the source node 51.
  • different subscription authority information may correspond to different resources or a combination of resources.
  • proxy device 52 can query source node 51 for client device A's subscription authority And authenticate the client device A, the process can be as follows:
  • the proxy device 52 initiates a permission query request to the source node 51, so as to request to query subscription permission information.
  • the subscription authority information at least includes identification information of each client device that has the subscription authority to the resource 2 .
  • the source node 51 sends the subscription authority information to the proxy device 52.
  • the proxy device 52 inquires whether the client device A is included among the client devices having subscription rights to the resource 2, and if so, the authentication is passed, otherwise the authentication is not passed.
  • the subscription permission information may be a newly added cluster outside the ACL cluster in the source node, and the newly added cluster may be updated.
  • the newly added cluster (that is, the above subscription permission information) may be a ProxiedClientMgmt cluster (client subscription management cluster).
  • FIG. 6 shows a flowchart of a method for processing subscription rights information provided by an embodiment of the present application.
  • the method can be executed interactively by a proxy device, a configuration device, and a source node, for example, the proxy device, configuration device, and source node
  • the nodes can be respectively the proxy device 130, the configuration device 140 and the source node 110 in the network architecture shown in FIG. 1; the method can include the following steps:
  • Step 601 when the identification information of the client device with the subscription authority to the specified type of resources in the ACL cluster of the source node changes, update the client subscription management cluster corresponding to the change of the ACL cluster of the source node.
  • the source node has a client subscription management cluster.
  • the above-mentioned target resource belongs to a specified type of resource.
  • the ACL cluster is used to specify the access rights of other devices to the resource content in the device.
  • An ACL cluster includes one or more items (Item), and each item may be called an ACE, and the content in an ACE may indicate that a certain node has access authority to a certain resource.
  • an ACE can contain the binding relationship between a node ID (Node ID) and a resource/cluster ID; for example, an ACE includes the ID of a resource in the current device, and other devices that have access to the resource The Node ID.
  • Node ID node ID
  • resource/cluster ID for example, an ACE includes the ID of a resource in the current device, and other devices that have access to the resource The Node ID.
  • the client subscription management cluster includes the identifier of the client device having the subscription right of the target resource.
  • a ProxiedClientMgmt Cluster can be added on the Source Node, and the Cluster stores a list of Clients that subscribe to or read target resources on the Source Node.
  • the definition of ProxiedClientMgmt may be shown in Table 4 below.
  • fabricIndex fabric index
  • proxiedClientList A list of client IDs of clients that can subscribe to or read target content.
  • different ProxiedClientMgmt clusters can be set in the source node.
  • ProxiedClientMgmt clusters can be set in the source node.
  • the binding relationship between the target resource and the identification (such as Node ID) of the client device may be included in the ACL cluster, and the binding relationship indicates that the client device corresponding to the Node ID has the binding relationship to the target resource.
  • Subscription permissions when the binding relationship in the ACL cluster in the source node is updated (for example, a binding relationship is added or deleted), it means that some client devices may have subscription rights to certain resources that are added or removed.
  • the source node may update the client subscription management cluster based on the update status of the binding relationship in the ACL cluster.
  • the step of updating the client subscription management cluster including:
  • the client subscribes to the first resource in the management cluster
  • the corresponding client subscription management entry is updated; wherein, the first resource belongs to a specified type of resource.
  • the configuration device when the configuration device updates the binding relationship between the target resource contained in the ACL cluster in the source node and the identifier of the client device, it may send an ACL cluster update instruction to the source node, and the source node After receiving the ACL cluster update instruction, according to the configuration of the configuration device, the binding relationship between the target resource contained in the ACL cluster and the identifier of the client device is updated; in an exemplary solution, the source node at this time According to the update status of the binding relationship in the ACL cluster, the client subscription management cluster can be directly updated accordingly. specialized configuration.
  • the source node receives an update instruction sent by the configuration device, where the update instruction is used to instruct to update the client subscription management cluster; to update the client subscription management cluster.
  • the configuration device when the configuration device updates the binding relationship between the target resource contained in the ACL cluster in the source node and the identifier of the client device, it may send an ACL cluster update instruction to the source node, and the source node After receiving the ACL cluster update command, according to the configuration of the configuration device, the binding relationship between the target resource contained in the ACL cluster and the identifier of the client device is updated; in addition, the configuration device can also send the client device to the source node A management cluster update command, after the source node receives the client management cluster update command, updates the above-mentioned client subscription to the management cluster. That is to say, in addition to configuring the ACL cluster, the configuration device may perform special configuration on the aforementioned client subscription management cluster.
  • the client subscription management entry corresponding to the first resource is updated, including:
  • the identification information of the first client having the subscription right to the first resource is removed, delete the identification of the first client device from the client subscription management entry corresponding to the first resource information.
  • the client subscription management entry corresponding to the first resource is updated, including:
  • the identification information of the second client with the subscription authority to the first resource is added to the ACL cluster of the source node, the identification information of the second client device is added to the client subscription management entry corresponding to the first resource .
  • step 602 the proxy device sends a permission query request to the source node; correspondingly, the source node receives the permission query request.
  • the above permission query request may be a subscription request for the client to subscribe to the management cluster, or a request for a single acquisition of the client to subscribe to the management cluster.
  • the permission query request may include resource identification information of the target resource.
  • the permission query request may include identification information (such as the name of the cluster) of the cluster corresponding to the target resource.
  • the above permission query request may be a subscription request for the client subscription management item corresponding to the target resource in the client subscription management cluster; or, the above permission query request may be a single acquisition of the client subscription management cluster, A request for a client subscription management item corresponding to a target resource.
  • step 603 the source node sends the client subscription management cluster to the proxy device; correspondingly, the proxy device receives the client subscription management cluster sent by the source node.
  • the above-mentioned client subscription management cluster includes subscription permission information.
  • the above step of sending the client subscription management cluster to the proxy device includes: when the proxy device has the proxy browsing authority to the source node, sending the client subscription management cluster to the proxy device.
  • the above-mentioned proxy browsing permission includes browsing permission to other resources in the source node except the ACL cluster; that is to say, the above-mentioned proxy browsing permission includes: reading and subscribing to client subscription management in the source node Permissions for clusters, and permissions for reading and subscribing to other clusters in the source node except the ACL cluster and client subscription management cluster.
  • a proxy device with the proxy browsing authority of the source node can read and subscribe to other clusters/resources in the source node except the ACL cluster (including the ability to read and subscribe to the above-mentioned ProxiedClientMgmt cluster).
  • the browse permission includes: permission to read and subscribe to other clusters/resources in the source node except the ACL cluster and the client subscription management cluster.
  • the authority settings in the IoT system may be as shown in Table 5 below.
  • the above step of sending the client subscription management cluster to the proxy device includes: when the proxy device has the browsing authority to the source node, sending the client subscription management cluster to the proxy device.
  • the authority of the proxy device to the source node may also be set as the browsing authority.
  • the browsing authority includes the browsing authority to other resources in the source node except the ACL cluster. That is to say, the above browsing permission includes: permission to read and subscribe to other clusters (including the client subscription management cluster) in the source node except the ACL cluster. It should be noted that, in this case, the proxy browsing permission may not be set.
  • the permission settings in the IoT system may be as shown in Table 6 below.
  • the sixth client device when the resource subscription request sent by the sixth client device is received, and the subscription permission information indicates that the sixth client device has subscription permission for the target resource in the source node, the sixth client device is established The subscription relationship in which the device subscribes to the target resource.
  • the proxy device receives the resource subscription request sent by the sixth client device (that is, requests the proxy to subscribe to the above-mentioned target resource), and after obtaining the above-mentioned client subscription management cluster, the proxy device can check the above-mentioned client Whether the identifier (Node ID) of the sixth client device is included in the subscription management cluster, if so, and the source node, the proxy device and the sixth client device belong to the same Fabric (indicated by the FabricIndex in the above-mentioned client subscription management cluster) , the proxy device may proxy subscribe the target resource for the sixth client device, and establish a subscription relationship in which the sixth client device subscribes to the target resource.
  • the identifier Node ID
  • step 601 may be performed before step 603, or may be performed after step 603.
  • Step 604 when the proxy device successfully subscribes to the client subscription management cluster, the source node sends a first update notification to the proxy device, and the proxy device receives the first update notification accordingly.
  • the first update notification is used to instruct the client to subscribe to the update situation of the management cluster.
  • the proxy device after the configuration device adds or deletes the subscription authority of a certain client device to the target resource in the ACL cluster of the source node, if the proxy device has obtained the The client subscribes to the management cluster (including the ProxiedClientMgmt Cluster corresponding to the target resource), and the source node can send the client subscription management cluster update notification to the source node.
  • the first update notification may include a new ProxiedClientMgmt Cluster, or the first update notification may also include identification information of newly added or deleted client devices.
  • the source node sends the first update notification to the proxy device, including:
  • a first update notification is sent to the proxy device.
  • Step 605 when the first update notification indicates to delete the identification information of the third client device from the client subscription management cluster, remove the subscription relationship corresponding to the third client device.
  • FIG. 7 shows a schematic diagram of subscription rights information processing according to the embodiment of the present application. As shown in Figure 7, the process may include the following steps:
  • Step S71 The APP sets on the SourceNode the permission of the Client to access the target resource of the targetCluster on it; if the permission assigned to the Client includes the view permission, the ProxiedClientMgmt cluster needs to be processed.
  • the set permissions are View, ProxyView, operate, manage, and administer permissions, it means that the client can have subscription or read permissions.
  • targetCluster can be App cluster. App cluster refers to the functional cluster of the device itself, excluding resources related to configuration and device management. Step S71 may involve two methods of processing the ProxiedClientMgmt Cluster:
  • the Source Node After the ACL cluster is set, the Source Node automatically updates the Cluster according to the ACL setting result. If a client has read or subscribe permission to the target resource in the ACL, a binding relationship between the client and the target resource will be automatically added in the ProxiedClientMgmt Cluster. If a client's read or subscribe permission to the target resource is canceled, the binding relationship between the corresponding client and the target resource will be automatically deleted in the ProxiedClientMgmt cluster accordingly.
  • the ACL Cluster After the ACL Cluster is set, it is necessary to continue to set the ProxiedClientMgmt Cluster. If the ACL adds a client to read or subscribe to the target resource, the APP will continue to add a binding relationship between the client and the target resource in the ProxiedClientMgmt Cluster. If the corresponding binding relationship is not set, the Proxy cannot perceive the client's authority, and cannot complete the proxy of the client's subscription to the target resource. Correspondingly, if a client's read or subscribe permission to the target resource is canceled, the APP correspondingly deletes the binding relationship between the corresponding client and the target resource in the ProxiedClientMgmt cluster.
  • the Client discovers Proxys through a Proxy discovery mechanism, and selects one of them as its proxy Proxy.
  • the so-called proxy proxy means that the client can subscribe to the target resource on the source node by sending a subscription message to the proxy.
  • the Client sends to the Proxy a request for subscribing to the target resource on the Source Node.
  • Proxy if the Proxy has not subscribed to the target resource on the Source Node before, the Proxy is required to subscribe to the target resource on the Source Node. On this basis, if the Proxy has not subscribed to the ProxiedClientMgmt Cluster, it needs to subscribe to the Cluster. After successfully subscribing, Proxy can get the content of ProxiedClientMgmt Cluster.
  • the Proxy can also determine whether the above-mentioned Client has the authority to subscribe to the target resource on the Source Node according to the content of the obtained ProxiedClientMgmt Cluster, that is, whether the Target includes the target resource; whether the Subjects include the NodeID of the Client; whether they are the same Fabric, if If the above conditions are all satisfied, it means that the Client has the permission, and the Proxy can allow the Client to subscribe to the target resource.
  • the Source Node automatically updates the content of the ProxiedClientMgmt Cluster, and deletes the Node ID of the Client from the corresponding record (the target contains the record of the target resource). Deleting the record means that the Client has no permission to access the Source Node target resource.
  • the APP continues to modify the content of the ProxiedClientMgmt Cluster, and deletes the Client's Node ID from the corresponding record (the target contains the target resource record).
  • the Source Node can send a content change message to the Proxy subscribed to the ProxiedClientMgmt Cluster. Therefore, the Proxy can learn the latest list of clients that can access the target resources of the Source Node.
  • the Proxy can confirm which (or which) Clients have canceled the permission to subscribe to the target resource, so that the Proxy needs to initiate the step of terminating the subscription relationship.
  • the Source Node can also directly send a list of Clients that cancel the subscription permission to the Proxy, and the Proxy can also directly cancel the subscription relationship of the Client to the target resource according to the contents of the list.
  • the Proxy needs to process in this step is the subscription relationship of the client that directly subscribes to the Proxy. If a Client indirectly subscribes to the Proxy and SourceNode by subscribing to other proxies, it does not need to be processed.
  • the above steps are described by taking the agent device to obtain/subscribe the entire client subscription management cluster as an example.
  • the agent device can also obtain/subscribe the client subscription management cluster once.
  • Manage information corresponding to target resources in the cluster For example, the identification information of the client device having the subscription authority to the target resource may be obtained/subscribed from the client subscription management cluster in a single time (that is, to subscribe separately or obtain the above-mentioned subscription authority information).
  • the proxy device can subscribe to the management cluster from the client through the common instructions of the Internet of Things protocol. Obtain/subscribe the above subscription permission information once.
  • the proxy device when the above-mentioned single acquisition/subscription of the identification information of the client device that has the subscription authority to the target resource from the client subscription management cluster, the proxy device can also provide A dedicated instruction set for the client subscription management cluster to obtain/subscribe the above subscription permission information once.
  • the client subscription management cluster further includes a first instruction set
  • the first set of instructions is used to provide the proxy device with the identification information of the client device that has the subscription authority to the target resource according to the client subscription management cluster.
  • the above-mentioned first instruction set defines the instructions used between the proxy device and the source node for subscribing/single querying the above-mentioned subscription authority information.
  • the first instruction set includes at least one of the following instructions:
  • Client information acquisition request is used for a single request to subscribe to permission information
  • the client information acquisition response is used to carry the subscription permission information
  • Client information subscription request the client information subscription request is used to subscribe to the above subscription permission information
  • Client information subscription response is used to indicate whether the subscription is successful
  • Client information report is used to carry the subscription authority information, or carry the first change information; the first change information is used to indicate the change of the subscription authority information.
  • the ProxiedClientMgmt shown in the above Table 4 can be included, and the command (Command) used when obtaining the information in the ProxiedClientMgmt can also be provided.
  • the definitions of the clusters involved in this solution may be shown in Table 7 below.
  • sending the subscription authority information to the proxy device by the source node includes: sending a client information acquisition response to the proxy device when receiving the client information acquisition request sent by the proxy device.
  • the above client information acquisition request may carry identification information of the target resource, such as resource ID/cluster ID of the target resource.
  • the proxy device before receiving the subscription permission information sent by the source node, the proxy device also sends a client information acquisition request to the source node; the client information acquisition request is used for a single request for subscription permission information; the proxy device receives the subscription permission information sent by the source node
  • the information step includes: receiving the client information acquisition response sent by the source node; the client information acquisition response includes rights subscription information; the rights subscription information is generated by the source node according to the client subscription management cluster in the source node.
  • the source node sends the subscription authority information to the proxy device, including: when receiving the client information subscription request sent by the proxy device and determining that the proxy device succeeds, sending a client information subscription response to the proxy device ; Send a client information report carrying subscription rights information to the proxy device.
  • the above client information subscription request may carry the identification information of the target resource.
  • the proxy device before receiving the subscription permission information sent by the source node, the proxy device also sends a client information subscription request to the source node; the client information subscription request is used to subscribe to the above subscription permission information; and receives the client information subscription response sent by the source node , the client information subscription response is used to indicate whether the subscription is successful; the steps for the proxy device to receive the subscription permission information sent by the source node include:
  • the client information subscription response indicates that the subscription is successful
  • the client information report containing the permission subscription information sent by the source node is received; the permission subscription information is generated by the source node according to the client subscription management cluster in the source node.
  • the source node can send the proxy device Sending a second update notification, where the second update notification is used to indicate the change of the client subscription management entry corresponding to the target resource.
  • the proxy device can receive the second update notification sent by the source node;
  • the second update notification is sent when the terminal subscription management entry changes, and the second update notification is used to indicate the change of the client subscription management entry corresponding to the target resource.
  • the second update notification is a client information report including the above-mentioned first change information.
  • the proxy device may remove the subscription relationship corresponding to the fourth client device.
  • the proxy device when the proxy device provides the client device with the proxy service of the target resource on the source node, it can first query the source node for devices that have subscribed to the resource on the source node , to authenticate requests for proxy subscriptions for this client device.
  • the source node can provide relevant information of client devices that have the authority to subscribe to the target resource to the proxy device, while the relevant information of client devices that have subscribed to resources other than the target resource is not It needs to be provided to the proxy device, so as to improve the security when querying the subscription authority through the proxy device, thereby improving the security of the Internet of Things system.
  • the above-mentioned subscription authority information may also be information automatically generated by the source node according to the ACL cluster, and the source node may use the generated subscription authority information sent to the proxy device.
  • FIG. 8 shows a framework diagram of a processing flow of subscription rights information provided by an embodiment of the present application.
  • an ACL cluster is set in the source node 81, and the ACL cluster includes ACEs corresponding to various resources; for example, in FIG. 5, ACE 81a corresponds to resource 1, and ACE 81b Corresponding to resource 2, ACE 81c corresponds to resource 3.
  • proxy device 82 may query source node 81 for the subscription of client device A.
  • authority and authenticate client device A the process can be as follows:
  • the proxy device 82 initiates a permission query request to the source node 81, so as to request to query the subscription permission information corresponding to the resource 2.
  • the source node 81 queries the ACL cluster, generates subscription permission information corresponding to the resource 2, and sends it to the proxy device 52.
  • the proxy device 82 inquires whether each client device indicated by the subscription permission information corresponding to the resource 2 includes the client device A, and if so, the authentication passes, otherwise, the authentication fails.
  • an ACL subscription cluster (observeACL cluster) can be set in the source node, and the cluster provides a method of obtaining and subscribing to the client list with the permission to subscribe to the target resource.
  • the Proxy can obtain the Client List that has the permission to subscribe to the target resource. Therefore, the Proxy does not need to directly access the ACL resource.
  • SourceNode receives the Proxy's observeACL cluster command, and can generate a response based on the content of the ACL.
  • FIG. 9 shows a flow chart of a method for processing subscription rights information provided by an embodiment of the present application.
  • the method can be executed interactively by a proxy device, a configuration device, and a source node.
  • the proxy device, configuration device, and source node The nodes can be respectively the proxy device 130, the configuration device 140 and the source node 110 in the network architecture shown in FIG. 1; the method can include the following steps:
  • step 901 the proxy device sends a permission query request to the source node; correspondingly, the source node receives the permission query request.
  • the permission query request is used for a single acquisition or subscription of identification information of client devices that have subscription permission for the target resource in the source node.
  • the permission query request may include resource identification information of the target resource.
  • the permission query request may include identification information (such as the name of the cluster) of the cluster corresponding to the target resource.
  • Step 902 the source node generates subscription permission information according to the ACL cluster in the source node.
  • the source node includes a subscribed access control list ACL cluster (observeACL cluster); the subscribed ACL cluster is used to indicate the processing mode of the permission query request sent by the proxy device.
  • observeACL cluster subscribed access control list ACL cluster
  • the ACL subscription cluster may include a second instruction set, and the second instruction set is used to provide the proxy device with the identification information of the client device that has the subscription right to the target resource according to the ACL cluster.
  • the source node when receiving the permission query request sent by the proxy device, the source node generates subscription permission information according to the ACL cluster of the source node. For example, the source node can query the ACE corresponding to the target resource from the local ACL cluster; wherein, the ACE corresponding to the target resource contains the binding relationship between the target resource and the identity of the client device; then, the source node according to the query As a result, subscription permission information is generated.
  • the second instruction set includes at least one of the following instructions:
  • ACE acquisition request (GetProxiedClientACEReq); ACE acquisition request is used for a single request to subscribe to permission information;
  • ACE acquisition response (GetProxiedClientACERsp); ACE acquisition response is used to carry the subscription permission information generated according to the ACL cluster;
  • ACE subscription request (SubscribeProxiedACEReq); ACE subscription request is used to subscribe to the above subscription permission information;
  • ACE subscription response (SubscribeProxiedACERsp); ACE subscription response is used to indicate whether the subscription is successful;
  • the ACE report (ReportProxiedACE); the ACE report is used to carry the subscription permission information generated according to the ACL cluster, or to carry the second change information, and the second change information is used to indicate the change situation of the subscription permission information.
  • the source node may query the ACE corresponding to the target resource in the ACL cluster according to the resource identifier of the target resource, and generate the above subscription permission information based on the ACE corresponding to the target resource.
  • the source node After the source node inquires about the ACE corresponding to the target resource, it generates the above-mentioned subscription authority information according to the identification (such as Node ID) of the client device in the inquired ACE. For example, the identifier of the client device in the queried ACE is extracted and combined with the identifier of the target resource and the identifier of the security domain of the source node to generate the above subscription authority information.
  • the identification such as Node ID
  • the source node may also directly use the queried ACE as the subscription permission information, or add the queried ACE to the subscription permission information.
  • step 903 the source node sends subscription permission information to the proxy device; correspondingly, the proxy device receives the subscription permission information sent by the source node.
  • the step of the source node generating subscription permission information according to the ACL cluster of the source node may include: when receiving the ACE acquisition request sent by the proxy device, generating subscription permission information according to the ACL cluster of the source node; When , when the source node sends subscription permission information to the proxy device, it may send an ACE to the proxy device to obtain a response.
  • the proxy device before the proxy device receives the subscription permission information sent by the source node, it can also send an ACE acquisition request to the source node; the ACE acquisition request is used for a single request for subscription permission information; the steps for the proxy device to receive the subscription permission information sent by the source node It may include: receiving the ACE acquisition response sent by the source node; the ACE acquisition response includes permission subscription information.
  • the source node when the source node generates subscription permission information according to the ACL cluster of the source node, it may receive the ACE subscription request sent by the proxy device and determine that the proxy device subscribes successfully, and then generate the subscription permission information according to the ACL cluster of the source node. Generate subscription permission information; at this time, when sending the subscription permission information to the proxy device, the source node may send an ACE report carrying the subscription permission information to the proxy device.
  • the proxy device before receiving the subscription permission information sent by the source node, can also send an ACE subscription request to the source node; the ACE subscription request is used to subscribe to the above subscription permission information; receive the ACE subscription response sent by the source node, the ACE subscription response uses To indicate whether the subscription is successful; when the proxy device receives the subscription permission information sent by the source node, it can receive the ACE report containing the permission subscription information sent by the source node when the ACE subscription response indicates that the subscription is successful; the permission subscription information is provided by the source node.
  • the node is generated according to the ACL cluster in the source node.
  • the subscription permission information is sent to the proxy device, including:
  • the source node sends the subscription permission information to the proxy device.
  • the subscription authority information is sent to the proxy device.
  • the above-mentioned SubscribeProxiedACEReq is used to request the source node to subscribe to the information of the client device with the subscription authority to the target resource (specifically, it can be ReportProxiedACE). Notify the proxy device.
  • the above-mentioned ReportProxiedACE may include the Node ID of the client device that has subscription authority to the target resource in the source node.
  • GetProxiedClientACEReq is used to request from the source node to obtain (such as a single acquisition) the information of the client device that has the subscription permission to the target resource
  • GetProxiedClientACERsp is used to respond to GetProxiedClientACEReq, which carries the client device that has the subscription permission to the target resource device identification information.
  • the sixth client device when the resource subscription request sent by the sixth client device is received, and the subscription permission information indicates that the sixth client device has the subscription permission of the target resource in the source node, the sixth client device is established A subscription relationship in which a device subscribes to a target resource.
  • Step 904 In the case that the proxy device successfully subscribes to the above-mentioned subscription authority information, when the identification information of the client device with the subscription authority to the target resource in the ACL cluster of the source node changes, a third update notification is sent to the proxy device , correspondingly, the proxy device receives the third update notification.
  • the third update notification is used to indicate the change of the identification information of the client device having the subscription right to the resource in the source node.
  • the third update notification is an ACE report including the second change information.
  • the ACL cluster update notification is used to indicate the update situation of the binding relationship in the ACL cluster.
  • an ACL cluster update notification is sent to the proxy device, including:
  • the ACL cluster update notification is sent to the proxy device.
  • an ACL cluster update notification is sent to the proxy device, including:
  • the ACE information of the reporting proxy is sent to the proxy device.
  • the source node when the binding relationship between the target resource contained in the ACL cluster in the source node and the identifier of the client device is updated, the source node can directly report the proxy's ACE information, The agent device is notified of the above update situation.
  • receiving the ACL cluster update notification sent by the source node includes:
  • Step 905 when the third update notification indicates that the identification information of the fifth client device is deleted from the client subscription management cluster, the proxy device removes the subscription relationship corresponding to the fifth client device.
  • the observeACL cluster stipulates that "those Nodes can access those resources by which means”; thus, the Source Node can learn the information in response to the observeACL method from the information in the ACL record.
  • the definition of observeACL cluster may be as shown in Table 8 below.
  • GetProxiedClientACERsp or ReportProxiedACE can contain a list, and each list item in the list can include the fabricindex of the source node, the sourceID of a certain target resource, and the The NodeID of the client device with subscription permissions.
  • the proxy device when the proxy device queries the subscription permission information through a single acquisition, the proxy device sends GetProxiedClientACEReq to the source node to query the Node ID corresponding to the target resource. Correspondingly, the source node returns GetProxiedClientACERsp to the proxy device.
  • the proxy device when the proxy device queries subscription permission information through subscription, the proxy device sends SubscribeProxiedACEReq to the source node to subscribe to the Node ID corresponding to the target resource, and the source node returns SubscribeProxiedACERsp to the proxy device to notify the proxy device whether the subscription is successful. If successful, the source node also sends ReportProxiedACE to the proxy device, and when the binding relationship related to the target resource in the subsequent ACL cluster changes, the source node sends a new ReportProxiedACE to the proxy device again.
  • the above-mentioned Cluster is used for proxy, and other types of devices are unavailable.
  • the source node can confirm whether the request is initiated by a proxy-type device.
  • FIG. 10 shows a schematic diagram of subscription rights information processing according to the embodiment of the present application. As shown in Figure 10, the process may include the following steps:
  • the app configures the ACL Cluster of the Source Node; in this process, it assigns permissions to the Clients that subscribe to the target resources on the SourceNode.
  • the Client discovers Proxys through a Proxy discovery mechanism, and selects one of them as its proxy Proxy.
  • the so-called proxy proxy means that the client can subscribe to the target resource on the source node by sending a subscription message to the proxy.
  • the Client sends a request to the Proxy to subscribe to the target resource on the Source Node.
  • the proxy sends SubscribeProxiedACEReq to subscribe to the Client with the view permission to access the Source Node resource; here the View permission corresponds to the ACL privilege including: View, operate, management, and Administer.
  • the Source Node checks whether the Proxy has permission to trigger this method: whether it has the operate permission, and whether it is a proxy. If it has the authority, execute the subsequent S1006.
  • the SourceNode sends SubscribeProxiedACERsp to complete the subscription.
  • the optional Proxy can also obtain the Client Node List with view permission through GetProxiedACEReq, and the Source Node responds through the GetProxiedClientACERsp message, and the message contains the Client List that can subscribe to the target resource. You can also carry FabricIndex and Target.
  • the proxy device when the proxy device provides the client device with the proxy service of the target resource on the source node, it can first query the source node for devices that have subscribed to the resource on the source node , to authenticate requests for proxy subscriptions for this client device.
  • the source node can provide the proxy device with relevant information about the client device that has the authority to subscribe to the target resource that the client device wants to subscribe to, and for other resources that have the right to subscribe to the target resource
  • the relevant information of the client device does not need to be provided to the proxy device, thereby improving the security when querying the subscription authority through the proxy device, thereby improving the security of the Internet of Things system.
  • FIG. 11 shows a block diagram of an apparatus for processing subscription rights information provided by an embodiment of the present application.
  • the device has the functions executed by the source node in each of the foregoing method embodiments.
  • the subscription rights information processing apparatus 1100 may include:
  • the sending module 1101 is configured to send subscription permission information to the proxy device, where the subscription permission information is used to indicate client devices that have subscription permission for the target resource in the source node.
  • the subscription permission information includes identification information of client devices that have subscription permission for the target resource.
  • the subscription permission information further includes at least one of the following two types of information:
  • Resource identification information of the target resource or security domain index information of the source node.
  • the source node has a client subscription management cluster
  • the client subscription management cluster includes identification information of client devices that have subscription rights to the target resource.
  • the sending module is configured to send the client subscription management cluster to the proxy device, where the client subscription management cluster includes the subscription permission information.
  • the device further includes:
  • the first update module is configured to update the ACL cluster of the source node corresponding to the change of the ACL cluster of the source node when the identification information of the client device having the subscription authority to a specified type of resource changes in the ACL cluster of the source node.
  • the above client subscribes to the management cluster to update;
  • the target resource belongs to the specified type of resource.
  • the first updating module is configured to, when the identification information of the client device with the subscription authority to the first resource in the ACL cluster of the source node changes, corresponding to the For the change of the ACL cluster in the source node, update the client subscription management entry corresponding to the first resource in the client subscription management cluster;
  • the first resource belongs to the specified type of resource.
  • the first update module is configured to, when the identification information of the first client that has the subscription right to the first resource in the ACL cluster of the source node is removed, Deleting the identification information of the first client device from the client subscription management entry corresponding to the first resource.
  • the first updating module is configured to, when the identification information of the second client with the subscription right to the first resource is added to the ACL cluster of the source node, in The identification information of the second client device is added to the client subscription management entry corresponding to the first resource.
  • the resource of the specified type includes an application cluster corresponding to the device function of the source node.
  • the device further includes:
  • a receiving module configured to receive an update instruction sent by the configuration device, where the update instruction is used to instruct to update the client subscription management cluster;
  • the second update module is configured to update the client subscription management cluster.
  • the sending module is configured to send the client subscription management cluster to the proxy device when the proxy device has proxy browsing authority to the source node;
  • the proxy browsing permission includes browsing permission to other resources in the source node except the ACL cluster.
  • the sending module is configured to send the client subscription management cluster to the proxy device when the proxy device has browsing authority to the source node;
  • the browsing permission includes browsing permission to other resources in the source node except the ACL cluster.
  • the sending module is further configured to, when the proxy device successfully subscribes to the client subscription management cluster, when the client subscription management cluster changes, send the The proxy device sends a first update notification, where the first update notification is used to instruct the client to subscribe to an update situation of the management cluster.
  • the client subscription management cluster further includes a first instruction set
  • the first set of instructions is used to provide, to the proxy device, identification information of a client device that has a subscription right to the target resource according to the client subscription management cluster.
  • the first instruction set includes at least one of the following instructions:
  • a client information acquisition request is used for a single request for the subscription permission information
  • a client information acquisition response is used to carry the subscription permission information
  • a client information subscription request is used to subscribe to the subscription permission information
  • a client information subscription response is used to indicate whether the subscription is successful
  • a client information report is used to carry the subscription authority information, or carry first change information; the first change information is used to indicate the change of the subscription authority information.
  • the sending module is configured to send the client information obtaining response to the proxy device when receiving the client information obtaining request sent by the proxy device.
  • the sending module is configured to send the client information subscription request sent by the proxy device to the proxy device when it is determined that the proxy device succeeds.
  • the sending module is further configured to send the client information report carrying the subscription permission information to the proxy device.
  • the sending module is further configured to, when the proxy device successfully subscribes to the subscription permission information, when the client subscribes to the resource corresponding to the target resource in the management cluster
  • a second update notification is sent to the proxy device, where the second update notification is used to indicate a change situation of the client subscription management entry corresponding to the target resource.
  • the second update notification is the client information report including the first change information.
  • the source node has an ACL subscription cluster
  • the ACL subscription cluster includes a second instruction set, and the second instruction set is used to provide the proxy device with identification information of a client device that has a subscription right to the target resource according to the ACL cluster.
  • the second instruction set includes at least one of the following instructions:
  • An access control entry ACE acquisition request is used for a single request for the subscription permission information
  • An ACE acquisition response is used to carry the subscription permission information generated according to the ACL cluster;
  • the ACE subscription request is used to subscribe to the subscription permission information
  • the ACE subscription response is used to indicate whether the subscription is successful
  • the ACE report is used to carry the subscription permission information generated according to the ACL cluster, or to carry second change information, where the second change information is used to indicate a change situation of the subscription permission information.
  • the device further includes:
  • a generating module configured to generate the subscription permission information according to the ACL cluster of the source node before the sending module sends the subscription permission information to the proxy device.
  • the generating module is configured to generate the subscription permission information according to the ACL cluster of the source node when receiving the ACE acquisition request sent by the proxy device;
  • the sending module is configured to send the ACE acquisition response to the proxy device.
  • the generating module is configured to generate an ACL cluster according to the source node when receiving the ACE subscription request sent by the proxy device and determining that the proxy device subscribes successfully.
  • the subscription rights information ;
  • the sending module is configured to send the ACE report carrying the subscription permission information to the proxy device.
  • the sending module is further configured to: when the proxy device successfully subscribes to the subscription permission information, when the ACL cluster of the source node has the When the identification information of the client device with subscription authority changes, send a third update notification to the proxy device, where the third update notification is used to indicate the Changes to the identification information.
  • the third update notification is the ACE report that includes the second change information.
  • the sending module is configured to: if the device type of the proxy device is a proxy type, and the proxy device has the authority to execute the function of the source node, send the proxy device the Subscription permission information described above.
  • FIG. 12 shows a block diagram of an apparatus for processing subscription rights information provided by an embodiment of the present application.
  • the apparatus is capable of realizing the functions executed by the agent device in each of the foregoing method embodiments.
  • the subscription right information processing apparatus 1200 may include:
  • the receiving module 1201 is configured to receive subscription permission information sent by a source node, where the subscription permission information is used to indicate client devices that have subscription permission for a target resource in the source node.
  • the subscription permission information includes identification information of client devices that have subscription permission for the target resource.
  • the subscription permission information further includes at least one of the following two types of information:
  • Resource identification information of the target resource or security domain index information of the source node.
  • the receiving module is configured to receive the client subscription management cluster sent by the source node; the client subscription management cluster includes clients with subscription rights to the target resource The identification information of the end device.
  • the receiving module is further configured to receive the first update notification sent by the source node when the proxy device successfully subscribes to the client subscription management cluster, and the second An update notification is used to instruct the client to subscribe to the update status of the management cluster.
  • the device further includes:
  • a first removal module configured to remove the subscription relationship corresponding to the third client device when the first update notification indicates that the identification information of the third client device is deleted from the client subscription management cluster .
  • the device further includes:
  • a first sending module configured to send a client information acquisition request to the source node before the receiving module receives the subscription authority information sent by the source node; the client information acquisition request is used for a single request for the subscription authority information;
  • the receiving module is configured to receive a client information acquisition response sent by the source node; the client information acquisition response includes the authority subscription information; the authority subscription information is obtained by the source node according to the source node Client subscriptions in management cluster generation.
  • the device further includes:
  • the second sending module is configured to send a client information subscription request to the source node before the receiving module receives the subscription permission information sent by the source node; the client information subscription request is used to subscribe to the subscription permission information;
  • the receiving module is configured to receive the client information subscription response sent by the source node, and the client information subscription response is used to indicate whether the subscription is successful;
  • the receiving module is further configured to receive a client information report containing the permission subscription information sent by the source node when the client information subscription response indicates that the subscription is successful; the permission subscription information is provided by the The source node is generated according to the client subscription management cluster in the source node.
  • the receiving module is further configured to receive a second update notification sent by the source node when the proxy device successfully subscribes to the subscription authority information; the second update The notification is sent by the source node when the client subscription management entry corresponding to the target resource in the client subscription management cluster changes, and the second update notification is used to indicate that the client subscription management entry corresponding to the target resource Changes to client subscription management entries.
  • the second update notification is a client information report including first change information; the first change information is used to indicate a change of the subscription permission information.
  • the device further includes:
  • a second removal module configured to remove the subscription relationship corresponding to the fourth client device when the second update notification indicates that the identification information of the fourth client device is deleted from the client subscription management cluster .
  • the device further includes:
  • a third sending module configured to send an ACE acquisition request to the source node before the receiving module receives the subscription authority information sent by the source node; the ACE acquisition request is used to request the subscription authority information once;
  • the receiving module is configured to receive the ACE acquisition response sent by the source node; the ACE acquisition response includes the permission subscription information; the permission subscription information is obtained by the source node according to the ACL cluster in the source node generate.
  • the device further includes:
  • a fourth sending module configured to send an ACE subscription request to the source node before the receiving module receives the subscription permission information sent by the source node; the ACE subscription request is used to subscribe to the subscription permission information;
  • the receiving module is configured to receive the ACE subscription response sent by the source node, and the ACE subscription response is used to indicate whether the subscription is successful;
  • the receiving module is further configured to receive an ACE report containing the permission subscription information sent by the source node when the ACE subscription response indicates that the subscription is successful; the permission subscription information is provided by the source node according to ACL cluster generation in the source node.
  • the receiving module is further configured to receive a third update notification sent by the source node when the proxy device successfully subscribes to the subscription authority information; the third update The notification is sent by the source node in the ACL cluster when the identification information of the client device that has subscription rights to the target resource changes, and the third update notification is used to indicate that the client device that has subscription rights to the source node Changes in the identification information of the client device for subscription rights to resources in .
  • the third update notification is an ACE report including second change information; the second change information is used to indicate a change of the subscription right information.
  • the device further includes:
  • a third removing module configured to remove the subscription relationship corresponding to the fifth client device when the third update notification indicates that the identification information of the fifth client device is deleted from the client subscription management cluster .
  • the device further includes:
  • a relationship establishment module configured to receive a resource subscription request sent by a sixth client device, and the subscription permission information indicates that the sixth client device has subscription permission for the target resource in the source node , establishing a subscription relationship in which the sixth client device subscribes to the target resource.
  • the device provided by the above embodiment realizes its functions, it only uses the division of the above-mentioned functional modules as an example for illustration. In practical applications, the above-mentioned function allocation can be completed by different functional modules according to actual needs. That is, the content structure of the device is divided into different functional modules to complete all or part of the functions described above.
  • FIG. 13 shows a schematic structural diagram of a computer device 1300 provided by an embodiment of the present application.
  • the computer device 1300 may include: a processor 1301 , a receiver 1302 , a transmitter 1303 , a memory 1304 and a bus 1305 .
  • the processor 1301 includes one or more processing cores, and the processor 1301 executes various functional applications and information processing by running software programs and modules.
  • the receiver 1302 and the transmitter 1303 can be implemented as a communication component, which can be a communication chip.
  • the communication chip can also be called a transceiver.
  • the memory 1304 is connected to the processor 1301 through the bus 1305 .
  • the memory 1304 may be used to store a computer program, and the processor 1301 is used to execute the computer program, so as to implement the various steps in the foregoing method embodiments.
  • volatile or non-volatile storage device includes but not limited to: magnetic disk or optical disk, electrically erasable and programmable Read Only Memory, Erasable Programmable Read Only Memory, Static Anytime Access Memory, Read Only Memory, Magnetic Memory, Flash Memory, Programmable Read Only Memory.
  • the transceiver 1302 when the computer device 1300 is implemented as a source node, the transceiver 1302 is configured to send subscription rights information to the proxy device, and the subscription rights information is used to indicate that the target in the source node A resource is a client device with subscription permissions.
  • the transceiver 1302 is configured to receive the subscription authority information sent by the source node, and the subscription authority information is used to indicate the The target resource is a client device that has subscription permissions.
  • the embodiment of the present application also provides a computer-readable storage medium, where a computer program is stored in the storage medium, and the computer program is loaded and executed by a processor to implement each of the above method embodiments, the agent device or the source node All or part of the steps performed.
  • the present application also provides a chip, which is used to run in a computer device, so that the computer device executes all or part of the steps performed by the proxy device or the source node in the above method embodiments.
  • the present application also provides a computer program product, the computer program product or the computer program includes computer instructions, and the computer instructions are stored in a computer-readable storage medium.
  • the processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs all or part of the steps performed by the proxy device or the source node in the above method embodiments.
  • the present application also provides a computer program, which is executed by a processor of a computer device, so as to implement all or part of the steps performed by the proxy device or the source node in each of the above method embodiments.
  • the functions described in the embodiments of the present application may be implemented by hardware, software, firmware or any combination thereof.
  • the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
  • Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
  • a storage media may be any available media that can be accessed by a general purpose or special purpose computer.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

一种订阅权限信息处理方法、装置、计算机设备及存储介质,属于物联网技术领域。所述方法包括:向代理设备发送订阅权限信息(301),所述订阅权限信息用于指示对所述源节点中的目标资源具有订阅权限的客户端设备。本方案中,源节点可以将具有订阅目标资源的权限的客户端设备的相关信息提供给代理设备,而对于具有订阅该目标资源之外的其它资源的客户端设备的相关信息,则不需要提供给代理设备,从而提高通过代理设备进行订阅权限查询时的安全性,进而提高了物联网系统的安全性。

Description

订阅权限信息处理方法、装置、计算机设备及存储介质 技术领域
本申请涉及物联网技术领域,特别涉及一种订阅权限信息处理方法、装置、计算机设备及存储介质。
背景技术
随着物联网(Internet of Things,IoT)技术的不断发展,越来越多的物联网设备在智能家居、工业生产等诸多领域给用户的生产生活带来了极大的便利性。
在相关技术中,物联网中的客户端设备可以通过代理设备向源节点(比如服务端设备)订阅资源,以实现对源节点的控制和管理。在上述订阅过程中,代理设备可以向源节点查询该客户端设备对源节点中的资源的订阅权限。
发明内容
本申请实施例提供了一种订阅权限信息处理方法、装置、计算机设备及存储介质。该方案能够提高通过代理设备进行订阅权限查询时的安全性。所述技术方案如下:
一方面,本申请实施例提供了一种订阅权限信息处理方法,所述方法由源节点执行,所述方法包括:
向代理设备发送订阅权限信息,所述订阅权限信息用于指示对所述源节点中的目标资源具有订阅权限的客户端设备。
一方面,本申请实施例提供了一种订阅权限信息处理方法,所述方法由代理设备执行,所述方法包括:
接收源节点发送的订阅权限信息,所述订阅权限信息用于指示对所述源节点中的目标资源具有订阅权限的客户端设备。
另一方面,本申请实施例提供了一种订阅权限信息处理装置,所述装置包括:
发送模块,用于向代理设备发送订阅权限信息,所述订阅权限信息用于指示对所述源节点中的目标资源具有订阅权限的客户端设备。
另一方面,本申请实施例提供了一种订阅权限信息处理装置,所述装置包括:
接收模块,用于接收源节点发送的订阅权限信息,所述订阅权限信息用于指示对所述源节点中的目标资源具有订阅权限的客户端设备。
另一方面,本申请实施例提供了一种计算机设备,所述计算机设备实现为信息上报设备,所述计算机设备包括处理器、存储器和收发器;
存储器中存储有计算机程序,处理器执行所述计算机程序,以使得计算机设备实现上述订阅权限信息处理方法。
再一方面,本申请实施例提供了一种计算机设备,所述计算机设备包括处理器、存储器和收发器,所述存储器存储有计算机程序,所述计算机程序用于被所述处理器执行,以实现上述订阅权限信息处理方法。
又一方面,本申请实施例还提供了一种计算机可读存储介质,所述存储介质中存储有计算机程序,所述计算机程序由处理器加载并执行以实现上述订阅权限信息处理方法。
又一方面,本申请还提供了一种芯片,所述芯片用于在计算机设备中运行,以使得所述计算机设备执行上述订阅权限信息处理方法。
又一方面,本申请提供了一种计算机程序产品,该计算机程序产品包括计算机指令,该计算机指令存储在计算机可读存储介质中。计算机设备的处理器从计算机可读存储介质读取该计算机指令,处理器执行该计算机指令,使得该计算机设备执行上述订阅权限信息处理方法。
又一方面,本申请提供了一种计算机程序,该计算机程序由计算机设备的处理器执行,以实现上述订阅权限信息处理方法。
本申请实施例提供的技术方案可以带来如下有益效果:
当代理设备为客户端设备提供源节点上的目标资源的代理服务时,可以先向该源节点查询具有订阅该源节点上的资源的设备,以便对该客户端设备的代理订阅的请求进行鉴权。在此过程中,源节点可以将具有订阅该目标资源的权限的客户端设备的相关信息提供给代理设备,而对于具有订阅该目标资源之外的其它资源的客户端设备的相关信息,则不需要提供给代理设备,从而提高通过代理设备进行订阅权限查询时的安全性,进而提高了物联网系统的安全性。
附图说明
为了更清楚地说明本申请实施例中的技术方案,下面将对实施例描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本申请的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。
图1是本申请一个实施例提供的物联网的网络架构的示意图;
图2是本申请一个实施例提供的代理订阅发起流程示意图;
图3是本申请一个实施例提供的订阅权限信息处理方法的流程图;
图4是本申请一个实施例提供的订阅权限信息处理方法的流程图;
图5是本申请一个实施例提供的订阅权限信息处理流程的框架图;
图6是本申请一个实施例提供的订阅权限信息处理方法的流程图;
图7是图6所示实施例涉及的订阅权限信息处理的示意图;
图8是本申请一个实施例提供的订阅权限信息处理流程的框架图;
图9是本申请一个实施例提供的订阅权限信息处理方法的流程图;
图10是图6所示实施例涉及的订阅权限信息处理的示意图;
图11是本申请一个实施例提供的订阅权限信息处理装置的框图;
图12是本申请一个实施例提供的订阅权限信息处理装置的框图;
图13是本申请一个实施例提供的计算机设备的结构示意图。
具体实施方式
为使本申请的目的、技术方案和优点更加清楚,下面将结合附图对本申请实施方式作进一步地详细描述。
本申请实施例描述的网络架构以及业务场景是为了更加清楚地说明本申请实施例的技术方案,并不构成对本申请实施例提供的技术方案的限定,本领域普通技术人员可知,随着网络架构的演变和新业务场景的出现,本申请实施例提供的技术方案对于类似的技术问题,同样适用。
请参考图1,其示出了本申请一个实施例提供的物联网的网络架构的示意图。该物联网的网络架构可以包括:源节点110(图1中示出为源节点110a和源节点110b)、客户端设备120(图1中示出为客户端设备120a和客户端设备120b)、代理设备130以及配置设备140;可选的,该网络架构还可以包括云端服务器150;
源节点110可以是在物联网中,用于提供物联网协议对应的服务端功能的设备。
比如,源节点110可以是智能家居设备,例如,智能灯具、智能电视、智能空调、智能冰箱、智能微波炉、智能电饭煲、扫地机器人、智能音箱、智能开关等等。
或者,源节点110可以是工业生产设备,例如,车床、工业机器人、太阳能面板、风力发电机等等。
或者,源节点110可以是商业服务设备,例如,无人售货机等等。
或者,源节点110可以是智能监控设备,例如,监控摄像头、红外传感器、声音传感器、温度传感器等等。
在一种可能的实现方式中,客户端设备120可以是用户侧的终端设备。比如,客户端设备120可以是智能控制器、智能遥控器、智能手机、平板电脑、智能手表、智能电视、网关等等;或者,客户端设备120也可以是个人电脑,比如台式电脑、便携式计算机、个人工作站等等。
或者,客户端设备120也可以是另一个提供物联网协议对应的服务端功能的设备。
在另一种可能的实现方式中,客户端设备120是基于终端设备运行的客户端实体(可以是虚拟实体),例如,客户端设备120可以是运行在终端设备中,用于对物联网设备进行访问、控制、以及管理等操作的应用程序(Application,APP)。
在一种可能的实现方式中,上述代理设备130同时连接源节点110和客户端设备120,并为客户端设备120提供向源节点110代理订阅资源的服务。
配置设备140可以是用户侧的终端设备。比如,配置设备140可以是智能手机、平板电脑、智能手表、智能电视等等。
在另一种可能的实现方式中,配置设备140也可以是基于终端设备运行的客户端实体(可以是虚拟实体),例如,配置设备140可以是运行在智能手机中,用于对源节点110、客户端设备120以及代理设备130进行管理配置的APP。
云端服务器150是部署在网络侧的服务器。比如,云端服务器150可以存储各个源节点110的相关信 息,比如当前资源状态、绑定账号等等;云端服务器150还可以提供对源节点110进行远程访问的服务接口,以便用户对源节点110进行远程管理或控制。
在本申请实施例中,上述源节点110、客户端设备120、代理设备130、配置设备140、云端服务器150可以是满足相同或者不同的物联网协议的电子设备,比如,可以是满足连接标准联盟(Connectivity Standards Alliance,CSA)(或称Zigbee联盟)下的Matter协议(或称通过IP(Internet Protocol,网际互联协议)连接家庭工作组(Connected Home over IP Working Group,CHIP)项目)的电子设备。
以上述源节点110、客户端设备120、代理设备130以及配置设备140等物联网设备是Matter设备为例,Matter设备的数据模型具有如下特点:
1)Matter设备包含一个或者多个端点Endpoint,使用端点号(Endpoint Number,也可以简写为endpoint-no)表示。
比如,一个Matter设备为射灯,该射灯有三个灯泡,则每个灯泡对应一个端点,也就是一个实际的物理设备可以包含多个端点(当然也可以只包含一个端点);再比如,一个Matter设备为插座,该插座有4个插孔,则每个插孔可以对应一个Endpoint。
2)每个Endpoint下对应一个或者多个设备类型(Device Type),使用设备标识(Device ID)表示。
比如,一个Matter设备为空调设备,该空调设备包含恒温器和风扇,其中,上述恒温器和风扇对应在同一个Endpoint下,恒温器对应一个设备类型,风扇对应另一个设备类型,且恒温器和风扇可以通过同一个Endpoint进行控制。
3)每个Endpoint包含多种簇(Cluster),Cluster分为服务端(Server)和客户端(Client)两种,且对应的Cluster ID相同。
4)每个Cluster包含多种属性(Attribute)、事件(Event)、指令(Command),分别使用Attribute ID、Event ID、Command ID表示,Attribute和Event具有相应的数据类型。
上述源节点110、客户端设备120、代理设备130以及配置设备140等物联网设备还可以是Zigbee设备,Zigbee设备的数据模型与Matter设备的数据模型结构类似,区别在于Zigbee设备的数据模型中没有Event。
1)代理订阅
在本申请各个实施例中,物联网中的客户端设备可以通过代理设备向源节点订阅资源;比如,在上述图1所示的网络架构中,客户端设备120b可以通过代理设备130向源节点110b订阅资源。
请参考图2,其示出了本申请一个实施例提供的代理订阅发起流程示意图。如图2所示,客户端设备发起代理订阅的过程如下:
S21,客户端设备(Client)向代理设备(Proxy)发送向源节点发起资源订阅的订阅请求(SubscribeRequest),以请求订阅上述源节点上的C1资源。
其中,C1资源可以是源节点上的任何资源,包括功能资源,例如开关等。
在某些场景中,客户端设备也可以被称为订阅设备,上述源节点也可以称为订阅目标设备或者订阅目标节点等。
S22,代理设备向源节点发送报告数据(ReportData)消息,以通知客户端设备其暂时没有源节点的资源。
在此过程中,代理设备可以检查客户端设备是否有对源节点上C1资源的订阅权限,比如浏览(View)权限。其中,当代理设备在源节点的访问控制列表(Access Control Lists,ACL)簇(cluster)资源上具有代理浏览(ProxyView)的权限时,可以订阅或者读取该ACL Cluster。基于此,代理设备可以获取客户端设备对源节点上的C1资源的订阅权限,进而判定客户端设备是否可以订阅该C1资源。可选的,订阅设备直接订阅上述源节点上的C1资源,或者,通过代理设备代理订阅上述C1资源时,需要具有订阅该源节点上的C1资源的权限(View权限),比如,在源节点的ACL Cluster上需要具有客户端设备对应的访问控制条目(Access Control Entry,ACE)。
其中,客户端设备接收到ReportData消息后,可以向代理设备发送状态响应(StatusResponse),代理设备接收到该状态响应后,向客户端设备发送订阅响应(SubscribeResponse)。
S23,代理设备发起对源节点上C1资源的订阅。
在此过程中,代理设备可以向源节点发送订阅请求,以请求订阅上述源节点上的C1资源。源节点向代理设备发送ReportData消息,其中包含C1资源的订阅数据,比如C1资源的状态等。
可选的,代理设备接收到源节点发送的ReportData消息后,向源节点发送StatusResponse消息,源节点接收到该StatusResponse消息后,向代理设备发送SubscribeResponse消息。
S24,代理设备向源节点订阅成功后,处理客户端设备的订阅流程。
在此过程中,代理设备可以向客户端设备发送ReportData消息,其中包含订阅的C1资源的订阅数据; 客户端设备接收到该ReportData消息后,可以向代理设备发送StatusResponse消息。
2)访问控制列表簇ACL Cluster
ACL Cluster部署在每一个节点Node(对应上述Source设备)上,且对应有一个实例。当该Node收到一个订阅请求时,会首先在ACL中检查请求方是否具有订阅权限。
ACL Cluster中属性Attributes可以如下述表1所示。
表1
Figure PCTCN2021139321-appb-000001
其中,上述表1中的ACL中的访问控制表项条目AccessControlEntryStruct的定义可以如下述表2所示。
表2
ID Name Type Access Conformance
0 FabricIndex   RW M
1 Privilege AccessControlEntryPrivilegeEnum RWS M
2 AuthMode AccessControlEntryAuthmodeEnum RWS M
3 Subjects List[SubjectID] RWS M
4 Targets List[TargetStruct] RWS M
上述表2中的访问控制表项权限列举AccessControlEntryPrivilegeEnum的定义可以如下:
查看权限View:读取和订阅(除ACL Cluster);
代理浏览权限Proxy view:读取和订阅(含ACLCluster);
操作权限Operate:View+执行设备的主要功能(除ACL Cluster);
管理权限Manage:Operate+修改配置数据(除ACL Cluster);
管理权限Administer:Manage+订阅和修改ACL Cluster。
表2中的访问控制表项认证模式列举AccessControlEntryAuthmodeEnum的定义可以如表3所示:
表3
Value Name Description
1 PASE 密码验证会话,Passcode Authenticated Session
2 CASE 证书认证会话,Certificate Authenticated Session
3 GROUP 组认证会话,Group Authenticated Session
例如,Access Control Cluster的代码可以如下:
Figure PCTCN2021139321-appb-000002
Figure PCTCN2021139321-appb-000003
代理设备为客户端设备代理订阅源节点上的目标资源之前,可以先向源节点查询该客户端设备是否具有订阅该源节点上的目标资源的权限,在一种可能的方案中,代理设备可以向源节点订阅上述ACL簇,然后在ACL簇中查询该客户端设备是否具有订阅权限,然而,在此过程中,代理设备可以获取到源节点上所有的ACE记录,导致了代理设备的权限扩大,影响通过代理设备进行订阅权限查询时的安全性。
对于上述方案,本申请后续实施例提供了一种订阅权限信息处理的方案,使得源节点在代理设备查询客户端设备是否具有对目标资源的订阅权限时,可以向代理设备提供具有目标资源的订阅权限的客户端设备的信息,而不需要提供全部的ACE记录,也就是说,对于具有订阅源节点上除了目标资源之外的其它资源,源节点无需将具有这些其它资源的订阅权限的客户端设备的信息提供给代理设备,从而提高物联网系统的安全性。
请参考图3,其示出了本申请一个实施例提供的订阅权限信息处理方法的流程图,该方法可以由源节点执行,比如,该源节点可以是图1所示的网络架构中的源节点110;该方法可以包括如下几个步骤:
步骤301,向代理设备发送订阅权限信息,订阅权限信息用于指示对源节点中的目标资源具有订阅权限的客户端设备。
在一种可能的实现方式中,在接收到代理设备发送的权限查询请求时,向代理设备发送订阅权限信息;
其中,权限查询请求可以用于请求单次获取,或者订阅对源节点中的目标资源具有订阅权限的客户端设备。
在一种可能的实现方式中,订阅权限信息中包含具有目标资源的订阅权限的客户端设备的标识信息。
其中,上述客户端设备的标识信息,可以是客户端设备对应的节点(Node)标识(Identity,ID)。
在一种可能的实现方式中,订阅权限信息中还包含以下两种信息中的至少一种:目标资源的资源标识信息,或者,源节点的安全域(Fabric)的索引信息。
其中,目标资源可以是单个资源,也可以是多个资源。目标资源的标识信息,可以是目标资源对应的簇(Cluster)的标识信息。
其中,上述目标资源属于源节点中的指定类型资源,比如,对于代理设备来说非敏感的资源。
在一种可能的实现方式中,上述指定类型资源可以包括与源节点的设备功能对应的应用簇。
可选的,上述应用簇(App cluster)是指源节点本身的功能性cluster,不包含配置、设备管理相关的资源。
综上所述,本申请实施例所示的方案,当代理设备为客户端设备提供源节点上的目标资源的代理服务时,可以先向该源节点查询具有订阅该源节点上的资源的设备,以便对该客户端设备的代理订阅的请求进行鉴权。在此过程中,源节点可以将具有订阅该目标资源的权限的客户端设备的相关信息提供给代理设备,而对于具有订阅该目标资源之外的其它资源的客户端设备的相关信息,则不需要提供给代理设备,从而提高通过代理设备进行订阅权限查询时的安全性,进而提高了物联网系统的安全性。
请参考图4,其示出了本申请一个实施例提供的订阅权限信息处理方法的流程图,该方法可以由代理设备执行,比如,该代理设备可以是图1所示的网络架构中的代理设备130;该方法可以包括如下步骤:
步骤401,接收源节点发送的订阅权限信息,订阅权限信息用于指示对源节点中的目标资源具有订阅权限的客户端设备。
在一种可能的实现方式中,接收源节点发送的订阅权限信息之前,还包括:
向源节点发送权限查询请求;
在一种可能的实现方式中,订阅权限信息中可以包含具有目标资源的订阅权限的客户端设备的标识信息。
在一种可能的实现方式中,订阅权限信息中还包含以下两种信息中的至少一种:目标资源的资源标识信息,或者,源节点安全域的索引信息。
在一种可能的实现方式中,目标资源属于源节点中的指定类型资源。
综上所述,本申请实施例所示的方案,当代理设备为客户端设备提供源节点上的目标资源的代理服务时,可以先向该源节点查询具有订阅该源节点上的资源的设备,以便对该客户端设备的代理订阅的请求进行鉴权。在此过程中,源节点可以将具有订阅该目标资源的权限的客户端设备的相关信息提供给代理设备,而对于具有订阅该目标资源之外的其它资源的客户端设备的相关信息,则不需要提供给代理设备,从而提高通过代理设备进行订阅权限查询时的安全性,进而提高了物联网系统的安全性。
基于本申请上述图3和图4所示的内容,在一种示例性的方案中,源节点中可以在ACL簇之外,对应各个指定类型资源预先设置订阅权限信息,该订阅权限信息用于指示具有对应的资源的订阅权限的客户端设备,后续代理设备在发起代理订阅时,源节点可以将代理设备要代理订阅的目标资源对应的订阅权限信息发送给代理设备。
请参考图5,其示出了本申请一个实施例提供的订阅权限信息处理流程的框架图。在一种可能的应用场景中,如图5所示,源节点51中除了设置有ACL簇之外,还设置有一至多个订阅权限信息,可选的,不同的订阅权限信息可以对应不同的资源或者资源组合。
如图5所示,当客户端设备A向代理设备52发起代理订阅的请求,以请求代理设备52为其代理订阅资源2时,代理设备52可以向源节点51查询客户端设备A的订阅权限并对客户端设备A进行鉴权,该过程可以如下:
S1,代理设备52向源节点51发起权限查询请求,以请求查询订阅权限信息。
其中,该订阅权限信息中至少包含对资源2具有订阅权限的各个客户端设备的标识信息。
S2,源节点51将订阅权限信息发送给代理设备52。
S3,代理设备52查询对资源2具有订阅权限的各个客户端设备中是否包含客户端设备A,若是,则鉴权通过,否则鉴权不通过。
在上述图5所示的方案中,订阅权限信息可以是源节点中,在ACL簇之外新增的簇,且该新增的簇可以进行更新。比如,该新增的簇(即上述订阅权限信息)可以为ProxiedClientMgmt cluster(客户端订阅管理簇)。
请参考图6,其示出了本申请一个实施例提供的订阅权限信息处理方法的流程图,该方法可以由代理设备、配置设备和源节点交互执行,比如,该代理设备、配置设备和源节点分别可以是图1所示的网络架构中的代理设备130、配置设备140以及源节点110;该方法可以包括如下几个步骤:
步骤601,当源节点的ACL簇中,具有对指定类型资源的订阅权限的客户端设备的标识信息发生变更时,对应源节点的ACL簇的变更情况,对客户端订阅管理簇进行更新。
在本申请实施例中,源节点中具有客户端订阅管理簇。
其中,上述目标资源属于指定类型资源。
在本申请实施例中,ACL簇用于规定其他设备对本设备中的资源内容的访问权限。ACL簇中包含一个或多个项目(Item),每个项目即可以称为一个ACE,一个ACE中的内容可以指示某个节点对某个资源具有访问权限。
比如,ACE中可以包含节点标识(Node ID)与资源/簇的标识之间的绑定关系;比如,一个ACE中包含当前设备中的一个资源的标识,以及对该资源具有访问权限的其它设备的Node ID。
其中,客户端订阅管理簇中包含具有目标资源的订阅权限的客户端设备的标识。
在本申请实施例中,可以在Source Node上增加一个ProxiedClientMgmt Cluster,该Cluster存储具有订阅或者读取Source Node上目标资源的Client列表。ProxiedClientMgmt的定义可以如下表4所示。
表4
ID Name Type Description
0 fabricIndex    
1 target List[ClusterID] 一系列Cluster标识
2 proxiedClientList List[NodeID] 一系列Node的标识
表4中的相关信息的含义可以如下:
fabricIndex:fabric索引;
target:设置client可订阅的Cluster的Cluster ID;
proxiedClientList:可订阅或者读取target内容的client的client ID的列表。
该ProxiedClientMgmt Cluster设定时,需要对应的Client的权限已经在该Source Node上的ACL Cluster中被设定,也就是具有对应的ACE。如果一个Client需要订阅该Source Node,且需要通过Proxy,则需要注册到该表中。以上说明和限制在Proxy所在fabric内有效。
可选的,对于不同的目标资源,源节点中可以对应设置不同的ProxiedClientMgmt cluster。
或者,对于不同的资源组,源节点中可以对应设置不同的ProxiedClientMgmt cluster。
在本申请实施例中,ACL簇中可以包含目标资源与客户端设备的标识(比如Node ID)之间的绑定关系,该绑定关系表示该Node ID对应的客户端设备具有对目标资源的订阅权限。其中,当源节点中的ACL簇中的绑定关系发生了更新(比如有绑定关系新增或者删除)时,表示可能有某些客户端设备对某些资源 的订阅权限被新增或者移除,此时,源节点可以基于ACL簇中的绑定关系的更新情况,对客户端订阅管理簇进行相应的更新。
在一种可能的实现方式中,上述当所述源节点的ACL簇中,具有对指定类型资源的订阅权限的客户端设备的标识信息发生变更时,对应所述源节点的ACL簇的变更情况,对所述客户端订阅管理簇进行更新的步骤,包括:
当源节点的ACL簇中,具有对第一资源的订阅权限的客户端设备的标识信息发生变更时,对应源节点中的ACL簇的变更情况,对客户端订阅管理簇中,与第一资源相对应的客户端订阅管理条目进行更新;其中,第一资源属于指定类型资源。
在本申请实施例中,配置设备在对源节点中的ACL簇中包含的目标资源与客户端设备的标识之间的绑定关系进行更新时,可以向源节点发送ACL簇更新指令,源节点接收到该ACL簇更新指令后,按照配置设备的配置,对ACL簇中包含的目标资源与客户端设备的标识之间的绑定关系进行更新;在一个示例性的方案中,源节点此时可以根据ACL簇中的绑定关系的更新情况,直接对客户端订阅管理簇进行相应的更新,也就是说,配置设备在对ACL进行配置之外,不需要再对上述客户端订阅管理簇进行专门的配置。
在一种可能的实现方式中,源节点接收配置设备发送的更新指令,更新指令用于指示对客户端订阅管理簇进行更新;对客户端订阅管理簇进行更新。
在本申请实施例中,配置设备在对源节点中的ACL簇中包含的目标资源与客户端设备的标识之间的绑定关系进行更新时,可以向源节点发送ACL簇更新指令,源节点接收到该ACL簇更新指令后,按照配置设备的配置,对ACL簇中包含的目标资源与客户端设备的标识之间的绑定关系进行更新;此外,配置设备还可以向源节点发送客户端管理簇更新指令,源节点接收到该客户端管理簇更新指令后,对上述客户端订阅管理簇进行更新。也就是说,配置设备可以在对ACL簇进行配置之外,再对上述客户端订阅管理簇进行专门的配置。
在一种可能的实现方式中,当源节点的ACL簇中,具有对第一资源的订阅权限的客户端设备的标识信息发生变更时,对应源节点中的ACL簇的变更情况,对客户端订阅管理簇中,与第一资源相对应的客户端订阅管理条目进行更新,包括:
当源节点的ACL簇中,具有对第一资源的订阅权限的第一客户端的标识信息被移除时,从与第一资源相对应的客户端订阅管理条目中删除第一客户端设备的标识信息。
在一种可能的实现方式中,当源节点的ACL簇中,具有对第一资源的订阅权限的客户端设备的标识信息发生变更时,对应源节点中的ACL簇的变更情况,对客户端订阅管理簇中,与第一资源相对应的客户端订阅管理条目进行更新,包括:
当源节点的ACL簇中,增加了具有对第一资源的订阅权限的第二客户端的标识信息时,在与第一资源相对应的客户端订阅管理条目中增加第二客户端设备的标识信息。
步骤602,代理设备向源节点发送权限查询请求;相应的,源节点接收该权限查询请求。
其中,上述权限查询请求可以是对客户端订阅管理簇的订阅请求,或者,是单次获取客户端订阅管理簇的请求。
在一种可能的实现方式中,该权限查询请求中可以包含目标资源的资源标识信息。比如,权限查询请求中可以包含目标资源对应的簇的标识信息(比如簇的名称)。
也就是说,上述权限查询请求可以是对客户端订阅管理簇中,与目标资源对应的客户端订阅管理项目的订阅请求;或者,上述权限查询请求可以是单次获取客户端订阅管理簇中,与目标资源对应的客户端订阅管理项目的请求。
步骤603,源节点向代理设备发送客户端订阅管理簇;相应的,代理设备接收源节点发送的客户端订阅管理簇。
其中,上述客户端订阅管理簇包含订阅权限信息。
在一种可能的实现方式中,上述向代理设备发送客户端订阅管理簇的步骤,包括:当代理设备具有对源节点的代理浏览权限时,向代理设备发送客户端订阅管理簇。
在本申请实施例中,上述代理浏览权限包括对源节点中除了ACL簇之外的其它资源的浏览权限;也就是说,上述代理浏览权限包括:读取和订阅源节点中的客户端订阅管理簇的权限,以及,读取和订阅源节点中除了ACL簇和客户端订阅管理簇之外的其它簇的权限。
也就是说,具有源节点的代理浏览权限的代理设备,可以读取和订阅源节点中除ACL簇之外的其它簇/资源(包括可以读取和订阅上述ProxiedClientMgmt cluster)。需要说明的是,在这种情况下,浏览权限包括:读取和订阅源节点中,除了ACL簇和客户端订阅管理簇之外的其它簇/资源的权限。此时,物联网系统中的权限设置可以如下述表5所示。
表5
权限名称 定义
View 读取和订阅(除ACL Cluster和ProxiedClientMgmt Cluster)
Proxyview 读取和订阅(除ACL Cluster)
Operate View+执行设备的主要功能(除ACL Cluster)
Manage Operate+修改配置数据(除ACL Cluster)
Administer Manage+订阅和修改ACL Cluster
在另一种可能的实现方式中,上述向代理设备发送客户端订阅管理簇的步骤,包括:当代理设备具有对源节点的浏览权限时,向代理设备发送客户端订阅管理簇。
在本申请实施例中,代理设备对源节点的权限也可以被设置为浏览权限,此时,该浏览权限包括对源节点中除了ACL簇之外的其它资源的浏览权限。也就是说,上述浏览权限包括:读取和订阅源节点中,除了ACL簇之外的其它簇(包括上述客户端订阅管理簇)的权限。需要说明的是,在这种情况下,可以不设置代理浏览权限。此时,物联网系统中的权限设置可以如下述表6所示。
表6
权限名称 定义
View 读取和订阅(除ACL Cluster)
Operate View+执行设备的主要功能(除ACL Cluster)
Manage Operate+修改配置数据(除ACL Cluster)
Administer Manage+订阅和修改ACL Cluster
在一种可能的实现方式中,在接收到第六客户端设备发送的资源订阅请求,且订阅权限信息指示第六客户端设备对源节点中的目标资源具有订阅权限时,建立第六客户端设备对目标资源进行订阅的订阅关系。
在一个示例性的方案中,代理设备接收到第六客户端设备发送的资源订阅请求(即请求代理订阅上述目标资源),且获取到上述客户端订阅管理簇之后,代理设备可以检查上述客户端订阅管理簇中是否包含该第六客户端设备的标识(Node ID),若是,且源节点、代理设备以及第六客户端设备属于同一个Fabric(由上述客户端订阅管理簇中的FabricIndex指示),则代理设备可以为第六客户端设备代理订阅上述目标资源,并建立第六客户端设备对目标资源进行订阅的订阅关系。
其中,上述步骤601可以在步骤603之前执行,也可以在步骤603之后执行。
步骤604,在代理设备成功订阅客户端订阅管理簇的情况下,源节点向代理设备发送第一更新通知,相应的,代理设备接收该第一更新通知。
其中,第一更新通知用于指示客户端订阅管理簇的更新情况。
在本申请实施例的一个示例性的方案中,配置设备在源节点的ACL簇中新增或者删除了某个客户端设备对目标资源的订阅权限后,如果代理设备已经从源节点获取过该客户端订阅管理簇(包含目标资源对应的ProxiedClientMgmt Cluster),则源节点可以向源节点发送客户端订阅管理簇更新通知。
在一种可能的实现方式中,上述第一更新通知中可以包含新的ProxiedClientMgmt Cluster,或者,上述第一更新通知中也可以包含新增或者删除的客户端设备的标识信息。
在一种可能的实现方式中,源节点向代理设备发送第一更新通知,包括:
当客户端订阅管理簇中删除了至少一个客户端设备的标识信息时,向代理设备发送第一更新通知。
步骤605,当第一更新通知指示从客户端订阅管理簇中删除第三客户端设备的标识信息时,移除与第三客户端设备对应的订阅关系。
请参考图7,其示出了本申请实施例涉及的一种订阅权限信息处理的示意图。如图7所示,该过程可以包括以下步骤:
S71,APP在SourceNode上设定Client访问其上targetCluster目标资源的权限;如果为Client分配的权限包含view权限,则需要处理ProxiedClientMgmt cluster。如前所述,设定的权限如果为View、ProxyView、operate、manage、administer权限,都是代表client可以具有订阅或者读取权限。另外targetCluster可以是App cluster。App cluster指设备本身功能性cluster,不包含配置、设备管理相关的资源。在S71步骤可能涉及两种处理ProxiedClientMgmt Cluster的方法:
1)当ACL cluster被设定之后,Source Node自动根据ACL的设定结果来更新该Cluster。如果ACL中增加了一个Client对目标资源的可读取或者订阅权限,则自动在ProxiedClientMgmt Cluter中增加一个对该Client与目标资源的绑定关系。如果取消了一个Client对目标资源的读取或者订阅权限,则相应的自动在ProxiedClientMgmt cluster中删除对应的Client与目标资源的绑定关系。
2)当ACL Cluster被设定之后,需要继续设定ProxiedClientMgmt Cluster。如果ACL中增加了一个Client对目标资源的可读取或者订阅权限,则APP继续在ProxiedClientMgmt Cluter中增加一个对该Client与目标资源的绑定关系。如果不设定对应的绑定关系,则Proxy无法感知到client的权限,无法完成client对目标资源订阅的代理。相应的,如果取消了一个Client对目标资源的读取或者订阅权限,则APP相应的在ProxiedClientMgmt cluster中删除对应的Client与目标资源的绑定关系。
S72,Client通过Proxy发现机制来发现Proxys,并选择其中一个作为其代理Proxy。
其中,所谓代理Proxy指Client可以通过向Proxy发送订阅消息,从而订阅到Source Node上的目标资源。
S73,Client向Proxy发送订阅Source Node上目标资源的请求。
S74,如果Proxy在此之前没有订阅过Source Node上的目标资源,则需要Proxy去订阅Source Node上的目标资源。在此基础上,如果Proxy没有订阅过ProxiedClientMgmt Cluster,则需要订阅该Cluster。成功订阅之后,Proxy可以获取到ProxiedClientMgmt Cluster的内容。
S75,Proxy根据获取的ProxiedClientMgmt Cluster的内容,进而也可以判定上述Client是否有订阅Source Node上的目标资源的权限,即Target是否包含目标资源;Subjects是否包含Client的NodeID;是否是同一个Fabric,如果上述条件都满足,则表示Client具有该权限,Proxy可以允许Client对该目标资源进行订阅。
S76,如果在Source Node上的ACL Cluster中,上述Client被取消了上述订阅权限:针对S71步骤两种可能的方案,这里也有两个可能的处理方式:
1)当ACL中上述权限被APP取消,Source Node自动更新ProxiedClientMgmt Cluster的内容,将Client的Node ID从对应的记录(target包含目标资源的记录)删除,删除了记录即表示Client没有权限访问Source Node的目标资源。
2)当ACL中上述权限被APP取消之后,APP继续修改ProxiedClientMgmt Cluster的内容,将Client的Node ID从对应的记录(target包含目标资源的记录)删除。
S77,无论上述那种方式,Source Node都可以向订阅了ProxiedClientMgmt Cluster的Proxy发送内容变更的消息。因此,Proxy可以得知最新的可访问Source Node的目标资源的client列表。
S78,通过步骤S77得到最新的client列表和当前维护的订阅关系,Proxy可以确认哪个(或哪些)Client被取消了订阅目标资源的权限,从而需要Proxy发起结束订阅关系的步骤。取消订阅关系有很多方式,其中之一是在事件最大时间间隔内不发送通知消息。
可选的,在S77中,Source Node也可以直接给Proxy发送一个取消订阅权限的Client的列表,则proxy也可以直接根据该列表的内容取消Client对该目标资源的订阅关系。
可选的,本步骤Proxy需要处理的是直接订阅到Proxy的client的订阅关系,如果一个Client通过订阅其他的proxy,从而间接订阅到本Proxy和SourceNode,则可以不做处理。
在本申请实施例中,上述步骤以代理设备单次获取/订阅整个客户端订阅管理簇为例进行说明,在另一种可能的实现方式中,代理设备也可以单次获取/订阅客户端订阅管理簇中与目标资源相对应的信息。比如,可以单独从客户端订阅管理簇中单次获取/订阅对目标资源具有订阅权限的客户端设备的标识信息(即单独订阅或者获取上述订阅权限信息)。
其中,上述单独从客户端订阅管理簇中单次获取/订阅对目标资源具有订阅权限的客户端设备的标识信息时,代理设备可以通过物联网协议通用的指令,从客户端订阅管理簇中单次获取/订阅上述订阅权限信息。
在另一种可能的实现方式中,上述单独从客户端订阅管理簇中单次获取/订阅对目标资源具有订阅权限的客户端设备的标识信息时,代理设备也可以通过客户端订阅管理簇提供的专用指令集,从客户端订阅管理簇中单次获取/订阅上述订阅权限信息。
在一种可能的实现方式中,客户端订阅管理簇中还包含第一指令集;
第一指令集用于根据客户端订阅管理簇,向代理设备提供对目标资源具有订阅权限的客户端设备的标识信息。
在本申请实施例中,上述第一指令集定义了代理设备与源节点之间,订阅/单次查询上述订阅权限信息所使用的指令。
在一种可能的实现方式中,第一指令集包括以下指令中的至少一种:
客户端信息获取请求;客户端信息获取请求用于单次请求订阅权限信息;
客户端信息获取响应;客户端信息获取响应用于携带订阅权限信息;
客户端信息订阅请求;客户端信息订阅请求用于订阅上述订阅权限信息;
客户端信息订阅响应;客户端信息订阅响应用于指示是否订阅成功;
客户端信息报告;客户端信息报告用于携带对订阅权限信息,或者,携带第一变更信息;第一变更信 息用于指示订阅权限信息的变更情况。
在本申请实施例中,在同一个ProxiedClientMgmt cluster中,既可以包含上述表4所示的ProxiedClientMgmt,也可以提供获取ProxiedClientMgmt中的信息时使用的指令(Command)。该方案涉及的簇的定义可以如下述表7所示。
表7
Figure PCTCN2021139321-appb-000004
在一种可能的实现方式中,源节点向代理设备发送订阅权限信息,包括:在接收到代理设备发送的客户端信息获取请求时,向代理设备发送客户端信息获取响应。
其中,上述客户端信息获取请求中可以携带目标资源的标识信息,比如目标资源的资源ID/簇ID。
相应的,代理设备在接收源节点发送的订阅权限信息之前,还向源节点发送客户端信息获取请求;客户端信息获取请求用于单次请求订阅权限信息;代理设备接收源节点发送的订阅权限信息的步骤,包括:接收源节点发送的客户端信息获取响应;客户端信息获取响应中包含权限订阅信息;权限订阅信息由源节点根据源节点中的客户端订阅管理簇生成。
在一种可能的实现方式中,源节点向代理设备发送订阅权限信息,包括:在接收到代理设备发送的客户端信息订阅请求,且确定代理设备成功时,向代理设备发送客户端信息订阅响应;向代理设备发送携带订阅权限信息的客户端信息报告。
其中,上述客户端信息订阅请求中可以携带目标资源的标识信息。
相应的,代理设备在接收源节点发送的订阅权限信息之前,还向源节点发送客户端信息订阅请求;客户端信息订阅请求用于订阅上述订阅权限信息;接收源节点发送的客户端信息订阅响应,客户端信息订阅响应用于指示是否订阅成功;代理设备接收源节点发送的订阅权限信息的步骤,包括:
在客户端信息订阅响应指示订阅成功的情况下,接收源节点发送的,包含权限订阅信息的客户端信息报告;权限订阅信息由源节点根据源节点中的客户端订阅管理簇生成。
在一种可能的实现方式中,在代理设备成功订阅上述订阅权限信息的情况下,当客户端订阅管理簇中与目标资源相对应的客户端订阅管理条目发生变更时,源节点可以向代理设备发送第二更新通知,第二更新通知用于指示与目标资源相对应的客户端订阅管理条目的变更情况。
相应的,在代理设备成功订阅上述订阅权限信息的情况下,代理设备可以接收源节点发送的第二更新通知;第二更新通知是源节点在客户端订阅管理簇中与目标资源相对应的客户端订阅管理条目发生变更时发送的,第二更新通知用于指示与目标资源相对应的客户端订阅管理条目的变更情况。
在一种可能的实现方式中,第二更新通知为包含上述第一变更信息的客户端信息报告。
在一种可能的实现方式中,当第二更新通知指示从客户端订阅管理簇中删除第四客户端设备的标识信息时,代理设备可以移除与第四客户端设备对应的订阅关系。
综上所述,本申请实施例所示的方案,当代理设备为客户端设备提供源节点上的目标资源的代理服务时,可以先向该源节点查询具有订阅该源节点上的资源的设备,以便对该客户端设备的代理订阅的请求进 行鉴权。在此过程中,源节点可以将具有订阅该目标资源的权限的客户端设备的相关信息提供给代理设备,而对于具有订阅该目标资源之外的其它资源的客户端设备的相关信息,则不需要提供给代理设备,从而提高通过代理设备进行订阅权限查询时的安全性,进而提高了物联网系统的安全性。
基于本申请上述图3和图4所示的内容,在一种示例性的方案中,上述订阅权限信息也可以是由源节点根据ACL簇自动生成的信息,源节点可以将生成的订阅权限信息发送给代理设备。
请参考图8,其示出了本申请一个实施例提供的订阅权限信息处理流程的框架图。在一种可能的应用场景中,如图8所示,源节点81中设置有ACL簇,ACL簇中包含各种资源对应的ACE;例如,在图5中,ACE 81a对应资源1,ACE 81b对应资源2,ACE 81c对应资源3。
如图8所示,当客户端设备A向代理设备82发起代理订阅的请求,以请求代理设备82为其代理订阅资源2时,代理设备82可以向源节点81查询该客户端设备A的订阅权限并对客户端设备A进行鉴权,该过程可以如下:
S1,代理设备82向源节点81发起权限查询请求,以请求查询资源2对应的订阅权限信息。
S2,源节点81查询ACL簇,生成资源2对应的订阅权限信息,并发送给代理设备52。
S3,代理设备82查询资源2对应的订阅权限信息所指示的各个客户端设备中是否包含客户端设备A,若是,则鉴权通过,否则鉴权不通过。
在上述图8所示的方案中,源节点中可以设置一个ACL订阅簇(observeACL cluster),该Cluster提供了获取和订阅具有订阅目标资源权限的client List的方法。Proxy通过该方法可以获取具有订阅目标资源权限的Client List。由此Proxy不用直接去访问ACL资源。SourceNode收到Proxy的observeACL cluster的命令,可以根据ACL的内容来生成应答。
请参考图9,其示出了本申请一个实施例提供的订阅权限信息处理方法的流程图,该方法可以由代理设备、配置设备和源节点交互执行,比如,该代理设备、配置设备和源节点分别可以是图1所示的网络架构中的代理设备130、配置设备140以及源节点110;该方法可以包括如下几个步骤:
步骤901,代理设备向源节点发送权限查询请求;相应的,源节点接收该权限查询请求。
其中,该权限查询请求用于单次获取或者订阅对源节点中的目标资源具有订阅权限的客户端设备的标识信息。
在一种可能的实现方式中,该权限查询请求中可以包含目标资源的资源标识信息。比如,权限查询请求中可以包含目标资源对应的簇的标识信息(比如簇的名称)。
步骤902,源节点根据源节点中的ACL簇生成订阅权限信息。
在本申请实施例中,源节点中包含订阅访问控制列表ACL簇(observeACL cluster);该订阅ACL簇用于指示对代理设备发送的权限查询请求的处理方式。
比如,该ACL订阅簇可以包含第二指令集,该第二指令集用于根据ACL簇,向代理设备提供对目标资源具有订阅权限的客户端设备的标识信息。
在一个示例性的方案中,在接收到代理设备发送的权限查询请求时,源节点根据源节点的ACL簇生成订阅权限信息。例如,源节点可以从本地的ACL簇中查询与目标资源对应的ACE;其中,与目标资源对应的ACE中包含目标资源与客户端设备的标识之间的绑定关系;然后,源节点根据查询结果生成订阅权限信息。
可选的,第二指令集包括以下指令中的至少一种:
访问控制条目ACE获取请求(GetProxiedClientACEReq);ACE获取请求用于单次请求订阅权限信息;
ACE获取响应(GetProxiedClientACERsp);ACE获取响应用于携带根据ACL簇生成的订阅权限信息;
ACE订阅请求(SubscribeProxiedACEReq);ACE订阅请求用于订阅上述订阅权限信息;
ACE订阅响应(SubscribeProxiedACERsp);ACE订阅响应用于指示是否订阅成功;
ACE报告(ReportProxiedACE);ACE报告用于携带根据ACL簇生成的订阅权限信息,或者,携带第二变更信息,第二变更信息用于指示订阅权限信息的变更情况。
可选的,源节点可以根据目标资源的资源标识,查询ACL簇中与目标资源相对应的ACE,并基于与目标资源相对应的ACE,生成上述订阅权限信息。
比如,源节点查询到与目标资源相对应的ACE之后,根据查询到的ACE中的客户端设备的标识(比如Node ID)生成上述订阅权限信息。例如,将查询到的ACE中的客户端设备的标识提取出来,与目标资源的标识,以及源节点的安全域的标识组成,生成上述订阅权限信息。
在另一种示例性的方案中,源节点也可以将查询到的ACE直接作为上述订阅权限信息,或者,将查询到的ACE添加至上述订阅权限信息。
步骤903,源节点向代理设备发送订阅权限信息;相应的,代理设备接收源节点发送的订阅权限信息。
在一种可能的实现方式中,源节点根据源节点的ACL簇生成订阅权限信息的步骤可以包括:在接收到代理设备发送的ACE获取请求时,根据源节点的ACL簇生成订阅权限信息;此时,源节点向代理设备发送订阅权限信息时,可以向代理设备发送ACE获取响应。
相应的,代理设备在接收源节点发送的订阅权限信息之前,还可以向源节点发送ACE获取请求;ACE获取请求用于单次请求订阅权限信息;代理设备接收源节点发送的订阅权限信息的步骤可以包括:接收源节点发送的ACE获取响应;ACE获取响应中包含权限订阅信息。
在一种可能的实现方式中,源节点在根据源节点的ACL簇生成订阅权限信息时,可以在接收到代理设备发送的ACE订阅请求,且确定代理设备订阅成功时,根据源节点的ACL簇生成订阅权限信息;此时,在向代理设备发送订阅权限信息时,源节点可以向代理设备发送携带订阅权限信息的ACE报告。
相应的,代理设备在接收源节点发送的订阅权限信息之前,还可以向源节点发送ACE订阅请求;ACE订阅请求用于订阅上述订阅权限信息;接收源节点发送的ACE订阅响应,ACE订阅响应用于指示是否订阅成功;代理设备在接收源节点发送的订阅权限信息时,可以在ACE订阅响应指示订阅成功的情况下,接收源节点发送的,包含权限订阅信息的ACE报告;权限订阅信息由源节点根据源节点中的ACL簇生成。
在一种可能的实现方式中,向代理设备发送订阅权限信息,包括:
当代理设备的设备类型是代理类型时,源节点向代理设备发送订阅权限信息。
比如,若代理设备的设备类型是代理类型,且代理设备具有执行源节点的功能的权限,则向代理设备发送订阅权限信息。
其中,上述SubscribeProxiedACEReq用于向源节点请求订阅具有对目标资源的订阅权限的客户端设备的信息(具体可以是ReportProxiedACE),后续ACL簇发生更新时,源节点进一步可以通过ReportProxiedACE将ACL簇的更新情况通知给代理设备。上述ReportProxiedACE中可以包含对源节点中的目标资源具有订阅权限的客户端设备的Node ID。
上述GetProxiedClientACEReq用于向源节点请求获取(比如单次获取)具有对目标资源的订阅权限的客户端设备的信息,而GetProxiedClientACERsp用于对GetProxiedClientACEReq进行响应,其中携带对目标资源具有订阅权限的客户端设备的设备标识信息。
在一种可能的实现方式中,在接收到第六客户端设备发送的资源订阅请求,且订阅权限信息指示第六客户端设备具有源节点中的目标资源的订阅权限时,建立第六客户端设备对目标资源进行订阅的订阅关系。
步骤904,在代理设备成功订阅上述订阅权限信息的情况下,当源节点的ACL簇中,具有对目标资源的订阅权限的客户端设备的标识信息发生变更时,向代理设备发送第三更新通知,相应的,代理设备接收该第三更新通知。
其中,该第三更新通知用于指示具有对源节点中的资源的订阅权限的客户端设备的标识信息的变更情况。
在一种可能的实现方式中,上述第三更新通知为包含第二变更信息的ACE报告。
其中,该ACL簇更新通知用于指示ACL簇中的绑定关系的更新情况。
在一种可能的实现方式中,当源节点中的ACL簇中包含的目标资源与客户端设备的标识之间的绑定关系被更新时,向代理设备发送ACL簇更新通知,包括:
当源节点中的ACL簇中包含的目标资源与客户端设备的标识之间的绑定关系被更新,且绑定关系的更新情况包括删除目标资源与第三客户端设备的标识之间的绑定关系时,向代理设备发送ACL簇更新通知。
在一种可能的实现方式中,当源节点中的ACL簇中包含的目标资源与客户端设备的标识之间的绑定关系被更新时,向代理设备发送ACL簇更新通知,包括:
当源节点中的ACL簇中包含的目标资源与客户端设备的标识之间的绑定关系被更新时,向代理设备发送报告代理的ACE信息。
也就是说,在本申请实施例中,当源节点中的ACL簇中包含的目标资源与客户端设备的标识之间的绑定关系被更新时,源节点可以直接通过报告代理的ACE信息,将上述更新情况通知给代理设备。
在一种可能的实现方式中,接收源节点发送的ACL簇更新通知,包括:
接收资源绑定设备在目标资源与客户端设备的标识之间的绑定关系被更新发送的报告代理的ACE信息。
步骤905,当第三更新通知指示从客户端订阅管理簇中删除第五客户端设备的标识信息时,代理设备移除与第五客户端设备对应的订阅关系。
在本申请实施例中,observeACL cluster中规定可以“那些Node,使用何种方式,可以访问那些资源”; 由此Source Node可以从ACL记录中的信息得知应答observeACL方法的信息。其中,observeACL cluster的定义可以如下述表8所示。
表8
Figure PCTCN2021139321-appb-000005
如图8所示,在一个示例性的方案中,GetProxiedClientACERsp或者ReportProxiedACE中可以包含一个列表,该列表中每个列表项可以包含源节点的fabricindex,某个目标资源的sourceID,以及具有对该目标资源的订阅权限的客户端设备的NodeID。
例如,代理设备通过单次获取的方式查询订阅权限信息时,代理设备向源节点发送GetProxiedClientACEReq,以查询目标资源对应的Node ID,相应的,源节点向代理设备返回GetProxiedClientACERsp。
再例如,代理设备通过订阅的方式查询订阅权限信息时,代理设备向源节点发送SubscribeProxiedACEReq,以订阅目标资源对应的Node ID,源节点向代理设备返回SubscribeProxiedACERsp,以通知代理设备是否订阅成功,若订阅成功,源节点还向代理设备发送ReportProxiedACE,并且,后续ACL簇中与该目标资源相关的绑定关系发生变化时,源节点会再次向代理设备发送新的ReportProxiedACE。
在一种可能的实现方式中,上述Cluster针对proxy使用,其他类型的设备不可用,在触发上述方法时,源节点可以确认请求是否为proxy类型设备发起的。
请参考图10,其示出了本申请实施例涉及的一种订阅权限信息处理的示意图。如图10所示,该过程可以包括以下步骤:
S1001,app配置Source Node的ACL Cluster;在此过程中为订阅SourceNode上目标资源的Clients分配权限。
S1002,Client通过Proxy发现机制来发现Proxys,并选择其中一个作为其代理Proxy。
其中,所谓代理Proxy指Client可以通过向Proxy发送订阅消息,从而订阅到Source Node上的目标资源。
S1003,Client向Proxy发送订阅Source Node上目标资源请求。
S1004,如果上述proxy没有订阅过SourceNode(包括目标资源和ACL),则proxy通过发送SubscribeProxiedACEReq来订阅具有访问Source Node资源view权限的Client;这里View权限对应ACL privilege包括:View、operate、management、Administer。
S1005,Source Node检查Proxy是否有权限触发该方法:是否具有operate权限,以及是否为proxy。如果具有权限则执行后续S1006。
S1006,发送ReportProxiedACE消息,该消息携带具有view权限的所有Client的标识。比如,该消息携带Client IDs,可选的,还可以携带FabricIndex和Target。
S1007,SourceNode发送SubscribeProxiedACERsp完成订阅。
S1008,当ACL权限发生变化(增加一个Client的View权限、一个Client的删除View)时,源节点通过ReportProxiedACE报告给Proxy。
S1009,当Proxy收到ProxiedClientMgmt变更消息,且变更为取消一个Client订阅Souce Node的权限之后,会检查该client是否直接订阅到该proxy,如果是,则结束订阅关系。
可选的Proxy也可以通过GetProxiedACEReq来获取具有view权限的Client Node List,Source Node通过GetProxiedClientACERsp消息来应答,且该消息中包含了可以订阅目标资源的Client List。还可以携带FabricIndex和Target。
综上所述,本申请实施例所示的方案,当代理设备为客户端设备提供源节点上的目标资源的代理服务时,可以先向该源节点查询具有订阅该源节点上的资源的设备,以便对该客户端设备的代理订阅的请求进行鉴权。在此过程中,源节点可以针对客户端设备要订阅的目标资源,将具有订阅该目标资源的权限的客 户端设备的相关信息提供给代理设备,而对于具有订阅该目标资源之外的其它资源的客户端设备的相关信息,则不需要提供给代理设备,从而提高通过代理设备进行订阅权限查询时的安全性,进而提高了物联网系统的安全性。
请参考图11,其示出了本申请一个实施例提供的订阅权限信息处理装置的框图。该装置具有实现上述各个方法实施例中,由源节点执行的功能。如图11所示,该订阅权限信息处理装置1100可以包括:
发送模块1101,用于向代理设备发送订阅权限信息,所述订阅权限信息用于指示对所述源节点中的目标资源具有订阅权限的客户端设备。
在一种可能的实现方式中,所述订阅权限信息中包含对所述目标资源具有订阅权限的客户端设备的标识信息。
在一种可能的实现方式中,所述订阅权限信息中还包含以下两种信息中的至少一种:
所述目标资源的资源标识信息,或者,所述源节点的安全域索引信息。
在一种可能的实现方式中,所述源节点中具有客户端订阅管理簇;
所述客户端订阅管理簇中包含对所述目标资源具有订阅权限的客户端设备的标识信息。
在一种可能的实现方式中,所述发送模块,用于向所述代理设备发送所述客户端订阅管理簇,所述客户端订阅管理簇包含所述订阅权限信息。
在一种可能的实现方式中,所述装置还包括:
第一更新模块,用于当所述源节点的ACL簇中,具有对指定类型资源的订阅权限的客户端设备的标识信息发生变更时,对应所述源节点的ACL簇的变更情况,对所述客户端订阅管理簇进行更新;
其中,所述目标资源属于所述指定类型资源。
在一种可能的实现方式中,所述第一更新模块,用于当所述源节点的ACL簇中,具有对第一资源的订阅权限的客户端设备的标识信息发生变更时,对应所述源节点中的ACL簇的变更情况,对所述客户端订阅管理簇中,与所述第一资源相对应的客户端订阅管理条目进行更新;
其中,所述第一资源属于所述指定类型资源。
在一种可能的实现方式中,所述第一更新模块,用于当所述源节点的ACL簇中,具有对所述第一资源的订阅权限的第一客户端的标识信息被移除时,从与所述第一资源相对应的客户端订阅管理条目中删除所述第一客户端设备的标识信息。
在一种可能的实现方式中,所述第一更新模块,用于当所述源节点的ACL簇中,增加了具有对所述第一资源的订阅权限的第二客户端的标识信息时,在与所述第一资源相对应的客户端订阅管理条目中增加所述第二客户端设备的标识信息。
在一种可能的实现方式中,所述指定类型资源包括与所述源节点的设备功能对应的应用簇。
在一种可能的实现方式中,所述装置还包括:
接收模块,用于接收配置设备发送的更新指令,所述更新指令用于指示对所述客户端订阅管理簇进行更新;
第二更新模块,用于对所述客户端订阅管理簇进行更新。
在一种可能的实现方式中,所述发送模块,用于当所述代理设备具有对所述源节点的代理浏览权限时,向所述代理设备发送所述客户端订阅管理簇;
其中,所述代理浏览权限包括对所述源节点中除了ACL簇之外的其它资源的浏览权限。
在一种可能的实现方式中,所述发送模块,用于当所述代理设备具有对所述源节点的浏览权限时,向所述代理设备发送所述客户端订阅管理簇;
其中,所述浏览权限包括对所述源节点中除了ACL簇之外的其它资源的浏览权限。
在一种可能的实现方式中,所述发送模块,还用于在所述代理设备成功订阅所述客户端订阅管理簇的情况下,当所述客户端订阅管理簇发生变更时,向所述代理设备发送第一更新通知,所述第一更新通知用于指示所述客户端订阅管理簇的更新情况。
在一种可能的实现方式中,所述客户端订阅管理簇中还包含第一指令集;
所述第一指令集用于根据所述客户端订阅管理簇,向代理设备提供对所述目标资源具有订阅权限的客户端设备的标识信息。
在一种可能的实现方式中,所述第一指令集包括以下指令中的至少一种:
客户端信息获取请求;所述客户端信息获取请求用于单次请求所述订阅权限信息;
客户端信息获取响应;所述客户端信息获取响应用于携带所述订阅权限信息;
客户端信息订阅请求;所述客户端信息订阅请求用于订阅所述订阅权限信息;
客户端信息订阅响应;所述客户端信息订阅响应用于指示是否订阅成功;
客户端信息报告;所述客户端信息报告用于携带对所述订阅权限信息,或者,携带第一变更信息;所述第一变更信息用于指示所述订阅权限信息的变更情况。
在一种可能的实现方式中,所述发送模块,用于在接收到所述代理设备发送的客户端信息获取请求时,向所述代理设备发送所述客户端信息获取响应。
在一种可能的实现方式中,所述发送模块,用于在接收到所述代理设备发送的所述客户端信息订阅请求,且确定所述代理设备成功时,向所述代理设备发送所述客户端信息订阅响应;
所述发送模块,还用于向所述代理设备发送携带所述订阅权限信息的所述客户端信息报告。
在一种可能的实现方式中,所述发送模块,还用于在所述代理设备成功订阅所述订阅权限信息的情况下,当所述客户端订阅管理簇中与所述目标资源相对应的客户端订阅管理条目发生变更时,向所述代理设备发送第二更新通知,所述第二更新通知用于指示与所述目标资源相对应的客户端订阅管理条目的变更情况。
在一种可能的实现方式中,所述第二更新通知为包含所述第一变更信息的所述客户端信息报告。
在一种可能的实现方式中,所述源节点中具有访问控制列表ACL订阅簇;
所述ACL订阅簇包含第二指令集,所述第二指令集用于根据ACL簇,向代理设备提供对所述目标资源具有订阅权限的客户端设备的标识信息。
在一种可能的实现方式中,所述第二指令集包括以下指令中的至少一种:
访问控制条目ACE获取请求;所述ACE获取请求用于单次请求所述订阅权限信息;
ACE获取响应;所述ACE获取响应用于携带根据所述ACL簇生成的所述订阅权限信息;
ACE订阅请求;所述ACE订阅请求用于订阅所述订阅权限信息;
ACE订阅响应;所述ACE订阅响应用于指示是否订阅成功;
ACE报告;所述ACE报告用于携带根据所述ACL簇生成的所述订阅权限信息,或者,携带第二变更信息,所述第二变更信息用于指示所述订阅权限信息的变更情况。
在一种可能的实现方式中,所述装置还包括:
生成模块,用于在所述发送模块向代理设备发送订阅权限信息之前,根据所述源节点的ACL簇生成所述订阅权限信息。
在一种可能的实现方式中,所述生成模块,用于在接收到所述代理设备发送的所述ACE获取请求时,根据所述源节点的ACL簇生成所述订阅权限信息;
所述发送模块,用于向所述代理设备发送所述ACE获取响应。
在一种可能的实现方式中,所述生成模块,用于在接收到所述代理设备发送的所述ACE订阅请求,且确定所述代理设备订阅成功时,根据所述源节点的ACL簇生成所述订阅权限信息;
所述发送模块,用于向所述代理设备发送携带所述订阅权限信息的所述ACE报告。
在一种可能的实现方式中,所述发送模块,还用于在所述代理设备成功订阅所述订阅权限信息的情况下,当所述源节点的ACL簇中,具有对所述目标资源的订阅权限的客户端设备的标识信息发生变更时,向所述代理设备发送第三更新通知,所述第三更新通知用于指示具有对所述源节点中的资源的订阅权限的客户端设备的标识信息的变更情况。
在一种可能的实现方式中,所述第三更新通知为包含所述第二变更信息的所述ACE报告。
在一种可能的实现方式中,所述发送模块,用于若所述代理设备的设备类型是代理类型,且所述代理设备具有执行所述源节点的功能的权限,则向代理设备发送所述订阅权限信息。
请参考图12,其示出了本申请一个实施例提供的订阅权限信息处理装置的框图。该装置具有实现上述各个方法实施例中,由代理设备执行的功能。如图12所示,该订阅权限信息处理装置1200可以包括:
接收模块1201,用于接收源节点发送的订阅权限信息,所述订阅权限信息用于指示对所述源节点中的目标资源具有订阅权限的客户端设备。
在一种可能的实现方式中,所述订阅权限信息中包含对所述目标资源具有订阅权限的客户端设备的标识信息。
在一种可能的实现方式中,所述订阅权限信息中还包含以下两种信息中的至少一种:
所述目标资源的资源标识信息,或者,所述源节点的安全域索引信息。
在一种可能的实现方式中,所述接收模块,用于接收所述源节点发送的所述客户端订阅管理簇;所述客户端订阅管理簇中包含对所述目标资源具有订阅权限的客户端设备的标识信息。
在一种可能的实现方式中,所述接收模块,还用于在所述代理设备成功订阅所述客户端订阅管理簇的情况下,接收所述源节点发送的第一更新通知,所述第一更新通知用于指示所述客户端订阅管理簇的更新情况。
在一种可能的实现方式中,所述装置还包括:
第一移除模块,用于当所述第一更新通知指示从所述客户端订阅管理簇中删除第三客户端设备的标识信息时,移除与所述第三客户端设备对应的订阅关系。
在一种可能的实现方式中,所述装置还包括:
第一发送模块,用于在所述接收模块接收源节点发送的订阅权限信息之前,向所述源节点发送客户端信息获取请求;所述客户端信息获取请求用于单次请求所述订阅权限信息;
所述接收模块,用于接收所述源节点发送的客户端信息获取响应;所述客户端信息获取响应中包含所述权限订阅信息;所述权限订阅信息由所述源节点根据所述源节点中的客户端订阅管理簇生成。
在一种可能的实现方式中,所述装置还包括:
第二发送模块,用于在所述接收模块接收源节点发送的订阅权限信息之前,向所述源节点发送客户端信息订阅请求;所述客户端信息订阅请求用于订阅所述订阅权限信息;
所述接收模块,用于接收所述源节点发送的客户端信息订阅响应,所述客户端信息订阅响应用于指示是否订阅成功;
所述接收模块,还用于在所述客户端信息订阅响应指示订阅成功的情况下,接收所述源节点发送的,包含所述权限订阅信息的客户端信息报告;所述权限订阅信息由所述源节点根据所述源节点中的客户端订阅管理簇生成。
在一种可能的实现方式中,所述接收模块,还用于在所述代理设备成功订阅所述订阅权限信息的情况下,接收所述源节点发送的第二更新通知;所述第二更新通知是所述源节点在所述客户端订阅管理簇中与所述目标资源相对应的客户端订阅管理条目发生变更时发送的,所述第二更新通知用于指示与所述目标资源相对应的客户端订阅管理条目的变更情况。
在一种可能的实现方式中,所述第二更新通知为包含第一变更信息的客户端信息报告;所述第一变更信息用于指示所述订阅权限信息的变更情况。
在一种可能的实现方式中,所述装置还包括:
第二移除模块,用于当所述第二更新通知指示从所述客户端订阅管理簇中删除第四客户端设备的标识信息时,移除与所述第四客户端设备对应的订阅关系。
在一种可能的实现方式中,所述装置还包括:
第三发送模块,用于在所述接收模块接收源节点发送的订阅权限信息之前,向所述源节点发送ACE获取请求;所述ACE获取请求用于单次请求所述订阅权限信息;
所述接收模块,用于接收所述源节点发送的ACE获取响应;所述ACE获取响应中包含所述权限订阅信息;所述权限订阅信息由所述源节点根据所述源节点中的ACL簇生成。
在一种可能的实现方式中,所述装置还包括:
第四发送模块,用于在所述接收模块接收源节点发送的订阅权限信息之前,向所述源节点发送ACE订阅请求;所述ACE订阅请求用于订阅所述订阅权限信息;
所述接收模块,用于接收所述源节点发送的ACE订阅响应,所述ACE订阅响应用于指示是否订阅成功;
所述接收模块,还用于在所述ACE订阅响应指示订阅成功的情况下,接收所述源节点发送的,包含所述权限订阅信息的ACE报告;所述权限订阅信息由所述源节点根据所述源节点中的ACL簇生成。
在一种可能的实现方式中,所述接收模块,还用于在所述代理设备成功订阅所述订阅权限信息的情况下,接收所述源节点发送的第三更新通知;所述第三更新通知是所述源节点在所述ACL簇中,具有对所述目标资源的订阅权限的客户端设备的标识信息发生变更时发送的,所述第三更新通知用于指示具有对所述源节点中的资源的订阅权限的客户端设备的标识信息的变更情况。
在一种可能的实现方式中,所述第三更新通知为包含第二变更信息的ACE报告;所述第二变更信息用于指示所述订阅权限信息的变更情况。
在一种可能的实现方式中,所述装置还包括:
第三移除模块,用于当所述第三更新通知指示从所述客户端订阅管理簇中删除第五客户端设备的标识信息时,移除与所述第五客户端设备对应的订阅关系。
在一种可能的实现方式中,所述装置还包括:
关系建立模块,用于在接收到第六客户端设备发送的资源订阅请求,且所述订阅权限信息指示所述第六客户端设备具有对所述源节点中的所述目标资源的订阅权限时,建立所述第六客户端设备对所述目标资源进行订阅的订阅关系。
需要说明的一点是,上述实施例提供的装置在实现其功能时,仅以上述各个功能模块的划分进行举例 说明,实际应用中,可以根据实际需要而将上述功能分配由不同的功能模块完成,即将设备的内容结构划分成不同的功能模块,以完成以上描述的全部或者部分功能。
关于上述实施例中的装置,其中各个模块执行操作的具体方式已经在有关该方法的实施例中进行了详细描述,此处将不做详细阐述说明。
请参考图13,其示出了本申请一个实施例提供的计算机设备1300的结构示意图。该计算机设备1300可以包括:处理器1301、接收器1302、发射器1303、存储器1304和总线1305。
处理器1301包括一个或者一个以上处理核心,处理器1301通过运行软件程序以及模块,从而执行各种功能应用以及信息处理。
接收器1302和发射器1303可以实现为一个通信组件,该通信组件可以是一块通信芯片。该通信芯片也可以称为收发器。
存储器1304通过总线1305与处理器1301相连。
存储器1304可用于存储计算机程序,处理器1301用于执行该计算机程序,以实现上述方法实施例中的各个步骤。
此外,存储器1304可以由任何类型的易失性或非易失性存储设备或者它们的组合实现,易失性或非易失性存储设备包括但不限于:磁盘或光盘,电可擦除可编程只读存储器,可擦除可编程只读存储器,静态随时存取存储器,只读存储器,磁存储器,快闪存储器,可编程只读存储器。
在一个示例性的方案中,当计算机设备1300实现为源节点时,所述收发器1302,用于向代理设备发送订阅权限信息,所述订阅权限信息用于指示对所述源节点中的目标资源具有订阅权限的客户端设备。
其中,上述计算机设备1300中的处理器1301和/或收发器1302执行的过程可以参考上述各个方法实施例中,由源节点执行的各个步骤。
在另一个示例性的方案中,当计算机设备1300实现为代理设备时,所述收发器1302,用于接收源节点发送的订阅权限信息,所述订阅权限信息用于指示对所述源节点中的目标资源具有订阅权限的客户端设备。
其中,上述计算机设备1300中的处理器1301和/或收发器1302执行的过程可以参考上述各个方法实施例中,由代理设备执行的各个步骤。
本申请实施例还提供了一种计算机可读存储介质,所述存储介质中存储有计算机程序,所述计算机程序由处理器加载并执行以实现上述各个方法实施例中,由代理设备或者源节点执行的全部或者部分步骤。
本申请还提供了一种芯片,该芯片用于在计算机设备中运行,以使得计算机设备执行上述各个方法实施例中,由代理设备或者源节点执行的全部或者部分步骤。
本申请还提供了一种计算机程序产品,该计算机程序产品或计算机程序包括计算机指令,该计算机指令存储在计算机可读存储介质中。计算机设备的处理器从计算机可读存储介质读取该计算机指令,处理器执行该计算机指令,使得计算机设备执行上述各个方法实施例中,由代理设备或者源节点执行的全部或者部分步骤。
本申请还提供了一种计算机程序,该计算机程序由计算机设备的处理器执行,以实现上述各个方法实施例中,由代理设备或者源节点执行的全部或者部分步骤。
本领域技术人员应该可以意识到,在上述一个或多个示例中,本申请实施例所描述的功能可以用硬件、软件、固件或它们的任意组合来实现。当使用软件实现时,可以将这些功能存储在计算机可读介质中或者作为计算机可读介质上的一个或多个指令或代码进行传输。计算机可读介质包括计算机存储介质和通信介质,其中通信介质包括便于从一个地方向另一个地方传送计算机程序的任何介质。存储介质可以是通用或专用计算机能够存取的任何可用介质。
以上所述仅为本申请的示例性实施例,并不用以限制本申请,凡在本申请的精神和原则之内,所作的任何修改、等同替换、改进等,均应包括在本申请的保护范围之内。

Claims (95)

  1. 一种订阅权限信息处理方法,其特征在于,所述方法由源节点执行,所述方法包括:
    向代理设备发送订阅权限信息,所述订阅权限信息用于指示对所述源节点中的目标资源具有订阅权限的客户端设备。
  2. 根据权利要求1所述的方法,其特征在于,所述订阅权限信息中包含对所述目标资源具有订阅权限的客户端设备的标识信息。
  3. 根据权利要求2所述的方法,其特征在于,所述订阅权限信息中还包含以下两种信息中的至少一种:
    所述目标资源的资源标识信息,或者,所述源节点的安全域索引信息。
  4. 根据权利要求1至3任一所述的方法,其特征在于,所述源节点中具有客户端订阅管理簇;
    所述客户端订阅管理簇中包含对所述目标资源具有订阅权限的客户端设备的标识信息。
  5. 根据权利要求4所述的方法,其特征在于,所述向代理设备发送订阅权限信息,包括:
    向所述代理设备发送所述客户端订阅管理簇,所述客户端订阅管理簇包含所述订阅权限信息。
  6. 根据权利要求5所述的方法,其特征在于,所述方法还包括:
    当所述源节点的ACL簇中,具有对指定类型资源的订阅权限的客户端设备的标识信息发生变更时,对应所述源节点的ACL簇的变更情况,对所述客户端订阅管理簇进行更新;
    其中,所述目标资源属于所述指定类型资源。
  7. 根据权利要求6所述的方法,其特征在于,所述当所述源节点的ACL簇中,具有对指定类型资源的订阅权限的客户端设备的标识信息发生变更时,对应所述源节点的ACL簇的变更情况,对所述客户端订阅管理簇进行更新,包括:
    当所述源节点的ACL簇中,具有对第一资源的订阅权限的客户端设备的标识信息发生变更时,对应所述源节点中的ACL簇的变更情况,对所述客户端订阅管理簇中,与所述第一资源相对应的客户端订阅管理条目进行更新;
    其中,所述第一资源属于所述指定类型资源。
  8. 根据权利要求7所述的方法,其特征在于,所述当所述源节点的ACL簇中,具有对第一资源的订阅权限的客户端设备的标识信息发生变更时,对应所述源节点中的ACL簇的变更情况,对所述客户端订阅管理簇中,与所述第一资源相对应的客户端订阅管理条目进行更新,包括:
    当所述源节点的ACL簇中,具有对所述第一资源的订阅权限的第一客户端的标识信息被移除时,从与所述第一资源相对应的客户端订阅管理条目中删除所述第一客户端设备的标识信息。
  9. 根据权利要求7所述的方法,其特征在于,所述当所述源节点的ACL簇中,具有对第一资源的订阅权限的客户端设备的标识信息发生变更时,对应所述源节点中的ACL簇的变更情况,对所述客户端订阅管理簇中,与所述第一资源相对应的客户端订阅管理条目进行更新,包括:
    当所述源节点的ACL簇中,增加了具有对所述第一资源的订阅权限的第二客户端的标识信息时,在与所述第一资源相对应的客户端订阅管理条目中增加所述第二客户端设备的标识信息。
  10. 根据权利要求6至9任一所述的方法,其特征在于,所述指定类型资源包括与所述源节点的设备功能对应的应用簇。
  11. 根据权利要求5所述的方法,其特征在于,所述方法还包括:
    接收配置设备发送的更新指令,所述更新指令用于指示对所述客户端订阅管理簇进行更新;
    对所述客户端订阅管理簇进行更新。
  12. 根据权利要求6至11任一所述的方法,其特征在于,所述向所述代理设备发送所述客户端订阅管理簇,包括:
    当所述代理设备具有对所述源节点的代理浏览权限时,向所述代理设备发送所述客户端订阅管理簇;
    其中,所述代理浏览权限包括对所述源节点中除了ACL簇之外的其它资源的浏览权限。
  13. 根据权利要求6至11任一所述的方法,其特征在于,所述向所述代理设备发送所述客户端订阅管理簇,包括:
    当所述代理设备具有对所述源节点的浏览权限时,向所述代理设备发送所述客户端订阅管理簇;
    其中,所述浏览权限包括对所述源节点中除了ACL簇之外的其它资源的浏览权限。
  14. 根据权利要求5至13任一所述的方法,其特征在于,所述方法还包括:
    在所述代理设备成功订阅所述客户端订阅管理簇的情况下,当所述客户端订阅管理簇发生变更时,向所述代理设备发送第一更新通知,所述第一更新通知用于指示所述客户端订阅管理簇的更新情况。
  15. 根据权利要求4所述的方法,其特征在于,所述客户端订阅管理簇中还包含第一指令集;
    所述第一指令集用于根据所述客户端订阅管理簇,向代理设备提供对所述目标资源具有订阅权限的客户端设备的标识信息。
  16. 根据权利要求15所述的方法,其特征在于,所述第一指令集包括以下指令中的至少一种:
    客户端信息获取请求;所述客户端信息获取请求用于单次请求所述订阅权限信息;
    客户端信息获取响应;所述客户端信息获取响应用于携带所述订阅权限信息;
    客户端信息订阅请求;所述客户端信息订阅请求用于订阅所述订阅权限信息;
    客户端信息订阅响应;所述客户端信息订阅响应用于指示是否订阅成功;
    客户端信息报告;所述客户端信息报告用于携带对所述订阅权限信息,或者,携带第一变更信息;所述第一变更信息用于指示所述订阅权限信息的变更情况。
  17. 根据权利要求16所述的方法,其特征在于,所述向代理设备发送订阅权限信息,包括:
    在接收到所述代理设备发送的客户端信息获取请求时,向所述代理设备发送所述客户端信息获取响应。
  18. 根据权利要求16所述的方法,其特征在于,所述向代理设备发送订阅权限信息,包括:
    在接收到所述代理设备发送的所述客户端信息订阅请求,且确定所述代理设备成功时,向所述代理设备发送所述客户端信息订阅响应;
    向所述代理设备发送携带所述订阅权限信息的所述客户端信息报告。
  19. 根据权利要求16或18所述的方法,其特征在于,所述方法还包括:
    在所述代理设备成功订阅所述订阅权限信息的情况下,当所述客户端订阅管理簇中与所述目标资源相对应的客户端订阅管理条目发生变更时,向所述代理设备发送第二更新通知,所述第二更新通知用于指示与所述目标资源相对应的客户端订阅管理条目的变更情况。
  20. 根据权利要求19所述的方法,其特征在于,所述第二更新通知为包含所述第一变更信息的所述客户端信息报告。
  21. 根据权利要求1至3任一所述的方法,其特征在于,所述源节点中具有访问控制列表ACL订阅簇;
    所述ACL订阅簇包含第二指令集,所述第二指令集用于根据ACL簇,向代理设备提供对所述目标资源具有订阅权限的客户端设备的标识信息。
  22. 根据权利要求21所述的方法,其特征在于,所述第二指令集包括以下指令中的至少一种:
    访问控制条目ACE获取请求;所述ACE获取请求用于单次请求所述订阅权限信息;
    ACE获取响应;所述ACE获取响应用于携带根据所述ACL簇生成的所述订阅权限信息;
    ACE订阅请求;所述ACE订阅请求用于订阅所述订阅权限信息;
    ACE订阅响应;所述ACE订阅响应用于指示是否订阅成功;
    ACE报告;所述ACE报告用于携带根据所述ACL簇生成的所述订阅权限信息,或者,携带第二变更信息,所述第二变更信息用于指示所述订阅权限信息的变更情况。
  23. 根据权利要求22所述的方法,其特征在于,所述向代理设备发送订阅权限信息之前,还包括:
    根据所述源节点的ACL簇生成所述订阅权限信息。
  24. 根据权利要求23所述的方法,其特征在于,
    所述根据所述源节点的ACL簇生成所述订阅权限信息,包括:
    在接收到所述代理设备发送的所述ACE获取请求时,根据所述源节点的ACL簇生成所述订阅权限信息;
    所述向代理设备发送订阅权限信息,包括:
    向所述代理设备发送所述ACE获取响应。
  25. 根据权利要求23所述的方法,其特征在于,
    所述根据所述源节点的ACL簇生成所述订阅权限信息,包括:
    在接收到所述代理设备发送的所述ACE订阅请求,且确定所述代理设备订阅成功时,根据所述源节点的ACL簇生成所述订阅权限信息;
    所述向代理设备发送订阅权限信息,包括:
    向所述代理设备发送携带所述订阅权限信息的所述ACE报告。
  26. 根据权利要求23或25所述的方法,其特征在于,所述方法还包括:
    在所述代理设备成功订阅所述订阅权限信息的情况下,当所述源节点的ACL簇中,具有对所述目标资源的订阅权限的客户端设备的标识信息发生变更时,向所述代理设备发送第三更新通知,所述第三更新通知用于指示具有对所述源节点中的资源的订阅权限的客户端设备的标识信息的变更情况。
  27. 根据权利要求26所述的方法,其特征在于,所述第三更新通知为包含所述第二变更信息的所述ACE报告。
  28. 根据权利要求21至27任一所述的方法,其特征在于,所述向代理设备发送订阅权限信息,包括:
    若所述代理设备的设备类型是代理类型,且所述代理设备具有执行所述源节点的功能的权限,则向代理设备发送所述订阅权限信息。
  29. 一种订阅权限信息处理方法,其特征在于,所述方法由代理设备执行,所述方法包括:
    接收源节点发送的订阅权限信息,所述订阅权限信息用于指示对所述源节点中的目标资源具有订阅权限的客户端设备。
  30. 根据权利要求29所述的方法,其特征在于,所述订阅权限信息中包含对所述目标资源具有订阅权限的客户端设备的标识信息。
  31. 根据权利要求30所述的方法,其特征在于,所述订阅权限信息中还包含以下两种信息中的至少一种:
    所述目标资源的资源标识信息,或者,所述源节点的安全域索引信息。
  32. 根据权利要求29至31任一所述的方法,其特征在于,所述接收源节点发送的订阅权限信息,包括:
    接收所述源节点发送的所述客户端订阅管理簇;所述客户端订阅管理簇中包含对所述目标资源具有订阅权限的客户端设备的标识信息。
  33. 根据权利要求32所述的方法,其特征在于,所述方法还包括:
    在所述代理设备成功订阅所述客户端订阅管理簇的情况下,接收所述源节点发送的第一更新通知,所述第一更新通知用于指示所述客户端订阅管理簇的更新情况。
  34. 根据权利要求33所述的方法,其特征在于,所述方法还包括:
    当所述第一更新通知指示从所述客户端订阅管理簇中删除第三客户端设备的标识信息时,移除与所述第三客户端设备对应的订阅关系。
  35. 根据权利要求29至31任一所述的方法,其特征在于,所述在接收源节点发送的订阅权限信息之前,还包括:
    向所述源节点发送客户端信息获取请求;所述客户端信息获取请求用于单次请求所述订阅权限信息;
    所述接收源节点发送的订阅权限信息,包括:
    接收所述源节点发送的客户端信息获取响应;所述客户端信息获取响应中包含所述权限订阅信息;所述权限订阅信息由所述源节点根据所述源节点中的客户端订阅管理簇生成。
  36. 根据权利要求29至31任一所述的方法,其特征在于,所述在接收源节点发送的订阅权限信息之前,还包括:
    向所述源节点发送客户端信息订阅请求;所述客户端信息订阅请求用于订阅所述订阅权限信息;
    接收所述源节点发送的客户端信息订阅响应,所述客户端信息订阅响应用于指示是否订阅成功;
    所述接收源节点发送的订阅权限信息,包括:
    在所述客户端信息订阅响应指示订阅成功的情况下,接收所述源节点发送的,包含所述权限订阅信息的客户端信息报告;所述权限订阅信息由所述源节点根据所述源节点中的客户端订阅管理簇生成。
  37. 根据权利要求36所述的方法,其特征在于,所述方法还包括:
    在所述代理设备成功订阅所述订阅权限信息的情况下,接收所述源节点发送的第二更新通知;所述第二更新通知是所述源节点在所述客户端订阅管理簇中与所述目标资源相对应的客户端订阅管理条目发生变更时发送的,所述第二更新通知用于指示与所述目标资源相对应的客户端订阅管理条目的变更情况。
  38. 根据权利要求37所述的方法,其特征在于,所述第二更新通知为包含第一变更信息的客户端信息报告;所述第一变更信息用于指示所述订阅权限信息的变更情况。
  39. 根据权利要求37或38所述的方法,其特征在于,所述方法还包括:
    当所述第二更新通知指示从所述客户端订阅管理簇中删除第四客户端设备的标识信息时,移除与所述第四客户端设备对应的订阅关系。
  40. 根据权利要求29至31任一所述的方法,其特征在于,所述在接收源节点发送的订阅权限信息之前,还包括:
    向所述源节点发送ACE获取请求;所述ACE获取请求用于单次请求所述订阅权限信息;
    所述接收源节点发送的订阅权限信息,包括:
    接收所述源节点发送的ACE获取响应;所述ACE获取响应中包含所述权限订阅信息;所述权限订阅信息由所述源节点根据所述源节点中的ACL簇生成。
  41. 根据权利要求29至31任一所述的方法,其特征在于,所述在接收源节点发送的订阅权限信息之前,还包括:
    向所述源节点发送ACE订阅请求;所述ACE订阅请求用于订阅所述订阅权限信息;
    接收所述源节点发送的ACE订阅响应,所述ACE订阅响应用于指示是否订阅成功;
    所述接收源节点发送的订阅权限信息,包括:
    在所述ACE订阅响应指示订阅成功的情况下,接收所述源节点发送的,包含所述权限订阅信息的ACE报告;所述权限订阅信息由所述源节点根据所述源节点中的ACL簇生成。
  42. 根据权利要求41所述的方法,其特征在于,所述方法还包括:
    在所述代理设备成功订阅所述订阅权限信息的情况下,接收所述源节点发送的第三更新通知;所述第三更新通知是所述源节点在所述ACL簇中,具有对所述目标资源的订阅权限的客户端设备的标识信息发生变更时发送的,所述第三更新通知用于指示具有对所述源节点中的资源的订阅权限的客户端设备的标识信息的变更情况。
  43. 根据权利要求42所述的方法,其特征在于,所述第三更新通知为包含第二变更信息的ACE报告;所述第二变更信息用于指示所述订阅权限信息的变更情况。
  44. 根据权利要求42或43所述的方法,其特征在于,所述方法还包括:
    当所述第三更新通知指示从所述客户端订阅管理簇中删除第五客户端设备的标识信息时,移除与所述第五客户端设备对应的订阅关系。
  45. 根据权利要求29至44任一所述的方法,其特征在于,所述方法还包括:
    在接收到第六客户端设备发送的资源订阅请求,且所述订阅权限信息指示所述第六客户端设备具有对所述源节点中的所述目标资源的订阅权限时,建立所述第六客户端设备对所述目标资源进行订阅的订阅关系。
  46. 一种订阅权限信息处理装置,其特征在于,所述装置包括:
    发送模块,用于向代理设备发送订阅权限信息,所述订阅权限信息用于指示对所述源节点中的目标资源具有订阅权限的客户端设备。
  47. 根据权利要求46所述的装置,其特征在于,所述订阅权限信息中包含对所述目标资源具有订阅权限的客户端设备的标识信息。
  48. 根据权利要求47所述的装置,其特征在于,所述订阅权限信息中还包含以下两种信息中的至少一种:
    所述目标资源的资源标识信息,或者,所述源节点的安全域索引信息。
  49. 根据权利要求46至48任一所述的装置,其特征在于,所述源节点中具有客户端订阅管理簇;
    所述客户端订阅管理簇中包含对所述目标资源具有订阅权限的客户端设备的标识信息。
  50. 根据权利要求49所述的装置,其特征在于,所述发送模块,用于向所述代理设备发送所述客户端订阅管理簇,所述客户端订阅管理簇包含所述订阅权限信息。
  51. 根据权利要求50所述的装置,其特征在于,所述装置还包括:
    第一更新模块,用于当所述源节点的ACL簇中,具有对指定类型资源的订阅权限的客户端设备的标识信息发生变更时,对应所述源节点的ACL簇的变更情况,对所述客户端订阅管理簇进行更新;
    其中,所述目标资源属于所述指定类型资源。
  52. 根据权利要求51所述的装置,其特征在于,
    所述第一更新模块,用于当所述源节点的ACL簇中,具有对第一资源的订阅权限的客户端设备的标识信息发生变更时,对应所述源节点中的ACL簇的变更情况,对所述客户端订阅管理簇中,与所述第一资源相对应的客户端订阅管理条目进行更新;
    其中,所述第一资源属于所述指定类型资源。
  53. 根据权利要求52所述的装置,其特征在于,
    所述第一更新模块,用于当所述源节点的ACL簇中,具有对所述第一资源的订阅权限的第一客户端的标识信息被移除时,从与所述第一资源相对应的客户端订阅管理条目中删除所述第一客户端设备的标识信息。
  54. 根据权利要求52所述的装置,其特征在于,
    所述第一更新模块,用于当所述源节点的ACL簇中,增加了具有对所述第一资源的订阅权限的第二客户端的标识信息时,在与所述第一资源相对应的客户端订阅管理条目中增加所述第二客户端设备的标识信息。
  55. 根据权利要求51至54任一所述的装置,其特征在于,所述指定类型资源包括与所述源节点的设备功能对应的应用簇。
  56. 根据权利要求50所述的装置,其特征在于,所述装置还包括:
    接收模块,用于接收配置设备发送的更新指令,所述更新指令用于指示对所述客户端订阅管理簇进行更新;
    第二更新模块,用于对所述客户端订阅管理簇进行更新。
  57. 根据权利要求51至56任一所述的装置,其特征在于,
    所述发送模块,用于当所述代理设备具有对所述源节点的代理浏览权限时,向所述代理设备发送所述客户端订阅管理簇;
    其中,所述代理浏览权限包括对所述源节点中除了ACL簇之外的其它资源的浏览权限。
  58. 根据权利要求57所述的装置,其特征在于,
    所述发送模块,用于当所述代理设备具有对所述源节点的浏览权限时,向所述代理设备发送所述客户端订阅管理簇;
    其中,所述浏览权限包括对所述源节点中除了ACL簇之外的其它资源的浏览权限。
  59. 根据权利要求50至58任一所述的装置,其特征在于,所述发送模块,还用于在所述代理设备成功订阅所述客户端订阅管理簇的情况下,当所述客户端订阅管理簇发生变更时,向所述代理设备发送第一更新通知,所述第一更新通知用于指示所述客户端订阅管理簇的更新情况。
  60. 根据权利要求49所述的装置,其特征在于,所述客户端订阅管理簇中还包含第一指令集;
    所述第一指令集用于根据所述客户端订阅管理簇,向代理设备提供对所述目标资源具有订阅权限的客户端设备的标识信息。
  61. 根据权利要求60所述的装置,其特征在于,所述第一指令集包括以下指令中的至少一种:
    客户端信息获取请求;所述客户端信息获取请求用于单次请求所述订阅权限信息;
    客户端信息获取响应;所述客户端信息获取响应用于携带所述订阅权限信息;
    客户端信息订阅请求;所述客户端信息订阅请求用于订阅所述订阅权限信息;
    客户端信息订阅响应;所述客户端信息订阅响应用于指示是否订阅成功;
    客户端信息报告;所述客户端信息报告用于携带对所述订阅权限信息,或者,携带第一变更信息;所述第一变更信息用于指示所述订阅权限信息的变更情况。
  62. 根据权利要求61所述的装置,其特征在于,
    所述发送模块,用于在接收到所述代理设备发送的客户端信息获取请求时,向所述代理设备发送所述客户端信息获取响应。
  63. 根据权利要求61所述的装置,其特征在于,
    所述发送模块,用于在接收到所述代理设备发送的所述客户端信息订阅请求,且确定所述代理设备成功时,向所述代理设备发送所述客户端信息订阅响应;
    所述发送模块,还用于向所述代理设备发送携带所述订阅权限信息的所述客户端信息报告。
  64. 根据权利要求61或63所述的装置,其特征在于,
    所述发送模块,还用于在所述代理设备成功订阅所述订阅权限信息的情况下,当所述客户端订阅管理簇中与所述目标资源相对应的客户端订阅管理条目发生变更时,向所述代理设备发送第二更新通知,所述第二更新通知用于指示与所述目标资源相对应的客户端订阅管理条目的变更情况。
  65. 根据权利要求64所述的装置,其特征在于,所述第二更新通知为包含所述第一变更信息的所述客户端信息报告。
  66. 根据权利要求46至48任一所述的装置,其特征在于,所述源节点中具有访问控制列表ACL订阅簇;
    所述ACL订阅簇包含第二指令集,所述第二指令集用于根据ACL簇,向代理设备提供对所述目标资源具有订阅权限的客户端设备的标识信息。
  67. 根据权利要求66所述的装置,其特征在于,所述第二指令集包括以下指令中的至少一种:
    访问控制条目ACE获取请求;所述ACE获取请求用于单次请求所述订阅权限信息;
    ACE获取响应;所述ACE获取响应用于携带根据所述ACL簇生成的所述订阅权限信息;
    ACE订阅请求;所述ACE订阅请求用于订阅所述订阅权限信息;
    ACE订阅响应;所述ACE订阅响应用于指示是否订阅成功;
    ACE报告;所述ACE报告用于携带根据所述ACL簇生成的所述订阅权限信息,或者,携带第二变更信息,所述第二变更信息用于指示所述订阅权限信息的变更情况。
  68. 根据权利要求67所述的装置,其特征在于,所述装置还包括:
    生成模块,用于在所述发送模块向代理设备发送订阅权限信息之前,根据所述源节点的ACL簇生成所述订阅权限信息。
  69. 根据权利要求68所述的装置,其特征在于,
    所述生成模块,用于在接收到所述代理设备发送的所述ACE获取请求时,根据所述源节点的ACL簇生成所述订阅权限信息;
    所述发送模块,用于向所述代理设备发送所述ACE获取响应。
  70. 根据权利要求68所述的装置,其特征在于,
    所述生成模块,用于在接收到所述代理设备发送的所述ACE订阅请求,且确定所述代理设备订阅成功时,根据所述源节点的ACL簇生成所述订阅权限信息;
    所述发送模块,用于向所述代理设备发送携带所述订阅权限信息的所述ACE报告。
  71. 根据权利要求68或70所述的装置,其特征在于,
    所述发送模块,还用于在所述代理设备成功订阅所述订阅权限信息的情况下,当所述源节点的ACL簇中,具有对所述目标资源的订阅权限的客户端设备的标识信息发生变更时,向所述代理设备发送第三更新通知,所述第三更新通知用于指示具有对所述源节点中的资源的订阅权限的客户端设备的标识信息的变更情况。
  72. 根据权利要求71所述的装置,其特征在于,所述第三更新通知为包含所述第二变更信息的所述ACE报告。
  73. 根据权利要求66至72任一所述的装置,其特征在于,
    所述发送模块,用于若所述代理设备的设备类型是代理类型,且所述代理设备具有执行所述源节点的功能的权限,则向代理设备发送所述订阅权限信息。
  74. 一种订阅权限信息处理装置,其特征在于,所述装置包括:
    接收模块,用于接收源节点发送的订阅权限信息,所述订阅权限信息用于指示对所述源节点中的目标资源具有订阅权限的客户端设备。
  75. 根据权利要求74所述的装置,其特征在于,所述订阅权限信息中包含对所述目标资源具有订阅权限的客户端设备的标识信息。
  76. 根据权利要求75所述的装置,其特征在于,所述订阅权限信息中还包含以下两种信息中的至少一种:
    所述目标资源的资源标识信息,或者,所述源节点的安全域索引信息。
  77. 根据权利要求74至76任一所述的装置,其特征在于,所述接收模块,用于接收所述源节点发送的所述客户端订阅管理簇;所述客户端订阅管理簇中包含对所述目标资源具有订阅权限的客户端设备的标识信息。
  78. 根据权利要求77所述的装置,其特征在于,
    所述接收模块,还用于在所述代理设备成功订阅所述客户端订阅管理簇的情况下,接收所述源节点发送的第一更新通知,所述第一更新通知用于指示所述客户端订阅管理簇的更新情况。
  79. 根据权利要求78所述的装置,其特征在于,所述装置还包括:
    第一移除模块,用于当所述第一更新通知指示从所述客户端订阅管理簇中删除第三客户端设备的标识信息时,移除与所述第三客户端设备对应的订阅关系。
  80. 根据权利要求74至76任一所述的装置,其特征在于,所述装置还包括:
    第一发送模块,用于在所述接收模块接收源节点发送的订阅权限信息之前,向所述源节点发送客户端信息获取请求;所述客户端信息获取请求用于单次请求所述订阅权限信息;
    所述接收模块,用于接收所述源节点发送的客户端信息获取响应;所述客户端信息获取响应中包含所述权限订阅信息;所述权限订阅信息由所述源节点根据所述源节点中的客户端订阅管理簇生成。
  81. 根据权利要求74至76任一所述的装置,其特征在于,所述装置还包括:
    第二发送模块,用于在所述接收模块接收源节点发送的订阅权限信息之前,向所述源节点发送客户端信息订阅请求;所述客户端信息订阅请求用于订阅所述订阅权限信息;
    所述接收模块,用于接收所述源节点发送的客户端信息订阅响应,所述客户端信息订阅响应用于指示是否订阅成功;
    所述接收模块,还用于在所述客户端信息订阅响应指示订阅成功的情况下,接收所述源节点发送的,包含所述权限订阅信息的客户端信息报告;所述权限订阅信息由所述源节点根据所述源节点中的客户端订阅管理簇生成。
  82. 根据权利要求81所述的装置,其特征在于,
    所述接收模块,还用于在所述代理设备成功订阅所述订阅权限信息的情况下,接收所述源节点发送的第二更新通知;所述第二更新通知是所述源节点在所述客户端订阅管理簇中与所述目标资源相对应的客户端订阅管理条目发生变更时发送的,所述第二更新通知用于指示与所述目标资源相对应的客户端订阅管理条目的变更情况。
  83. 根据权利要求82所述的装置,其特征在于,所述第二更新通知为包含第一变更信息的客户端信息报告;所述第一变更信息用于指示所述订阅权限信息的变更情况。
  84. 根据权利要求82或83所述的装置,其特征在于,所述装置还包括:
    第二移除模块,用于当所述第二更新通知指示从所述客户端订阅管理簇中删除第四客户端设备的标识信息时,移除与所述第四客户端设备对应的订阅关系。
  85. 根据权利要求74至76任一所述的装置,其特征在于,所述装置还包括:
    第三发送模块,用于在所述接收模块接收源节点发送的订阅权限信息之前,向所述源节点发送ACE获取请求;所述ACE获取请求用于单次请求所述订阅权限信息;
    所述接收模块,用于接收所述源节点发送的ACE获取响应;所述ACE获取响应中包含所述权限订阅信息;所述权限订阅信息由所述源节点根据所述源节点中的ACL簇生成。
  86. 根据权利要求74至76任一所述的装置,其特征在于,所述装置还包括:
    第四发送模块,用于在所述接收模块接收源节点发送的订阅权限信息之前,向所述源节点发送ACE订阅请求;所述ACE订阅请求用于订阅所述订阅权限信息;
    所述接收模块,用于接收所述源节点发送的ACE订阅响应,所述ACE订阅响应用于指示是否订阅成功;
    所述接收模块,还用于在所述ACE订阅响应指示订阅成功的情况下,接收所述源节点发送的,包含所述权限订阅信息的ACE报告;所述权限订阅信息由所述源节点根据所述源节点中的ACL簇生成。
  87. 根据权利要求86所述的装置,其特征在于,
    所述接收模块,还用于在所述代理设备成功订阅所述订阅权限信息的情况下,接收所述源节点发送的第三更新通知;所述第三更新通知是所述源节点在所述ACL簇中,具有对所述目标资源的订阅权限的客户端设备的标识信息发生变更时发送的,所述第三更新通知用于指示具有对所述源节点中的资源的订阅权限的客户端设备的标识信息的变更情况。
  88. 根据权利要求87所述的装置,其特征在于,所述第三更新通知为包含第二变更信息的ACE报告;所述第二变更信息用于指示所述订阅权限信息的变更情况。
  89. 根据权利要求87或88所述的装置,其特征在于,所述装置还包括:
    第三移除模块,用于当所述第三更新通知指示从所述客户端订阅管理簇中删除第五客户端设备的标识信息时,移除与所述第五客户端设备对应的订阅关系。
  90. 根据权利要求74至89任一所述的装置,其特征在于,所述装置还包括:
    关系建立模块,用于在接收到第六客户端设备发送的资源订阅请求,且所述订阅权限信息指示所述第六客户端设备具有对所述源节点中的所述目标资源的订阅权限时,建立所述第六客户端设备对所述目标资源进行订阅的订阅关系。
  91. 一种计算机设备,其特征在于,所述计算机设备包括处理器、存储器和收发器;
    所述存储器中存储有计算机程序,所述处理器执行所述计算机程序,以使得所述计算机设备实现如上述权利要求1至45任一所示的订阅权限信息处理方法。
  92. 一种计算机可读存储介质,其特征在于,所述存储介质中存储有计算机程序,所述计算机程序用于被处理器执行,以实现如权利要求1至45任一所示的订阅权限信息处理方法。
  93. 一种芯片,其特征在于,所述芯片用于在计算机设备中运行,以使得所述计算机设备执行如权利要求1至45任一所示的订阅权限信息处理方法。
  94. 一种计算机程序产品,其特征在于,所述计算机程序产品包括计算机指令,所述计算机指令存储在计算机可读存储介质中;计算机设备的处理器从所述计算机可读存储介质读取所述计算机指令,并执行所述计算机指令,使得所述计算机设备执行如权利要求1至45任一所示的订阅权限信息处理方法。
  95. 一种计算机程序,其特征在于,所述计算机程序由计算机设备的处理器执行,以实现如权利要求1至45任一所示的订阅权限信息处理方法。
PCT/CN2021/139321 2021-12-17 2021-12-17 订阅权限信息处理方法、装置、计算机设备及存储介质 WO2023108653A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202180103519.0A CN118140497A (zh) 2021-12-17 2021-12-17 订阅权限信息处理方法、装置、计算机设备及存储介质
PCT/CN2021/139321 WO2023108653A1 (zh) 2021-12-17 2021-12-17 订阅权限信息处理方法、装置、计算机设备及存储介质

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2021/139321 WO2023108653A1 (zh) 2021-12-17 2021-12-17 订阅权限信息处理方法、装置、计算机设备及存储介质

Publications (1)

Publication Number Publication Date
WO2023108653A1 true WO2023108653A1 (zh) 2023-06-22

Family

ID=86775345

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/139321 WO2023108653A1 (zh) 2021-12-17 2021-12-17 订阅权限信息处理方法、装置、计算机设备及存储介质

Country Status (2)

Country Link
CN (1) CN118140497A (zh)
WO (1) WO2023108653A1 (zh)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120117230A1 (en) * 2009-05-13 2012-05-10 Research In Motion Limited System and method for providing and managing a target list on behalf of a user agent client
CN103795689A (zh) * 2012-10-29 2014-05-14 中兴通讯股份有限公司 资源订阅方法及装置
CN110798471A (zh) * 2019-10-31 2020-02-14 宁波奥克斯电气股份有限公司 空调管理方法及相关装置
WO2020237548A1 (zh) * 2019-05-29 2020-12-03 Oppo广东移动通信有限公司 资源订阅方法、设备、服务器以及计算机存储介质
WO2021102691A1 (zh) * 2019-11-26 2021-06-03 Oppo广东移动通信有限公司 资源订阅方法、装置、计算机设备和存储介质

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120117230A1 (en) * 2009-05-13 2012-05-10 Research In Motion Limited System and method for providing and managing a target list on behalf of a user agent client
CN103795689A (zh) * 2012-10-29 2014-05-14 中兴通讯股份有限公司 资源订阅方法及装置
WO2020237548A1 (zh) * 2019-05-29 2020-12-03 Oppo广东移动通信有限公司 资源订阅方法、设备、服务器以及计算机存储介质
CN110798471A (zh) * 2019-10-31 2020-02-14 宁波奥克斯电气股份有限公司 空调管理方法及相关装置
WO2021102691A1 (zh) * 2019-11-26 2021-06-03 Oppo广东移动通信有限公司 资源订阅方法、装置、计算机设备和存储介质

Also Published As

Publication number Publication date
CN118140497A (zh) 2024-06-04

Similar Documents

Publication Publication Date Title
US11671328B2 (en) Systems and methods for network device management using device clustering
US11936743B2 (en) Device management services based on restful messaging
EP3493485B1 (en) Method, apparatus and system for notification
CN109417492B (zh) 一种网络功能nf管理方法及nf管理设备
US11246174B2 (en) Methods and systems for connecting a wireless device to a wireless network
WO2017157176A1 (zh) 一种资源分发方法及装置
US20230045914A1 (en) Method and apparatus for controlling device in internet of things, and gateway device and storage medium
WO2023005525A1 (zh) 设备控制权限的设置方法、装置、计算机设备和存储介质
WO2021134562A1 (zh) 配置设备更换方法、装置、设备及存储介质
WO2023108653A1 (zh) 订阅权限信息处理方法、装置、计算机设备及存储介质
WO2023201587A1 (zh) 设备控制方法、装置、设备及存储介质
WO2021249135A1 (zh) 获取mud文件的网络地址的方法、装置和存储介质
WO2022087796A1 (zh) Zigbee设备的属性订阅方法、装置及设备
WO2023092504A1 (zh) 订阅控制方法、装置、计算机设备及存储介质
WO2023082113A1 (zh) 对桥接设备进行配置的方法、装置、设备及存储介质
WO2023115584A1 (zh) 连接配置方法、连接建立方法、装置、设备及存储介质
WO2024031681A1 (zh) 设备绑定方法、装置、设备、存储介质及程序产品
WO2024103374A1 (zh) 用于代理订阅的处理方法、装置、计算机设备及存储介质
WO2024011634A1 (zh) 订阅消息处理方法、装置、设备、存储介质及程序产品
WO2024031682A1 (zh) 设备控制方法、装置、设备、存储介质及程序产品
WO2023184559A1 (zh) 设备共享方法、装置、设备、存储介质及程序产品
WO2023216035A1 (zh) 安全域管理方法、装置、设备、存储介质及程序产品
WO2023130405A1 (zh) 设备配置方法、装置、计算机设备及存储介质
WO2024031680A1 (zh) 设备解绑方法、装置、设备、存储介质及程序产品
WO2023115585A1 (zh) 订阅配置方法、装置、计算机设备及存储介质

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21967785

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 202180103519.0

Country of ref document: CN

NENP Non-entry into the national phase

Ref country code: DE