Question number :202206-3 The title of the test question : Role authorization The time limit :5.0s Memory limit :512.0MB Problem description :Students who want to check the real problems and solutions of other problems can go to check :CCF-CSP True problem with complete solution
In response to the national initiative to develop new infrastructure , West West iver data center has been built on West West iver island , Based on this, the company has operated sisi Aifu cloud . As the operation and maintenance party of the data center ,
The company attaches great importance to its network security management . as everyone knows , It is difficult to have both security and convenience , meanwhile ,
A confusing permission model may cause people to be granted unnecessary permissions , Thus causing safety risks . Therefore, I work in the network security department of West iver cloud company C
A scientific permission model is specially designed .
This security model divides the verification process into two steps . The first step is to verify the user's identity ( To identify ), The second step is to verify the user's permissions ( to grant authorization ). In the first step ,
First, verify whether a user is the identity claimed by the user . for example , By verifying the password provided by the user (Password) Whether it is right , Or verify whether the smart card provided by the user is legal and valid .
Next , In the authorization step , Permission policies are retrieved to determine whether a visiting user can operate a resource in the system .
In order to flexibly express the relationship between users and Authorization , Sisi evercloud has designed a simple and flexible authorization model : Role based authorization model . The idea is : First set up several roles ,
A list is indicated in each role , Indicates the types of resources that are allowed to be accessed 、 The name of the resource and the operation on the resource ; Then associate the user identified in the previous step with one or more roles .
What a user can do , Is the union of the allowed operations in all roles associated with it .
Small C It's up to you to implement the authorization model , I hope you can realize them .
user Represents an identified principal in the authorization model , The identification process is completed by the previous identification process . A user has the following elements :
An act to be authorized , Include the following elements :
Read
、Open
、Close
etc. ;Door
、File
etc. ; In a particular resource category , The resource name uniquely identifies a resource . It should be noted that , The subject information of an action to be authorized , That is, the user name and the user group to which they belong , It is completed by the identification process of the previous step . therefore , During each authorization process ,
Each behavior to be authorized will contain the information of the principal user and its associated user group . Due to other factors in the authentication process , Users with the same name may belong to different user groups in the two behaviors to be authorized ,
It is not possible to store or memorize every previous act to be authorized , The association between users and user groups , It should be judged independently according to the information given in each act to be authorized .
role Is the basic unit of this authorization model , It indicates what a user can do , The list of roles describes the actions allowed by the role . A role contains the following elements :
The process of determining whether a role can perform an operation on a resource is :
*
, Then the operation cannot be performed ;*
, Then the operation cannot be performed ; for example , Suppose there is a role Doorman
, The allowed operations are Open
and Close
, The resource types that are allowed to operate are Door
, The allowed resource names are FrontDoor
and BackDoor
.
If a user is associated with this role , Then the user can perform a query named FrontDoor
Of Door
perform Open
operation , But it can't be right BackDoor
Of Door
perform Delete
operation .
meanwhile , The operations allowed by a role can be represented by wildcards . for example , Another role Admin
, The allowed operations are *
, The resource types allowed to operate are *
, The list of allowed resource names is empty ,
Then all users associated with this role can perform any action . It is worth noting that , A list of actions for a role , You can only list the allowed operations of this role in the form of an allow list , You cannot prohibit a role from performing an operation .
Role Association Indicates the relationship between a user and one or more roles . A role Association contains the following elements :
The process of determining whether a user can perform an operation is :
thus it can be seen , A role association can associate a role with multiple users or user groups . for example , If there is a role Association , Its associated role name is Doorman
, The list of associated users and user groups is
user foo1
、 user foo2
、 User group bar
. Then these users will interact with Doorman
Role Association :
foo1
Users of , Belongs to the user group bar
;foo2
Users of , Belongs to the user group barz
;foo3
Users of , Belongs to the user group bar
and barz
. however , Belongs to the user group barz
The name is foo4
Users of cannot interact with Doorman
Role associations for .
From the above judgment rules, we can know , A user may be associated with multiple roles , under these circumstances , The operations allowed by the user are a collection of the operations allowed by these roles Combine .
Reading data from standard input .
The first line of input contains three positive integers n、m、q, Each represents the number of roles 、 The number of role associations and the number of operations to be checked .
Enter the next n In line , Each line represents a role , Include several elements separated by spaces , In turn :
Enter the next m In line , Each row represents a role Association , Include several elements separated by spaces , In turn :
u
or g
, It indicates that the authorization object is a user name or a user group name , The last string is user name or user group name .Enter the next q In line , Each line represents an action to be authorized , Include several elements separated by spaces , In turn :
Output to standard output .
Output q That's ok , Each line indicates whether an operation can be performed ,0
To indicate that it is impossible to execute ,1
Indicates that... Can be executed .
1 2 3
op 1 open 1 door 0
op 1 g sre
op 1 u xiaop
xiaoc 2 sre ops open door room302
xiaop 1 ops open door room501
xiaoc 2 sre ops remove door room302
1
1
0
In this case , Defines a name op
Role , Granted to any door
Type of object open
Authority to operate , Two points are defined at the same time op
Role associations for .
Be careful , You can define more than one role Association for a role . This example shows three behaviors to be authorized . among , The first act , The authorized principal user is xiaoc
,
The user group to which the user belongs sre
Be associated op
role , Therefore, the door opening action can be performed . In the second act , The authorized principal user is xiaop
,
The user is directly associated with op
role , Therefore, you can also open the door . In the third act , The authorized principal user is still xiaoc
, The associated role is still op
. however ,
because op
The role has not been granted remove
Authority to operate , So the action was rejected .
about 20% The data of , Yes n=m=1, And the roles given are similar to those used for examples in the body of the topic Admin
, Allow any operation , And nv=no=ns=ng=1、nn=0.
about 40% The data of , Yes 1≤n,m≤50, And nv=no=ns=1、ng≤40、nn=0.
about 70% The data of , Yes 1≤n,m≤50, And nv,no,ns,ng≤40、nn≤400.
about 100% The data of , Yes :
*
, Or contain only capital letters 、 Lowercase letters 、 Numbers (A-Za-z0-9
), And the number of characters shall not exceed 10.The real question comes from : Role authorization
Interested students can go in and practice
20 Sub topic solution :
n, m, q = map(int, input().split())
peoples = [[i for i in map(str,input().split())] for j in range(n)]
datas = [[i for i in map(str,input().split())] for j in range(m)]
points = [[i for i in map(str,input().split())] for j in range(q)]
for point in points:
temp = 0
for data in datas:
for people in peoples:
if data[2] == 'g':
if point[2] == data[3]:
temp = 1
if data[2] == 'u':
if point[0] == data[3]:
temp = 1
if temp == 1:
print(1)
else:
print(0)
Running results :
ccf-csp Practice column
https://blog.csdn.net/weixin_53919192/category_11828479.html?spm=1001.2014.3001.5482https://blog.csdn.net/weixin_53919192/category_11828479.html?spm=1001.2014.3001.5482