CN114302396B - Data management methods, devices, equipment, storage media and systems
Description
Technical field
This application relates to the field of communications, and in particular to a data management method, apparatus, device, storage medium and system.
Background
The unified data management (UDM) network element is one of the network elements of the fifth generation mobile communication technology (5G) core network. The UDM network element can be used to store users' subscription data and to perform authentication, among other functions. For example, the UDM network element can obtain the authentication information sent by a user equipment; when the authentication information sent by the user equipment matches the registration information pre-stored in the UDM network element, the UDM network element can determine that the user equipment has passed authentication. After authentication passes, the UDM network element can provide services to the user according to the service information in the user's subscription data. For example, the service information may include quality of service (QoS) information.
At present, some users need to build flexible production lines, and a flexible production line requires a high availability (HA) network. To provide users with a high-availability network, operators have proposed a distributed UDM system. A distributed UDM system may include a central UDM network element and edge UDM network elements. The central UDM network element and the multiple edge UDM network elements are connected in a star topology. Each edge UDM network element can obtain from the central UDM network element, and store, the registration information and subscription data of the users in the subnet corresponding to that edge UDM network element. Each edge UDM network element can then implement the UDM functions described above within its corresponding subnet, based on the registration information and subscription data of the users of that subnet.
However, in current distributed UDM systems there is a risk that the operator of an edge UDM network element maliciously disconnects the edge UDM network element from the central UDM network element and tampers without authorization with the users' registration information and subscription data stored in the edge UDM network element.
Summary of the invention
This application provides a data management method, apparatus, device and storage medium that can prevent the operator of an edge node from maliciously disconnecting the edge node from the central node and tampering with users' registration information without authorization, thereby improving the security of the UDM system.
In a first aspect, this application provides a data management method applied to a first node in a unified data management (UDM) system. The UDM system includes a central node and multiple edge nodes; each edge node is connected to the central node, and each edge node is connected to at least one other edge node among the multiple edge nodes; the first node is one of the multiple edge nodes. The method includes: the first node obtains authentication information of a first user, the first user being a user of the subnet corresponding to the first node; the first node broadcasts the authentication information of the first user; the first node receives first information sent by each of at least one second node, where a second node is at least one of the edge nodes other than the first node and the central node; the first information is generated by the second node after it checks, based on the authentication information of the first user and the registration information of the first user stored in the second node, whether the first user is a valid registered user, and indicates whether the authentication information of the first user passed the second node's check; the first node determines the authentication result of the first user based on the proportion, among all received first information, of first information indicating that the check passed, and a preset first proportion.
In one possible implementation, before the first node broadcasts the authentication information of the first user, the method further includes: the first node determines, based on the authentication information of the first user and the registration information of the first user stored in the first node, that the first user is a valid registered user.
In another possible implementation, the method further includes: when the central node and the edge node are disconnected, the first node receives registration information of the first user sent by an edge node other than the first node and/or entered by an administrator of the subnet corresponding to the first node, and stores the registration information of the first user.
In yet another possible implementation, the first node broadcasting the authentication information of the first user includes: the first node generates a block based on the authentication information of the first user, the block including the authentication information of the first user and the identity information of the first node, where the identity information of the first node is used by the second node to verify the identity of the first node; and the first node broadcasts the block.
In yet another possible implementation, the first node broadcasting the authentication information of the first user includes: the first node sends the authentication information of the first user to a third node, so that the third node generates a block based on the authentication information of the first user and broadcasts the block; the third node is an edge node other than the first node among the multiple edge nodes, or the central node.
In yet another possible implementation, the first node is connected to a first network device, and the first node stores the quality of service information of the users of the subnet corresponding to each edge node; the authentication result of the first user is either pass or fail. The method further includes: after determining that the first user is a valid registered user, the first node determines and records the quality of service information of the first user based on the quality of service information of the users of the subnet corresponding to each edge node; when the authentication result of the first user is pass, the first node sends the quality of service information of the first user to the first network device, so that the first network device provides service to the first user according to that quality of service information.
In yet another possible implementation, the first node is connected to a first network device, and the first node stores the quality of service information of the users of the subnet corresponding to each edge node; the authentication result of the first user is either pass or fail. The method further includes: the first node receives a first instruction sent by the central node, the first instruction ordering the first node to send basic quality of service information to the first network device when the authentication result of the first user is pass; the first instruction is sent by the central node when the number of other edge nodes connected to the first node is less than a preset number threshold. In response to the first instruction, when the authentication result of the first user is pass, the first node sends the basic quality of service information to the first network device, so that the first network device provides service to the first user according to the basic quality of service information.
In yet another possible implementation, there are multiple central nodes, and the multiple central nodes are connected to each other. That each edge node is connected to the central node means that each edge node is connected to one of the multiple central nodes; that the second node is the central node means that the second node is one of the multiple central nodes.
In the data management method provided by the embodiments of this application, the connections in the UDM system between central nodes, between a central node and an edge node, and between edge nodes all take a point-to-point (P2P) form; compared with the existing star connection, P2P connections are more robust. The central node and each edge node in the UDM system can store the registration information of the users of the subnet corresponding to every edge node. An edge node in the UDM system (for example, the first node described above) can obtain the authentication information of a user in its corresponding subnet and broadcast it. The other edge nodes or the central node in the UDM system (for example, the second node described above) can each check the user's authentication information against the registration information they store for the users of each edge node's subnet, generate first information, and send it to the edge node that broadcast the user's authentication information. The edge node that broadcast the user's authentication information can then determine the user's authentication result based on the first information. Because the broadcasting edge node can complete authentication normally only after receiving the first information that the other edge nodes derived by checking the user's authentication information, if the operator of an edge node maliciously disconnects that edge node from the central node in an attempt to tamper with users' registration information, the registration information held by the other edge nodes for the users of that edge node's subnet will differ from the tampered registration information, and the edge node will therefore not pass the authentication of a user whose registration information was tampered with. This improves the security of the UDM system.
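The following simulation, added here as an illustration and not code from the patent, walks through the first and second aspects end to end: the first node pre-checks locally, broadcasts a block carrying the user's authentication information plus its own identity information, the second nodes reply with first information, and the result is decided against the first proportion. The node names, the dict-based registry, the HMAC tag standing in for the identity information, and the `>=` comparison with the first proportion are assumptions made for the example; the patent only says the result is determined from the proportion and the preset first proportion.

```python
"""Consensus-based authentication in a distributed UDM system (added example).

Assumptions made here: node identity is proven by an HMAC tag under a per-node
key provisioned by the central node, the registry is a dict of user id to
credential, and authentication passes when the share of passing first
information is >= the preset first proportion.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample "registration information", replicated from the central
# node to every edge node.
REGISTRY = {"user-1": "secret-1", "user-2": "secret-2"}

# Constructed per-node identity keys (assumed to be provisioned centrally).
NODE_KEYS = {"central": b"k-central", "edge-A": b"k-A",
             "edge-B": b"k-B", "edge-C": b"k-C"}


@dataclass
class Block:
    """Broadcast unit: the user's authentication information plus the
    sender's identity information (here an HMAC tag keyed by the sender)."""
    sender: str
    user_id: str
    credential: str
    tag: bytes

    @staticmethod
    def _msg(sender: str, user_id: str, credential: str) -> bytes:
        return f"{sender}|{user_id}|{credential}".encode()

    @staticmethod
    def build(sender: str, user_id: str, credential: str) -> "Block":
        tag = hmac.new(NODE_KEYS[sender], Block._msg(sender, user_id, credential),
                       hashlib.sha256).digest()
        return Block(sender, user_id, credential, tag)

    def sender_is_valid(self) -> bool:
        """Second-node side: verify the first node's identity information."""
        key = NODE_KEYS.get(self.sender)
        if key is None:
            return False
        expected = hmac.new(key, Block._msg(self.sender, self.user_id, self.credential),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, self.tag)


@dataclass
class Node:
    name: str
    registry: Dict[str, str] = field(default_factory=lambda: dict(REGISTRY))
    peers: List["Node"] = field(default_factory=list)  # reachable second nodes

    def local_check(self, user_id: str, credential: str) -> bool:
        return self.registry.get(user_id) == credential

    def verify(self, block: Block) -> Optional[bool]:
        """Return the 'first information' (True = passed), or None when the
        block's identity information does not verify and the block is ignored."""
        if not block.sender_is_valid():
            return None
        return self.local_check(block.user_id, block.credential)

    def authenticate(self, user_id: str, credential: str,
                     first_proportion: float) -> Tuple[bool, float]:
        """First-node side. Returns (result, share of peers whose check passed)."""
        if not self.local_check(user_id, credential):   # optional pre-check
            return False, 0.0
        block = Block.build(self.name, user_id, credential)
        replies = [r for r in (p.verify(block) for p in self.peers) if r is not None]
        if not replies:
            # No first information received: authentication cannot complete.
            return False, 0.0
        share = sum(replies) / len(replies)
        return share >= first_proportion, share


def tampered_edge_scenario(first_proportion: float = 0.5) -> dict:
    """Rebuild the scenario from the summary: edge-A cuts its link to the
    central node, inserts a bogus user locally and tries to authenticate it."""
    central, b, c = Node("central"), Node("edge-B"), Node("edge-C")
    a = Node("edge-A", peers=[b, c])           # link to the central node is cut
    b.peers, c.peers = [central, a, c], [central, a, b]
    a.registry["intruder"] = "made-up"         # unauthorized local edit
    return {
        "legit": a.authenticate("user-1", "secret-1", first_proportion),
        "tampered": a.authenticate("intruder", "made-up", first_proportion),
        # A block whose identity tag does not verify is dropped by the peer.
        "forged_block": b.verify(Block("edge-A", "intruder", "made-up", b"\x00" * 32)),
    }


if __name__ == "__main__":
    print(tampered_edge_scenario())
```

The legitimate user passes with a share of 1.0, while the locally inserted user passes edge-A's own check but collects no passing first information from the peers, so the result is fail.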
In a second aspect, this application provides a data management apparatus that can be applied to the first node in the UDM system of the first aspect. The UDM system includes a central node and multiple edge nodes; each edge node is connected to the central node, and each edge node is connected to at least one other edge node among the multiple edge nodes; the first node is one of the multiple edge nodes. The apparatus may include an acquisition unit, a sending unit and a processing unit. The acquisition unit is configured to obtain authentication information of a first user, the first user being a user of the subnet corresponding to the first node. The sending unit is configured to broadcast the authentication information of the first user. The acquisition unit is further configured to receive first information sent by each of at least one second node, where a second node is at least one of the edge nodes other than the first node and the central node; the first information is generated by the second node after it checks, based on the authentication information of the first user and the registration information of the first user stored in the second node, whether the first user is a valid registered user, and indicates whether the authentication information of the first user passed the second node's check. The processing unit is configured to determine the authentication result of the first user based on the proportion, among all received first information, of first information indicating that the check passed, and a preset first proportion.
In one possible implementation, the processing unit is further configured to determine, before the sending unit broadcasts the authentication information of the first user, that the first user is a valid registered user, based on the authentication information of the first user and the registration information of the first user stored in the first node.
In another possible implementation, the acquisition unit is further configured to receive, when the central node and the edge node are disconnected, registration information of the first user sent by an edge node other than the first node and/or entered by an administrator of the subnet corresponding to the first node, and to store the registration information of the first user.
In yet another possible implementation, the sending unit is specifically configured to generate a block based on the authentication information of the first user, the block including the authentication information of the first user and the identity information of the first node, where the identity information of the first node is used by the second node to verify the identity of the first node; and to broadcast the block.
In yet another possible implementation, the sending unit is specifically configured to send the authentication information of the first user to a third node, so that the third node generates a block based on the authentication information of the first user and broadcasts it; the third node is an edge node other than the first node among the multiple edge nodes, or the central node.
In yet another possible implementation, the first node is connected to a first network device, and the first node stores the quality of service information of the users of the subnet corresponding to each edge node; the authentication result of the first user is either pass or fail. The processing unit is further configured to determine and record the quality of service information of the first user, after determining that the first user is a valid registered user, based on the quality of service information of the users of the subnet corresponding to each edge node. The sending unit is further configured to send the quality of service information of the first user to the first network device when the authentication result of the first user is pass, so that the first network device provides service to the first user according to that quality of service information.
In yet another possible implementation, the acquisition unit is further configured to receive a first instruction sent by the central node, the first instruction ordering the first node to send basic quality of service information to the first network device when the authentication result of the first user is pass; the first instruction is sent by the central node when the number of other edge nodes connected to the first node is less than a preset number threshold. The sending unit is further configured to, in response to the first instruction, send the basic quality of service information to the first network device when the authentication result of the first user is pass, so that the first network device provides service to the first user according to the basic quality of service information.
In yet another possible implementation, there are multiple central nodes, and the multiple central nodes are connected to each other. That each edge node is connected to the central node means that each edge node is connected to one of the multiple central nodes. That the second node is the central node means that the second node is one of the multiple central nodes.
In a third aspect, this application provides a data management method that can be applied to a second node in a UDM system. The UDM system includes a central node and multiple edge nodes; each edge node is connected to the central node, and each edge node is connected to at least one other edge node among the multiple edge nodes; the second node is at least one of the edge nodes other than the first node and the central node, where the first node is one of the multiple edge nodes. The method includes: the second node receives authentication information of a first user broadcast by the first node, the first user being a user of the subnet corresponding to the first node; the second node checks, based on the authentication information of the first user and the registration information of the first user stored in the second node, whether the first user is a valid registered user; the second node generates first information based on the result of that check, the first information indicating whether the second node passes or fails the authentication information of the first user; the second node sends the first information to the first node, so that the first node determines the authentication result of the first user based on the proportion, among all received first information, of first information indicating that the second node's check passed, and a preset first proportion.
In one possible implementation, the authentication information of the first user broadcast by the first node and received by the second node is sent by the first node after it has determined, based on the authentication information of the first user and the registration information of the first user stored in the first node, that the first user is a valid registered user.
In another possible implementation, when the central node and the edge node are disconnected, the registration information of the first user stored in the first node is sent by an edge node other than the first node and/or entered by an administrator of the subnet corresponding to the first node.
In yet another possible implementation, the second node receiving the authentication information of the first user broadcast by the first node includes: the second node receives a block broadcast by the first node, the block being generated by the first node based on the authentication information of the first user and including the authentication information of the first user and the identity information of the first node; the identity information of the first node is used by the second node to verify the identity of the first node.
In yet another possible implementation, the second node receiving the authentication information of the first user broadcast by the first node includes: the second node receives a block broadcast by a third node, the block being generated by the third node based on the authentication information of the first user after the first node has sent that authentication information to the third node; the block includes the authentication information of the first user and the identity information of the third node, which the central node and the edge nodes use to verify the identity of the third node; the third node is an edge node other than the first node among the multiple edge nodes, or the central node.
In yet another possible implementation, the second node stores the quality of service information of the users of the subnet corresponding to each edge node. After the second node checks, based on the authentication information of the first user and the registration information of the first user stored in the second node, whether the first user is a valid registered user, the method further includes: when the second node determines that the first user is a valid registered user, the second node determines and records the quality of service information of the first user based on the quality of service information, stored in the second node, of the users of the subnet corresponding to each edge node.
In yet another possible implementation, there are multiple central nodes, and the multiple central nodes are connected to each other. That each edge node is connected to the central node means that each edge node is connected to one of the multiple central nodes. That the second node is the central node means that the second node is one of the multiple central nodes.
In a fourth aspect, this application provides a data management apparatus that can be applied to the second node in the UDM system of the third aspect. The UDM system includes a central node and multiple edge nodes; each edge node is connected to the central node, and each edge node is connected to at least one other edge node among the multiple edge nodes; the second node is at least one of the edge nodes other than the first node and the central node, where the first node is one of the multiple edge nodes. The apparatus may include an acquisition unit, a processing unit and a sending unit. The acquisition unit is configured to receive authentication information of a first user broadcast by the first node, the first user being a user of the subnet corresponding to the first node. The processing unit is configured to check, based on the authentication information of the first user and the registration information of the first user stored in the second node, whether the first user is a valid registered user, and to generate first information based on the result of that check, the first information indicating whether the authentication information of the first user passed the second node's check. The sending unit is configured to send the first information to the first node, so that the first node determines the authentication result of the first user based on the proportion, among all received first information, of first information indicating that the second node's check passed, and a preset first proportion.
In one possible implementation, the authentication information of the first user broadcast by the first node and received by the second node is sent by the first node after it has determined, based on the authentication information of the first user and the registration information of the first user stored in the first node, that the first user is a valid registered user.
In another possible implementation, when the central node and the edge node are disconnected, the registration information of the first user stored in the first node is sent by an edge node other than the first node and/or entered by an administrator of the subnet corresponding to the first node.
In yet another possible implementation, the acquisition unit is specifically configured to receive a block broadcast by the first node, the block being generated by the first node based on the authentication information of the first user and including the authentication information of the first user and the identity information of the first node; the identity information of the first node is used by the second node to verify the identity of the first node.
In yet another possible implementation, the acquisition unit is specifically configured to receive a block broadcast by a third node, the block being generated by the third node based on the authentication information of the first user after the first node has sent that authentication information to the third node; the third node is an edge node other than the first node among the multiple edge nodes, or the central node.
In yet another possible implementation, the second node stores the quality of service information of the users of the subnet corresponding to each edge node. The processing unit is further configured to, when it determines that the first user is a valid registered user, determine and record the quality of service information of the first user based on the quality of service information, stored in the second node, of the users of the subnet corresponding to each edge node.
In yet another possible implementation, there are multiple central nodes, and the multiple central nodes are connected to each other. That each edge node is connected to the central node means that each edge node is connected to one of the multiple central nodes. That the second node is the central node means that the second node is one of the multiple central nodes.
In a fifth aspect, this application provides a data management method that can be applied to the central node in a UDM system. The UDM system includes a central node and multiple edge nodes; each edge node is connected to the central node, and each edge node is connected to at least one other edge node among the multiple edge nodes; each edge node corresponds one-to-one to the identity information of a first institution. The method includes: the central node obtains a system log set, which includes the edge nodes and the event information corresponding to each edge node. For each edge node, when the event information corresponding to that edge node in the system log set meets a preset condition, the central node determines that the edge node is a malicious node and generates a first request. The central node broadcasts the first request together with the first log corresponding to it; the first request requests that the identity information of the first institution corresponding to the malicious node be revealed, and the first log is the log in the system log set that records the event information corresponding to the malicious node. The central node obtains the edge nodes' votes on the first request. When the proportion of votes agreeing to the first request is greater than a preset second proportion, the central node broadcasts the identity information of the first institution corresponding to the malicious node named in the first request.
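As an added illustration of the fifth aspect (not code from the patent), the central node below scans a constructed system log set, flags an edge node whose events meet a preset condition, and reveals the corresponding institution only when the agreeing share of votes exceeds the second proportion. The log format, the event names, the concrete preset condition (at least two link-down events plus a local registry edit) and the institution mapping are all assumptions made for the example; the patent specifies only that the event information "meets the preset condition".

```python
"""Malicious-node reporting by the central node (added example).

Assumed here: logs are (edge node, event) pairs, the preset condition is
"at least `link_down_threshold` 'central_link_down' events and one
'registry_modified_locally' event", and the identity is revealed only when
the agreeing vote share is strictly greater than the second proportion.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed system log set as collected by the central node.
SYSTEM_LOGS: List[Tuple[str, str]] = [
    ("edge-A", "central_link_down"),
    ("edge-A", "registry_modified_locally"),
    ("edge-A", "central_link_down"),
    ("edge-B", "central_link_down"),       # one outage alone is not suspicious
    ("edge-B", "central_link_up"),
    ("edge-C", "auth_request"),
]

# Constructed one-to-one mapping from edge node to the operating institution
# ("first institution"); in the patent this is known to the central node.
INSTITUTIONS = {"edge-A": "Org-Alpha", "edge-B": "Org-Beta", "edge-C": "Org-Gamma"}

SUSPICIOUS_EVENTS = {"central_link_down", "registry_modified_locally"}


def find_malicious(logs: List[Tuple[str, str]],
                   link_down_threshold: int = 2) -> Dict[str, List[str]]:
    """Return {edge node: first log} for every edge node whose event
    information meets the (assumed) preset condition."""
    per_node: Dict[str, List[str]] = defaultdict(list)
    for node, event in logs:
        per_node[node].append(event)
    flagged: Dict[str, List[str]] = {}
    for node, events in per_node.items():
        downs = events.count("central_link_down")
        edited = "registry_modified_locally" in events
        if downs >= link_down_threshold and edited:
            # The "first log": the entries that justify the first request.
            flagged[node] = [e for e in events if e in SUSPICIOUS_EVENTS]
    return flagged


def reveal_if_approved(node: str, votes: Dict[str, bool],
                       second_proportion: float) -> Optional[str]:
    """Tally the edge nodes' votes on the first request and return the
    institution identity to broadcast, or None when the share is too low."""
    if not votes:
        return None
    agree_share = sum(votes.values()) / len(votes)
    if agree_share > second_proportion:
        return INSTITUTIONS[node]
    return None


def run(second_proportion: float = 0.66) -> Dict[str, Optional[str]]:
    """Full procedure over the constructed logs and a constructed vote set."""
    flagged = find_malicious(SYSTEM_LOGS)
    # Constructed votes returned by the other edge nodes on each first request.
    votes = {"edge-B": True, "edge-C": True, "edge-D": False}
    return {node: reveal_if_approved(node, votes, second_proportion)
            for node in flagged}


if __name__ == "__main__":
    print(find_malicious(SYSTEM_LOGS))
    print(run())
```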
第六方面,本申请提供一种数据管理装置,该装置可以应用于上述第五方面所述的UDM系统中的中心节点,UDM系统包括中心节点、以及多个边缘节点;每个边缘节点与中心节点连接,且每个边缘节点与多个边缘节点中的至少一个其他边缘节点连接;边缘节点与第一机构的身份信息一一对应。该装置包括:获取单元、处理单元、以及发送单元。获取单元,用于获取系统日志集,系统日志集包括边缘节点、以及边缘节点对应的事件信息。处理单元,用于对每一个边缘节点,当系统日志集中,边缘节点对应的事件信息满足预设条件时,确定边缘节点为恶意节点,并生成第一请求。发送单元,用于广播第一请求、以及第一请求对应的第一日志,第一请求用于请求揭示恶意节点对应的第一机构的身份信息,第一日志为系统日志集中记录了恶意节点对应的事件信息的日志。获取单元,还用于获取边缘节点对第一请求的投票。发送单元,还用于当投票中,同意第一请求的比例大于预设的第二比例时,广播第一请求对应的恶意节点所对应的第一机构的身份信息。In a sixth aspect, the present application provides a data management device, which can be applied to the central node in the UDM system described in the fifth aspect. The UDM system includes a central node and multiple edge nodes; each edge node is connected to the central node. The nodes are connected, and each edge node is connected to at least one other edge node among the plurality of edge nodes; the edge node has a one-to-one correspondence with the identity information of the first organization. The device includes: an acquisition unit, a processing unit, and a sending unit. The acquisition unit is used to acquire a system log set. The system log set includes edge nodes and event information corresponding to the edge nodes. The processing unit is used for each edge node, when the system logs are concentrated and the event information corresponding to the edge node meets the preset conditions, determine that the edge node is a malicious node, and generate a first request. The sending unit is used to broadcast the first request and the first log corresponding to the first request. The first request is used to request to reveal the identity information of the first organization corresponding to the malicious node. The first log is a system log that centrally records the correspondence of the malicious node. Log of event information. The acquisition unit is also used to obtain the vote of the edge node for the first request. 
The sending unit is also configured to broadcast the identity information of the first organization corresponding to the malicious node corresponding to the first request when the proportion agreeing to the first request is greater than the preset second proportion in the voting.
第七方面,本申请提供一种统一数据管理UDM系统,UDM系统包括中心节点、以及多个边缘节点;每个边缘节点与中心节点连接,且每个边缘节点与多个边缘节点中的至少一个其他边缘节点连接;第一节点获取第一用户的鉴权信息,第一用户为第一节点对应的子网的用户;第一节点是多个边缘节点中的一个;第一节点广播第一用户的鉴权信息;第二节点根据第一用户的鉴权信息、以及第二节点中存储的第一用户的注册信息,校验第一用户是否为有效注册用户;第二节点是多个边缘节点中除第一节点之外的节点或者中心节点;第二节点根据校验第一用户是否为有效注册用户的结果,生成第一信息;第一信息用于指示第一用户的鉴权信息是否通过第二节点的校验;第二节点向第一节点发送第一信息;第一节点根据指示通过第二节点校验的第一信息,在所有第一信息中的占比、以及预设的第一比例,确定第一用户的鉴权结果。In a seventh aspect, this application provides a unified data management UDM system. The UDM system includes a central node and multiple edge nodes; each edge node is connected to the central node, and each edge node is connected to at least one of the multiple edge nodes. Other edge nodes are connected; the first node obtains the authentication information of the first user, and the first user is a user of the subnet corresponding to the first node; the first node is one of multiple edge nodes; the first node broadcasts the first user authentication information; the second node verifies whether the first user is a valid registered user based on the authentication information of the first user and the registration information of the first user stored in the second node; the second node is a plurality of edge nodes A node or central node other than the first node; the second node generates the first information based on the result of verifying whether the first user is a valid registered user; the first information is used to indicate whether the first user's authentication information has passed Verification of the second node; the second node sends the first information to the first node; the first node passes the first information verified by the second node according to the instructions, the proportion of all the first information, and the preset third A ratio to determine the authentication result of the first user.
另外,本申请提供的统一数据管理UDM系统还可以执行上述第一方面中第一节点、上述第三方面中的第二节点、以及上述第五方面中的中心节点所执行的步骤,以实现上述第一方面中第一节点、上述第三方面中的第二节点、以及上述第五方面中的中心节点的全部功能,在此不再一一赘述。In addition, the unified data management UDM system provided by this application can also perform the steps performed by the first node in the first aspect, the second node in the third aspect, and the central node in the fifth aspect to achieve the above. All functions of the first node in the first aspect, the second node in the above-mentioned third aspect, and the central node in the above-mentioned fifth aspect will not be repeated here.
第八方面,本申请提供一种计算机程序产品,当该计算机程序产品在计算机上运行时,使得计算机执行上述第一方面、或者第三方面、又或者第五方面所述相关方法的步骤,以实现上述第一方面、或者第三方面、又或者第五方面所述的方法。In an eighth aspect, the present application provides a computer program product. When the computer program product is run on a computer, it causes the computer to execute the steps of the related method described in the first aspect, the third aspect, or the fifth aspect, so as to Implement the method described in the above first aspect, or the third aspect, or the fifth aspect.
第九方面,本申请提供一种网络设备,该网络设备包括:处理器和存储器;存储器存储有处理器可执行的指令;处理器被配置为执行指令时,使得网络设备实现上述第一方面、或者第三方面、又或者第五方面所述的方法。In a ninth aspect, the present application provides a network device, which includes: a processor and a memory; the memory stores instructions executable by the processor; when the processor is configured to execute the instructions, the network device implements the above first aspect, Or the method described in the third aspect, or the fifth aspect.
第十方面,本申请提供一种计算机可读存储介质,该计算机可读存储介质包括:计算机软件指令;当计算机软件指令在网络设备中运行时,使得网络设备实现上述第一方面、或者第三方面、又或者第五方面所述的方法。In a tenth aspect, the present application provides a computer-readable storage medium. The computer-readable storage medium includes: computer software instructions; when the computer software instructions are run in a network device, the network device enables the network device to implement the first aspect or the third aspect. aspect, or the method described in the fifth aspect.
上述第二方面至第十方面的有益效果可以参考第一方面所述,不再赘述。The beneficial effects of the above-mentioned second to tenth aspects can be referred to those described in the first aspect, and will not be described again.
Description of the drawings
In order to explain the embodiments of this application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of this application; a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Figure 1 is a schematic connection diagram of a distributed UDM system;
Figure 2 is a schematic connection diagram of the UDM system provided by this application;
Figure 3 is a schematic flow chart of the data management method provided by an embodiment of this application;
Figure 4 is another schematic flow chart of the data management method provided by an embodiment of this application;
Figure 5 is a schematic diagram of the block composition provided by an embodiment of this application;
Figure 6 is yet another schematic flow chart of the data management method provided by an embodiment of this application;
Figure 7 is a schematic diagram of another block composition provided by an embodiment of this application;
Figure 8 is a schematic diagram of yet another block composition provided by an embodiment of this application;
Figure 9 is a schematic composition diagram of the first node provided by an embodiment of this application;
Figure 10 is yet another schematic flow chart of the data management method provided by an embodiment of this application;
Figure 11 is yet another schematic flow chart of the data management method provided by an embodiment of this application;
Figure 12 is a schematic composition diagram of the data management device provided by an embodiment of this application;
Figure 13 is a schematic composition diagram of another data management device provided by an embodiment of this application;
Figure 14 is a schematic composition diagram of yet another data management device provided by an embodiment of this application;
Figure 15 is a schematic structural diagram of a network device provided by an embodiment of this application.
Detailed description
The technical solutions in the embodiments of this application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of this application without creative effort fall within the scope of protection of this application.
It should be noted that in the embodiments of this application, words such as "exemplarily" or "for example" are used to mean serving as an example, illustration, or explanation. Any embodiment or design described as "exemplary" or "for example" in the embodiments of this application should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of the words "exemplarily" or "for example" is intended to present the relevant concepts in a concrete manner.
To clearly describe the technical solutions of the embodiments of this application, the words "first", "second", and so on are used in the embodiments to distinguish between items that are the same or similar and have basically the same function and effect. A person skilled in the art will understand that words such as "first" and "second" do not limit quantity or execution order.
The unified data management (UDM) network element is one of the network elements in the core network of the fifth generation mobile communication technology (5G). A UDM network element can have a corresponding relationship with an operator; for example, UDM network elements can correspond one-to-one with operators. A UDM network element can be used to store users' subscription data and registration information, and to perform authentication based on the stored registration information.
For example, the UDM network element can obtain the authentication information sent by a user equipment. When the authentication information sent by the user equipment matches the registration information stored in the UDM network element, the UDM network element can determine that the user equipment has passed authentication. After authentication passes, the UDM network element can send the service information in the user's subscription data to a data plane network element, so that the data plane network element provides service to the user based on that service information. For example, the data plane network elements may include a data network (DN).
The service information may include quality of service (QoS) information.
For example, taking quality of service information that includes delay, throughput, and packet loss rate, a user's quality of service information may be as shown in Table 1 below.
Table 1

User     Delay     Throughput   Packet loss rate
User 1   < 1 ms    1 Gbps       < 10^-5
User 2   < 5 ms    1 Gbps       < 10^-5
User 3   < 10 ms   500 Mbps     < 10^-5
User 4   < 20 ms   300 Mbps     < 10^-4
User 5   < 25 ms   150 Mbps     < 10^-3

As shown in Table 1, a user's quality of service information may include delay, throughput, and packet loss rate. The users may include user 1, user 2, user 3, user 4, user 5, and so on.
The quality of service information corresponding to user 1 may include: delay less than ("<" means less than) 1 millisecond (ms), throughput of 1 gigabit per second (Gbps), and packet loss rate less than 10^-5. The quality of service information corresponding to user 2 may include: delay less than 5 ms, throughput of 1 Gbps, and packet loss rate less than 10^-5. The quality of service information corresponding to user 3 may include: delay less than 10 ms, throughput of 500 megabits per second (Mbps), and packet loss rate less than 10^-5. The quality of service information corresponding to user 4 may include: delay less than 20 ms, throughput of 300 Mbps, and packet loss rate less than 10^-4. The quality of service information corresponding to user 5 may include: delay less than 25 ms, throughput of 150 Mbps, and packet loss rate less than 10^-3.
A flexible production line is a production line made up of multiple adjustable machine tools linked together and equipped with automatic conveying devices. Flexible production lines rely on computer management, and computer management of a flexible production line requires a high availability (HA) network. To provide users with a high-availability network, operators have proposed the distributed UDM system. A distributed UDM system can include a central UDM network element and edge UDM network elements, with the central UDM network element connected to multiple edge UDM network elements in a star topology.
The central UDM network element can store the user registration information and subscription data of the subnet corresponding to each edge UDM network element. Each edge UDM network element can obtain from the central UDM network element, and store, the registration information and subscription data of the users in its own subnet. Each edge UDM network element can then implement the UDM network element functions described above within its subnet, based on the registration information and subscription data of the users of that subnet.
However, in current distributed UDM systems there is a risk that the operator of an edge UDM network element maliciously disconnects the edge UDM network element from the central UDM network element and tampers with the users' registration information and subscription data stored in the edge UDM network element.
By way of example, Figure 1 is a schematic connection diagram of a distributed UDM system. As shown in Figure 1, the distributed UDM system can include one central UDM network element (central UDM network element 1 is shown as an example in the figure) and multiple edge UDM network elements (eight are shown as an example in the figure, namely edge UDM network element 1, edge UDM network element 2, edge UDM network element 3, edge UDM network element 4, edge UDM network element 5, edge UDM network element 6, edge UDM network element 7, and edge UDM network element 8).
Edge UDM network elements 1 to 8 can each correspond to one subnet. Central UDM network element 1 can store the registration information and subscription data of the users of the subnets corresponding to edge UDM network elements 1 to 8. Edge UDM network elements 1 to 8 can each obtain from central UDM network element 1 the registration information and subscription data of the users of their own subnet, and authenticate the users of their own subnet based on that registration information and subscription data.
Taking edge UDM network element 1 as an example, where the users of the subnet corresponding to edge UDM network element 1 include user 1: the operator of edge UDM network element 1 can maliciously disconnect edge UDM network element 1 from central UDM network element 1 and tamper with the registration information of user 1 in edge UDM network element 1, so that user 1 can be authenticated against the tampered registration information and obtain the services corresponding to it.
Against this background, this application provides a data management method that can be applied to a UDM system. The UDM system can include one or more central UDM network elements and multiple edge UDM network elements. When there are multiple central UDM network elements, they can be connected to one another. Each edge UDM network element can be connected to one central UDM network element; for example, an edge UDM network element is connected to the adjacent central UDM network element. Each edge UDM network element can also be connected to one or more other edge UDM network elements; for example, to one or more adjacent edge UDM network elements. When there is only one central UDM network element, all edge UDM network elements can be connected to it.
The central UDM network element can store the user registration information and subscription data of the subnet corresponding to each edge UDM network element.
The edge UDM network elements can also store the user registration information and subscription data of the subnet corresponding to each edge UDM network element. For example, an edge UDM network element can obtain and store the user registration information and subscription data entered by the administrator of its subnet. As another example, an edge UDM network element can also obtain and store the user registration information and subscription data sent by the central UDM network element. As yet another example, an edge UDM network element can also obtain and store the registration information and subscription data of the users of the subnets corresponding to other edge UDM network elements, as sent by those other edge UDM network elements connected to it.
For a given edge UDM network element, the edge UDM network element can also obtain a user's authentication information and broadcast it to the other UDM network elements in the UDM system. The other UDM network elements can generate first information based on the user's authentication information and the registration information of that user stored in them. The edge UDM network element can receive the first information sent by the other UDM network elements and determine the user's authentication result from it.
For example, consider the flexible production line above. Edge UDM network element 1 corresponds to subnet 1, and subnet 1 corresponds to factory 1. Factory 1 includes machine tool 1, machine tool 2, machine tool 3, computer 1, computer 2, and computer 3. Computer 1 controls machine tool 1, computer 2 controls machine tool 2, and computer 3 controls machine tool 3. Producing product A requires machine tools 1 and 2, and producing product B requires machine tools 2 and 3. Suppose production switches from product A to product B; computers 2 and 3 then need to be re-authenticated. Computer 2 and computer 3 can each send an authentication request to edge UDM network element 1, carrying the authentication information of computer 2 and computer 3 respectively. Edge UDM network element 1 can authenticate computer 2 and computer 3. The authentication result can be pass or fail. When the authentication result is pass, computer 2 and computer 3 can access subnet 1 and control machine tool 2 and machine tool 3 respectively, so that machine tools 2 and 3 work together to produce product B.
The data management method provided by the embodiments of this application is described in detail below.
By way of example, Figure 2 is a schematic connection diagram of the UDM system provided by this application. As shown in Figure 2, the UDM system can include one or more central nodes (three are shown as an example, namely central node 1, central node 2, and central node 3) and multiple edge nodes (four are shown as an example, namely edge node 1, edge node 2, edge node 3, and edge node 4).
Central node 1, central node 2, and central node 3 can be connected to one another. Edge node 1 can be connected to central node 1 and edge node 2. Edge node 2 can be connected to central node 2, edge node 1, and edge node 3. Edge node 3 can be connected to central node 3, edge node 2, and edge node 4. Edge node 4 can be connected to central node 3 and edge node 3.
It should be noted that a central node may be the central UDM network element in Figure 1, and an edge node may be an edge UDM network element in Figure 1. A central node may also be a node within the central UDM network element; that is, a central UDM network element can consist of multiple central nodes. For example, again taking the UDM system of Figure 2, central node 1, central node 2, and central node 3 may also be three nodes within a single central UDM network element.
Optionally, the central nodes can belong to the operator, and the proportion of central nodes in the UDM system can be between 20% and 50%, to ensure the stability and trustworthiness of the UDM system.
Figure 3 is a schematic flow chart of the data management method provided by an embodiment of this application. As shown in Figure 3, the method may include S301 to S306.
S301. The first node obtains the authentication information of the first user.
The first node can be any edge node in the UDM system. The first user can be a user of the subnet corresponding to the first node.
S302. The first node broadcasts the authentication information of the first user.
Correspondingly, the second node can receive the authentication information of the first user broadcast by the first node.
The second node can be at least one of the edge nodes other than the first node and the central node.
S303. The second node verifies whether the first user is a valid registered user based on the authentication information of the first user and the registration information of the first user stored in the second node.
For example, when the authentication information of the first user matches the registration information of the first user stored in the second node, the second node can determine that the first user is a valid registered user. When the authentication information of the first user does not match the registration information of the first user stored in the second node, the second node can determine that the first user is not a valid registered user.
In one possible implementation, users' registration information can be stored directly in the central nodes and edge nodes of the UDM system. The second node can then verify whether the first user is a valid registered user directly from the authentication information of the first user and the stored registration information of the first user.
In another possible implementation, users' registration information can be stored encrypted in the central nodes and edge nodes of the UDM system. The second node verifying whether the first user is a valid registered user based on the authentication information of the first user and the registration information of the first user stored in the second node may then include: the second node decrypts the registration information of the first user; the second node verifies whether the first user is a valid registered user based on the authentication information of the first user and the decrypted registration information of the first user.
Optionally, the central nodes and edge nodes of the UDM system can encrypt users' registration information using the data encryption standard (DES) algorithm, the triple data encryption standard (3DES) algorithm, the international data encryption algorithm (IDEA), the digital signature algorithm (DSA), and so on. The embodiments of this application do not limit the specific encryption means used by the central nodes and edge nodes of the UDM system.
S304. The second node generates first information based on the result of verifying whether the first user is a valid registered user.
As described above, the result of the second node verifying whether the first user is a valid registered user can be that the first user is a valid registered user or that the first user is not a valid registered user. Correspondingly, the first information can indicate whether the second node passes or rejects the authentication information of the first user; in other words, the first information indicates whether the authentication information of the first user passed the second node's check.
S305. The second node sends the first information to the first node.
Correspondingly, the first node receives the first information sent by the second node.
It should be noted that there may be one or more second nodes sending first information to the first node. That is, "the second node sends the first information to the first node" can mean that at least one second node sends first information to the first node.
S306. The first node determines the authentication result of the first user based on the first information.
The authentication result of the first user can be pass or fail.
In one possible implementation, the first node determining the authentication result of the first user based on the first information may include: the first node determines the authentication result of the first user based on the first information and a preset first ratio.
The first ratio can be preset by an administrator; for example, the first ratio may be 50% or 70%. The embodiments of this application do not limit the specific value of the first ratio.
Optionally, as described above, the first information can indicate whether the second node passes or rejects the authentication information of the first user. The first node determining the authentication result of the first user based on the first information and the preset first ratio may include: the first node determines the authentication result of the first user based on the share, among all the first information received, of first information indicating that the second node's check was passed, and the preset first ratio.
By way of example, again taking the UDM system shown in Figure 2, suppose the first node is edge node 2 and the preset first ratio is 50%. The first information edge node 2 receives from edge node 1 indicates that the first user is not a valid registered user, the first information it receives from central node 2 indicates that the first user is a valid registered user, and the first information it receives from edge node 3 indicates that the first user is a valid registered user. Edge node 2 can then determine that the authentication result of the first user is pass, because the share of first information indicating that the first user is a valid registered user is 66.7%, which is greater than the preset first ratio of 50%.
By way of example, again taking the UDM system shown in Figure 2, suppose the first node is edge node 2 and the preset first ratio is 50%. The first information edge node 2 receives from edge node 1 indicates that the first user is not a valid registered user, the first information it receives from central node 2 indicates that the first user is not a valid registered user, and the first information it receives from edge node 3 indicates that the first user is a valid registered user. Edge node 2 can then determine that the authentication result of the first user is fail, because the share of first information indicating that the first user is a valid registered user is 33.3%, which is less than the preset first ratio of 50%.
示例性地,同样以上述图2所示的UDM系统为例,假设第一节点为边缘节点1,预设的第一比例为100%,中心节点1与边缘节点1之间的连接断开,边缘节点1接收到边缘节点2的第一信息中指示第一用户为有效注册用户。则边缘节点1可以根据指示第一用户为有效注册用户的第一信息的比例为100%,等于预设的第一比例100%,确定第一用户的鉴权结果为通过。Illustratively, taking the UDM system shown in Figure 2 above as an example, assuming that the first node is edge node 1, the preset first ratio is 100%, and the connection between center node 1 and edge node 1 is disconnected, The first information received by edge node 1 from edge node 2 indicates that the first user is a valid registered user. Then the edge node 1 may determine that the authentication result of the first user is passed based on the fact that the proportion of the first information indicating that the first user is a valid registered user is 100%, which is equal to the preset first proportion of 100%.
In the data management method provided by the embodiments of this application, the connections between central nodes, between central nodes and edge nodes, and between edge nodes in the UDM system all take point-to-point (P2P) form; compared with the existing star topology, P2P connections are more robust. The central nodes and every edge node in the UDM system may each store the registration information of the users of the subnet corresponding to every edge node. An edge node in the UDM system (for example, the first node described above) can obtain the authentication information of a user in its own subnet and broadcast it. The other edge nodes or central nodes in the UDM system (for example, the second node described above) can check that user's authentication information against the registration information they each store for the users of every edge node's subnet, generate the first information, and send it to the edge node that broadcast the user's authentication information. That edge node can then determine the user's authentication result based on the first information. The edge node that broadcast the user's authentication information can only complete normal authentication after receiving the first information that other edge nodes derived by checking that user's authentication information. When the operator of an edge node maliciously disconnects that edge node from the central node in an attempt to tamper with users' registration information without authorisation, the registration information for that edge node's subnet stored in the other edge nodes differs from the tampered registration information, so that edge node will not pass the authentication of a user whose registration information was tampered with. This improves the security of the UDM system.
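The threshold decision of S306, the three worked examples above and the tampering case described in the summary, as an added Python example (not code from the patent); node names, identities and credentials are constructed:

```python
"""Quorum-style authentication decision described in S302 to S306 (added example,
not the patent's own code). Node names, identities and credentials are constructed."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Tuple


@dataclass
class Node:
    """A UDM central or edge node holding registration info for every subnet."""
    name: str
    registrations: Dict[str, str]  # identity -> registered credential (constructed)
    reachable: bool = True         # False models a broken link to this node

    def check(self, auth_info: Tuple[str, str]) -> bool:
        """S303/S304: compare the authentication info with locally stored registration
        info; the boolean result is the 'first information' sent back in S305."""
        identity, credential = auth_info
        return self.registrations.get(identity) == credential


def collect_first_information(peers: List[Node], auth_info: Tuple[str, str]) -> Dict[str, bool]:
    """S302 to S305: broadcast the auth info and collect one vote per reachable peer."""
    return {p.name: p.check(auth_info) for p in peers if p.reachable}


def authentication_result(first_information: Dict[str, bool], first_ratio) -> bool:
    """S306: pass iff the share of 'valid' votes among all first information is at
    least first_ratio (the page's third example treats 100% == 100% as pass).
    With no peer replies there is no normal authentication, so the result is fail."""
    if not first_information:
        return False
    share = Fraction(sum(first_information.values()), len(first_information))
    return share >= first_ratio


def authenticate(first_node: Node, peers: List[Node], auth_info: Tuple[str, str], first_ratio) -> bool:
    """Full flow including the optional local pre-check before broadcasting."""
    if not first_node.check(auth_info):   # preliminary local judgement (optional step)
        return False
    votes = collect_first_information(peers, auth_info)
    return authentication_result(votes, first_ratio)


def run_page_scenarios() -> Dict[str, bool]:
    """Replays the three worked examples on the page plus the tampering case."""
    # Constructed registration data, replicated on every node as the page describes.
    reg = {"user1": "cred-A"}
    half, full = Fraction(1, 2), Fraction(1, 1)
    auth_user1 = ("user1", "cred-A")

    # Scenario 1: edge 1 votes invalid (stale copy), centre 2 and edge 3 vote valid -> 2/3 >= 1/2
    edge1_stale = Node("edge1", {"user1": "cred-OLD"})
    centre2, edge3 = Node("centre2", dict(reg)), Node("edge3", dict(reg))
    s1 = authentication_result(collect_first_information([edge1_stale, centre2, edge3], auth_user1), half)

    # Scenario 2: edge 1 and centre 2 vote invalid, edge 3 votes valid -> 1/3 < 1/2
    centre2_stale = Node("centre2", {"user1": "cred-OLD"})
    s2 = authentication_result(collect_first_information([edge1_stale, centre2_stale, edge3], auth_user1), half)

    # Scenario 3: link to centre 1 is down, only edge 2 replies valid -> 1/1 == 100%
    centre1_down = Node("centre1", dict(reg), reachable=False)
    edge2 = Node("edge2", dict(reg))
    s3 = authentication_result(collect_first_information([centre1_down, edge2], auth_user1), full)

    # Tampering case from the summary: edge 2's operator cuts the link to the centre and
    # rewrites its local record for user1. Its own pre-check passes, but the peers still
    # hold the original registration, so the quorum rejects the user.
    edge2_tampered = Node("edge2", {"user1": "cred-FORGED"})
    peers = [Node("centre1", dict(reg), reachable=False),
             Node("edge1", dict(reg)), Node("edge3", dict(reg))]
    s4 = authenticate(edge2_tampered, peers, ("user1", "cred-FORGED"), half)

    return {"scenario1": s1, "scenario2": s2, "scenario3": s3, "tampered": s4}
```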
Optionally, before the first node broadcasts the authentication information of the first user in S302, the first node may also make a preliminary judgement, based on the authentication information of the first user and the registration information of the first user stored in the first node, as to whether the first user is a valid registered user. Only after the first node has preliminarily judged that the first user is a valid registered user does it trigger the step of broadcasting the first user's authentication information. That is, before the first node broadcasts the authentication information of the first user, the method may further include: the first node determining, based on the authentication information of the first user and the registration information of the first user stored in the first node, that the first user is a valid registered user.
It should be noted that the first node's preliminary judgement, based on the authentication information of the first user and the registration information of the first user stored in the first node, as to whether the first user is a valid registered user may refer to the step in S303 above in which the second node checks whether the first user is a valid registered user based on the authentication information of the first user and the registration information of the first user stored in the second node; it is not described again here.
In the data management method provided by the embodiments of this application, after the first node obtains the authentication information of the first user, it may first make a preliminary judgement, based on the authentication information of the first user and the registration information of the first user stored in the first node, as to whether the first user is a valid registered user. After determining that the first user is a valid registered user, the first node triggers the step of broadcasting the first user's authentication information. The authentication information broadcast by the first node is then more likely to pass the check of the second node, which improves the overall efficiency with which the UDM system authenticates the first user.
Optionally, as described above, an edge node may obtain and store users' registration information and subscription data that are input by the administrator of the edge node's subnet or sent by other edge nodes. That is, when the central node and the edge nodes are disconnected, the first node may receive the first user's registration information and subscription data sent by an edge node other than the first node and/or input by the administrator of the subnet corresponding to the first node.
Similarly, when the central node and the edge nodes are disconnected, the second node may receive the first user's registration information and subscription data sent by the first node; the first user's registration information and subscription data sent by the first node may have been input into the first node by the administrator of the subnet corresponding to the first node and saved by the first node.
In the data management method provided by the embodiments of this application, when a central node fails, or the connection between a central node and an edge node fails, and there are newly registered users or existing users whose registration information needs to be changed, an edge node in the UDM system can obtain the registration information of the newly registered users or the changed registration information of existing users from the administrator and synchronise the update to the other edge nodes of the UDM system. After the update, newly registered users or existing users whose registration information changed can also be authenticated according to the process shown in Figure 3 above. This improves the overall availability of the UDM system.
In some possible embodiments, the central nodes and edge nodes in the UDM system described above may further be divided into a master node and slave nodes. There may be one master node. The slave nodes may include the edge nodes and central nodes in the UDM system other than the master node. The master node may generate a block based on the authentication information of the first user and broadcast it to the slave nodes. Each slave node may vote on the block according to its own result of judging whether the first user is a valid registered user. The first node may obtain the voting result and determine the authentication result of the first user based on it.
Optionally, the central nodes and edge nodes in the UDM system may take turns as master node according to a random queue. For example, a central node or an edge node in the UDM system (which may be called the queue node) may generate a random queue using a timestamp as the seed, and the central nodes and edge nodes in the UDM system then serve as master node in turn in the order of that random queue. After each central node and edge node in the UDM system has served as master node once in the order of the random queue, another node in the UDM system may again generate a new random queue using a timestamp as the seed, and the central nodes and edge nodes serve as master node in turn in the order of the new random queue, and so on cyclically.
In a possible implementation, the master node may be the first node. That is, the first node is the master node and the second nodes are slave nodes. Figure 4 is another schematic flowchart of the data management method provided by the embodiments of this application. As shown in Figure 4, when the first node serves as the master node, the method may include S401 to S407.
S401. The first node obtains the authentication information of the first user.
S401 may refer to S301 above and is not described again here.
S402. The first node generates a block based on the authentication information of the first user.
The block may include the authentication information of the first user and the identity information of the first node; the identity information of the first node is used by the second node to verify the identity of the first node.
For example, Figure 5 is a schematic diagram of the composition of a block provided by the embodiments of this application. As shown in Figure 5, the block generated by the first node may include a block header, block data, and block metadata. The block header may include the block number, the block hash, and the hash of the previous block. The block data may include the authentication information of the first user. The block metadata may include the identity information of the master node (the block creator, here the first node). The identity information of the master node may include the master node's certificate and the master node's digital signature, among others. A node's certificate may be assigned by the operator when the node is registered and installed, and is used to verify the node's identity. A digital signature corresponds to a particular node.
S403. The first node broadcasts the block.
It should be noted that S402 and S403 are one possible implementation of S302 above. In other words, the first node broadcasting the authentication information of the first user may include: the first node generating a block based on the authentication information of the first user, where the block includes the authentication information of the first user and the identity information of the first node, the identity information of the first node being used by the second node to verify the identity of the first node; and the first node broadcasting the block.
Correspondingly, the second node may receive the block broadcast by the first node.
S404. The second node checks whether the first user is a valid registered user based on the authentication information of the first user and the registration information of the first user stored in the second node.
S404 may refer to S303 above and is not described again here.
S405. The second node generates the first information based on the result of checking whether the first user is a valid registered user.
S405 may refer to S304 above and is not described again here.
S406. The second node sends the first information to the first node.
S406 may refer to S305 above and is not described again here.
It should be noted that, as described above, the master node may generate blocks and the slave nodes may vote on blocks. In S404 to S406, the second node checks whether the first user is a valid registered user based on the authentication information of the first user and the registration information of the first user stored in the second node, generates the first information based on the result of that check, and sends it to the first node; this can be regarded as a form of the second node (a slave node) voting on the block.
S407. The first node determines the authentication result of the first user based on the first information.
S407 may refer to S306 above and is not described again here.
In another possible implementation, the master node may be an edge node in the UDM system other than the first node, or a central node. For example, the third node is a node among the plurality of edge nodes other than the first node, or a central node; the third node is the master node, and all nodes in the UDM system other than the third node are slave nodes. Figure 6 is yet another schematic flowchart of the data management method provided by the embodiments of this application. As shown in Figure 6, when the third node serves as the master node, the method may include S601 to S608.
S601. The first node obtains the authentication information of the first user.
S601 may refer to S301 above and is not described again here.
S602. The first node sends the authentication information of the first user to the third node.
Optionally, the first node sending the authentication information of the first user to the third node may include: the first node sending the authentication information of the first user to the third node by means of a broadcast.
S603. The third node generates a block based on the authentication information of the first user.
The block generated by the third node may be as shown in Figure 5 above and is not described again here.
S604. The third node broadcasts the block.
It should be noted that S602 to S604 above are one possible implementation of S303 above. In other words, the first node broadcasting the authentication information of the first user may include: the first node sending the authentication information of the first user to the third node, so that the third node generates a block based on the authentication information of the first user and broadcasts the block.
Correspondingly, the second node may receive the block broadcast by the third node.
S605. The second node checks whether the first user is a valid registered user based on the authentication information of the first user and the registration information of the first user stored in the second node.
S605 may refer to S303 above and is not described again here.
S606. The second node generates the first information based on the result of checking whether the first user is a valid registered user.
S606 may refer to S304 above and is not described again here.
S607. The second node sends the first information to the first node.
It should be noted that, for reasons similar to those for S404 to S406 above, S605 to S607 can also be regarded as a form of the second node (a slave node) voting on the block.
It should also be noted that in S606 to S607 above, after the second node generates the first information based on the result of checking whether the first user is a valid registered user, it sends the first information directly to the first node to cast its vote.
Optionally, after generating the first information based on the result of checking whether the first user is a valid registered user, the second node may instead send the first information to the third node, and the third node forwards the first information sent by the second node to the first node to cast the vote.
S608. The first node determines the authentication result of the first user based on the first information.
S608 may refer to S306 above and is not described again here.
Optionally, when the proportion of passing votes in the slave nodes' votes on the block is greater than the preset first ratio, the master node (for example, the first node or the third node described above) may also add the block to the blockchain as the latest block.
In the data management method provided by the embodiments of this application, the edge nodes and central nodes in the UDM system may further be divided into a master node and slave nodes. The master node may generate a block based on the authentication information of the first user and broadcast it to the slave nodes. The block may include a block header, block data, and block metadata, and the block metadata may include the identity information of the block creator, so the edge nodes and central nodes in the UDM system can supervise the authentication of the first user based on the identity information of the block creator carried in the block, which improves the overall security of the UDM system.
In addition, each slave node may vote on the block according to its own result of judging whether the first user is validly registered. The master node may aggregate the slave nodes' votes. The first node may obtain the voting result and determine the authentication result of the first user based on it. The authentication process is combined with the consensus process, and the consensus process consists only of generating a block and voting on the block; compared with the consensus process of the conventional practical Byzantine fault tolerance (PBFT) algorithm, the consensus process of this application has fewer steps.
It should be noted that, with the first node obtaining the authentication information of the first user in S301 and broadcasting it in S302, any second node may also obtain the authentication information of the first user. That is, after the first node determines that the first user is a valid registered user, every central node and edge node in the UDM system can obtain the authentication information of the first user.
Optionally, after obtaining the authentication information of the first user, the central nodes and edge nodes in the UDM system may record it in a temporary ledger. The master node generating a block based on the authentication information of the first user may include: the master node generating the block based on the authentication information of the first user recorded in the temporary ledger.
In a possible implementation, a block may contain the authentication information of a single user. That is, as soon as the master node obtains the authentication information of the first user and records it in the temporary ledger, it may trigger the step of generating a block based on that authentication information. Figure 7 is a schematic diagram of another block composition provided by the embodiments of this application. As shown in Figure 7, again taking the block composition shown in Figure 5 above as an example and assuming that the first user is user 1, the block data in the block generated by the master node may include the authentication information of user 1.
In another possible implementation, a block may contain the authentication information of multiple users: when the time difference between the current time and the generation time of the previous block reaches a first period, the master node triggers the step of generating a block based on the authentication information of the first user. That is, the master node generating a block based on the authentication information of the first user recorded in the temporary ledger may include: the master node generating the block based on the authentication information of the first user recorded in the temporary ledger within the first period. Figure 8 is a schematic diagram of yet another block composition provided by the embodiments of this application. As shown in Figure 8, again taking the block composition shown in Figure 5 above as an example, assume that the users' authentication information recorded in the master node's temporary ledger within the first period includes the authentication information of user 1, user 2, user 3 and user 4; the block data in the block that the master node generates from the authentication information recorded in the temporary ledger within the first period may then include the authentication information of user 1, user 2, user 3 and user 4.
The first period may be preset by an administrator. For example, the first period is 1 second, 2 seconds, or the like. The embodiments of this application do not limit the specific length of the first period.
In the data management method provided by the embodiments of this application, after the first node broadcasts the authentication information of the first user, every node in the UDM system can obtain it and record it in the temporary ledger. The master node can generate a block based on the authentication information of the first user recorded in the temporary ledger within the first period, which avoids generating blocks and voting on blocks too frequently and improves the overall efficiency with which the UDM system authenticates users.
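The block layout of Figures 5, 7 and 8, the first-period batching from the temporary ledger, and the slave-side identity check on a received block, as an added Python example (not code from the patent). The HMAC stands in for the node's digital signature, and certificates, keys, credentials and clock values are constructed:

```python
"""Block composition of Figures 5, 7 and 8 and first-period batching from the temporary
ledger (added example, not the patent's own code). Certificates, keys, credentials and
timing values are constructed; the HMAC stands in for the node's digital signature."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional

GENESIS_HASH = "0" * 64

@dataclass(frozen=True)
class AuthInfo:
    identity: str
    credential: str

@dataclass
class Block:
    number: int            # block header: block number
    prev_hash: str         # block header: previous block hash
    hash: str              # block header: block hash
    data: List[AuthInfo]   # block data: one or more users' authentication info
    creator_cert: str      # block metadata: certificate of the master node
    signature: str         # block metadata: signature of the master node

def block_digest(number: int, prev_hash: str, data: List[AuthInfo]) -> str:
    """Deterministic hash over header fields and block data so peers can recompute it."""
    body = json.dumps({"n": number, "p": prev_hash,
                       "d": [[a.identity, a.credential] for a in data]}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def verify_block(block: Block, chain_tip_hash: str, known_keys: Dict[str, bytes]) -> bool:
    """Slave-node checks before voting: known creator certificate, valid signature,
    hash recomputes, and the block links to the current chain tip."""
    key = known_keys.get(block.creator_cert)
    if key is None:
        return False
    expected = hmac.new(key, block.hash.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, block.signature):
        return False
    if block_digest(block.number, block.prev_hash, block.data) != block.hash:
        return False
    return block.prev_hash == chain_tip_hash

class MasterNode:
    """Records broadcast auth info in a temporary ledger and cuts one block per first period."""

    def __init__(self, cert: str, key: bytes, first_period: float):
        self.cert, self._key, self.first_period = cert, key, first_period
        self.temp_ledger: List[AuthInfo] = []
        self.chain: List[Block] = []
        self.last_block_time = 0.0  # constructed clock, seconds

    def record(self, info: AuthInfo) -> None:
        self.temp_ledger.append(info)

    def maybe_generate(self, now: float) -> Optional[Block]:
        """Return a block only once first_period has elapsed since the previous block
        (Figure 8); with first_period == 0 each recorded entry yields its own block (Figure 7)."""
        if now - self.last_block_time < self.first_period or not self.temp_ledger:
            return None
        data, self.temp_ledger = self.temp_ledger, []
        number = len(self.chain)
        prev = self.chain[-1].hash if self.chain else GENESIS_HASH
        digest = block_digest(number, prev, data)
        sig = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
        self.last_block_time = now
        return Block(number, prev, digest, data, self.cert, sig)

    def accept_block(self, block: Block, vote_share: Fraction, first_ratio: Fraction) -> bool:
        """Append the block as the latest block only if the passing vote share exceeds
        the preset first ratio, as the page states for adding a block to the chain."""
        tip = self.chain[-1].hash if self.chain else GENESIS_HASH
        if vote_share > first_ratio and block.prev_hash == tip:
            self.chain.append(block)
            return True
        return False

def demo() -> Dict[str, object]:
    master = MasterNode(cert="cert:edge1", key=b"constructed-key-edge1", first_period=2.0)
    known_keys = {"cert:edge1": b"constructed-key-edge1"}
    master.record(AuthInfo("user1", "cred-A"))
    master.record(AuthInfo("user2", "cred-B"))
    early = master.maybe_generate(now=1.0)          # 1.0 s elapsed < 2.0 s: no block yet
    master.record(AuthInfo("user3", "cred-C"))
    master.record(AuthInfo("user4", "cred-D"))
    block = master.maybe_generate(now=2.0)          # period reached: one block with 4 entries
    valid = verify_block(block, GENESIS_HASH, known_keys)
    # A block claiming an unknown creator certificate must be rejected by peers.
    forged = Block(block.number, block.prev_hash, block.hash, block.data,
                   "cert:unknown", block.signature)
    forged_valid = verify_block(forged, GENESIS_HASH, known_keys)
    accepted = master.accept_block(block, Fraction(2, 3), Fraction(1, 2))
    return {"early": early, "entries": len(block.data), "valid": valid,
            "forged_valid": forged_valid, "accepted": accepted, "chain_len": len(master.chain)}
```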
In some possible embodiments, the first node also stores the quality of service information of the users of the subnet corresponding to each edge node. After the first node determines that the first user is a valid registered user, the first node may further determine the quality of service information of the first user based on the quality of service information, stored in the first node, of the users of the subnet corresponding to each edge node, and record it. Similarly, after the second node determines that the first user is a valid registered user, the second node may further determine the quality of service information of the first user based on the quality of service information, stored in the second node, of the users of the subnet corresponding to each edge node, and record it.
For example, taking the first node as an example, the authentication information of the first user may include the identity of the first user. The identity of the first user may correspond one-to-one with the quality of service information of the first user. When the first node determines that the authentication result of the first user is pass, the first node may look up, using the identity of the first user, the quality of service information of the users of the subnet corresponding to each edge node stored in the first node, determine the quality of service information of the first user, and record it.
In the data management method provided by the embodiments of this application, after the first node determines that the first user is a valid registered user, the first node may further determine the first user's quality of service information based on the quality of service information stored in the first node and record it. After the second node determines that the first user is a valid registered user, the second node may determine the first user's quality of service information based on the quality of service information stored in the second node and record it. The second node can thus act as a third party that records and supervises the first user's quality of service information, and when the first user has doubts about the quality of service actually received, the quality of service information recorded separately by the first node and the second node can be used to corroborate it, which improves the transparency and credibility of the service.
Optionally, the steps performed by the first node described above may be performed by functional modules within the first node. Figure 9 is a schematic diagram of the composition of the first node provided by the embodiments of this application. As shown in Figure 9, the first node may include a service manager module. The first node obtaining the authentication information of the first user may include: the service manager module in the first node obtaining the authentication information of the first user. For example, when the first user's terminal device accesses the subnet corresponding to the first node, it connects to the service manager module and sends the first user's authentication information to the first node through the service manager module.
Optionally, the edge nodes in the UDM system may also be connected to network elements of the data plane. When the first node determines that the authentication result of the first user is pass, the first node may send the quality of service information of the first user to the data-plane network element, so that the data-plane network element provides service to the first user according to the first user's quality of service information.
For example, the data-plane network element may be deployed on a first network device. The first node sending the quality of service information of the first user to the data-plane network element when it determines that the authentication result of the first user is pass, so that the data-plane network element provides service to the first user according to the first user's quality of service information, may include: when the first node determines that the authentication result of the first user is pass, the first node sends the quality of service information of the first user to the first network device, so that the first network device provides service to the first user according to the first user's quality of service information.
又例如,第一节点可以通过服务管理模块向第一网络设备发送第一用户的签约数据中的服务质量信息,以使得第一网络设备根据第一用户的签约数据中的服务质量信息为第一用户提供服务。For another example, the first node may send the service quality information in the first user's subscription data to the first network device through the service management module, so that the first network device provides the first service quality information based on the service quality information in the first user's subscription data. Users provide services.
示例性地,数据平面的网元可以包括数据网络(data network,DN)。For example, the network element of the data plane may include a data network (DN).
一些可能的实施例中,在第一节点向第一网络设备发送第一用户的服务质量信息,以使得第一网络设备根据第一用户的服务质量信息为第一用户提供服务之前,中心节点还可以获取第一节点连接的其他边缘节点(除第一节点之外的边缘节点)的数量。当第一节点连接的其他边缘节点的数量小于预设的数量阈值时,中心节点可以控制第一节点向第一网络设备发送基础服务质量信息,以使得第一网络设备根据基础服务质量信息为第一用户提供服务。In some possible embodiments, before the first node sends the first user's quality of service information to the first network device, so that the first network device provides services to the first user based on the first user's quality of service information, the central node also The number of other edge nodes (edge nodes other than the first node) connected to the first node can be obtained. When the number of other edge nodes connected to the first node is less than the preset quantity threshold, the central node may control the first node to send basic service quality information to the first network device, so that the first network device provides the first network device with basic service quality information based on the basic service quality information. A user provides services.
其中,数量阈值可以由运营商预设。例如,数量阈值为3个、或者4个等。本申请实施例对数量阈值的具体数值不作限制。The quantity threshold can be preset by the operator. For example, the quantity threshold is 3, or 4, etc. The embodiments of this application do not limit the specific numerical value of the quantity threshold.
In one possible implementation, the step in which the central node obtains the number of other edge nodes connected to the first node may be performed before S301. Figure 10 is another schematic flowchart of the data management method provided by an embodiment of the present application. As shown in Figure 10, the method may include the following parts: registration of a new edge node, startup of the new edge node, establishment of a P2P connection between the new edge node and the old edge nodes, establishment of a P2P connection between the new edge node and the central node, synchronization of user registration information, updating of node connection status, receiving of user authentication information, and completion of user authentication.
1. Registration of the new edge node:
A first organization may apply to the operator for a new edge node according to the identity information of the first organization. When the new edge node is installed for the first time, it can obtain a certificate assigned by the operator according to the identity information of the first organization. The certificate corresponds one-to-one to the identity information of the first organization and is used to verify the identity of the node and of the first organization. The central node in the UDM system may store the identity information of the first organization.
The first organization may be any unit or individual.
Illustratively, the identity information of the first organization may be as shown in Table 2 below.
Table 2
Edge node      Certificate      Identity information of the first organization
Edge node 1    Certificate 1    Identity information 1
Edge node 2    Certificate 2    Identity information 2
Edge node 3    Certificate 3    Identity information 3
As shown in Table 2, the table may include an edge node column, a certificate column, and a column for the identity information of the first organization. The edge node column may include edge node 1, edge node 2, edge node 3, and so on. The certificate column may include certificate 1, certificate 2, certificate 3, and so on. The identity information column may include identity information 1, identity information 2, identity information 3, and so on. Edge node 1, certificate 1 and identity information 1 correspond to one another; edge node 2, certificate 2 and identity information 2 correspond to one another; edge node 3, certificate 3 and identity information 3 correspond to one another.
2. Startup of the new edge node:
After the new edge node is installed for the first time, it can be started for the first time and accept configuration from the administrator.
3. Establishment of a P2P connection between the new edge node and the old edge nodes:
After the new edge node is started for the first time and has accepted the administrator's configuration, it can establish P2P connections with the old edge nodes of other geographically adjacent subnets. For example, edge nodes in the same urban district, the same city or the same province, or edge nodes whose straight-line distance is less than a preset distance threshold, may be regarded as geographically adjacent. The embodiments of the present application do not limit the specific criterion for geographical adjacency.
4. Establishment of a P2P connection between the new edge node and the central node:
The new edge node can obtain the network topology information of the P2P connections it established with the old edge nodes of other geographically adjacent subnets after its first startup; the new edge node can send its own certificate and this network topology information to the central node. After the central node verifies the certificate of the new edge node, the P2P connection between the new edge node and the central node can be established.
It can be understood that the number of other edge nodes connected to the first node, obtained by the central node as described above, may be obtained by the central node from the network topology information sent by the first node to the central node when the first node establishes its P2P connection with the central node.
5. Synchronization of user registration information:
As described above, an edge node in the UDM system can obtain the registration information of users of the subnets corresponding to other edge nodes, and the subscription data of users of the operator network, from the administrator, the central node, and the other edge nodes connected to it; edge nodes in the UDM system can periodically synchronize and update user registration information with one another.
6. Updating node connection status:
Nodes connected to each other in the UDM system can send heartbeat packets to each other at regular intervals to periodically check whether the connection is normal. When an edge node fails to receive the heartbeat packets sent by another edge node connected to it, the edge node can determine that the connection to the edge node whose heartbeat packets were not received has failed, and report the certificate of that edge node to the central node.
It can be understood that the number of other edge nodes connected to the first node, obtained by the central node as described above, may also be obtained from the certificates reported by edge nodes in the UDM system for the edge nodes whose heartbeat packets could not be received normally.
7. Receiving the user authentication request:
As described in S301 above; details are not repeated here.
8. Completing user authentication:
As described in the embodiments shown in Figure 3, Figure 4 and Figure 6; details are not repeated here.
Optionally, as described above, the authentication result of the first user determined by the first node according to the first information may be pass or fail. When the number of other edge nodes connected to the first node is less than the preset quantity threshold, the central node may send a first instruction to the first node. The first instruction is used to instruct the first node, when the authentication result of the first user is pass, to send basic quality of service information to the first network device, so that the first network device provides service to the first user according to the basic quality of service information.
For example, when the number of other edge nodes connected to the first node is less than the preset quantity threshold, the central node sends the first instruction to the service manager module in the first node. The service manager module can receive the first instruction. The service manager module may further be used to respond to the first instruction: when the first node determines that the authentication result of the first user is pass, it sends basic quality of service information to the first network device, so that the first network device provides service to the first user according to the basic quality of service information.
In the data management method provided by the embodiments of the present application, the central node can obtain the number of other edge nodes connected to the first node. When the first node determines that the authentication result of the first user is pass and the number of other edge nodes connected to the first node is less than the preset quantity threshold, the central node can control the first node to send basic quality of service information to the first network device, so that the first network device provides service to the first user according to the basic quality of service information. When the number of other edge nodes connected to the first node is too small, there is a risk that the subnet operator maliciously disconnects the edge node from the other edge nodes and the central node and tampers with users' quality of service information without authorization. Limiting the quality of service information of users of the subnet corresponding to the first node in this case can prevent the subnet operator from maliciously disconnecting the edge node from the other edge nodes and the central node and tampering with quality of service information, thereby improving the security of the UDM system.
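The quantity-threshold control described in parts 4 and 6 above and in the paragraphs on the first instruction can be made concrete with a small simulation. The following Python is an added example and is not code from the patent or from any implementation of it: it shows the central node deriving an edge node's count of connected peers from the topology information reported at P2P setup and from heartbeat-failure reports, issuing the first instruction when the count drops below the quantity threshold, and the first node's service manager then forwarding basic quality of service information instead of the user's subscribed information. The class and function names, the thresholds, the first-proportion voting rule and all sample data are assumptions constructed for the illustration.

```python
"""Added example (not from the patent): the quantity-threshold control.

The central node keeps a connectivity view of the edge nodes, keyed by
certificate, built from topology reports (part 4) and heartbeat-failure reports
(part 6). When an edge node's peer count falls below QUANTITY_THRESHOLD the
centre issues the "first instruction", and that node's service manager falls
back to basic QoS for authenticated users. All names, thresholds and sample
data are assumptions constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

QUANTITY_THRESHOLD = 3     # operator preset; the patent gives 3 or 4 as examples
FIRST_PROPORTION = 0.5     # preset first proportion for the vote on first information

# Constructed basic QoS used whenever the first instruction is in force.
BASIC_QOS = {"max_downlink_kbps": 1_000, "max_uplink_kbps": 500}


class CentralNode:
    """Connectivity view: certificate -> set of connected edge certificates."""

    def __init__(self):
        self.links = {}

    def register_topology(self, cert: str, peers: list) -> None:
        """Part 4: a new edge node reports its P2P peers when connecting to the centre."""
        self.links.setdefault(cert, set()).update(peers)
        for p in peers:                       # P2P links are symmetric
            self.links.setdefault(p, set()).add(cert)

    def report_heartbeat_failure(self, reporter: str, failed_peer: str) -> None:
        """Part 6: an edge node reports the certificate of a peer whose heartbeats stopped."""
        self.links.get(reporter, set()).discard(failed_peer)
        self.links.get(failed_peer, set()).discard(reporter)

    def other_edge_count(self, cert: str) -> int:
        return len(self.links.get(cert, set()))

    def first_instruction_needed(self, cert: str) -> bool:
        """True when the edge node has fewer connected peers than the threshold."""
        return self.other_edge_count(cert) < QUANTITY_THRESHOLD


def authentication_result(first_information: list) -> str:
    """First node's rule: pass when the share of first information that indicates
    a passed check at a second node exceeds the preset first proportion."""
    if not first_information:
        return "fail"
    share = sum(first_information) / len(first_information)
    return "pass" if share > FIRST_PROPORTION else "fail"


@dataclass
class ServiceManager:
    """Service manager module of the first node (Figure 9 in the patent)."""
    qos_table: dict                        # user identity -> subscribed QoS
    first_instruction: bool = False        # set when the central node sends it
    sent: list = field(default_factory=list)   # what went to the first network device

    def receive_first_instruction(self) -> None:
        self.first_instruction = True

    def serve(self, user_id: str, first_information: list) -> Optional[dict]:
        """Return the QoS forwarded to the first network device, or None if auth fails."""
        if authentication_result(first_information) != "pass":
            return None
        qos = BASIC_QOS if self.first_instruction else self.qos_table[user_id]
        self.sent.append((user_id, qos))
        return qos


def run_scenario():
    """Walk through the healthy and the degraded branch with constructed data.
    Returns (healthy peer count, QoS sent, degraded peer count, QoS sent)."""
    centre = CentralNode()
    # Constructed topology: edge node cert-1 connects to three old edge nodes.
    centre.register_topology("cert-1", ["cert-2", "cert-3", "cert-4"])
    sm = ServiceManager(qos_table={"user-A": {"max_downlink_kbps": 50_000,
                                              "max_uplink_kbps": 20_000}})
    votes = [True, True, False]            # first information from three second nodes

    healthy_count = centre.other_edge_count("cert-1")          # 3, not below threshold
    if centre.first_instruction_needed("cert-1"):
        sm.receive_first_instruction()
    healthy_qos = sm.serve("user-A", votes)                    # subscribed QoS

    # Two peers stop answering heartbeats and are reported to the centre.
    centre.report_heartbeat_failure("cert-1", "cert-2")
    centre.report_heartbeat_failure("cert-1", "cert-3")
    degraded_count = centre.other_edge_count("cert-1")         # 1, below threshold
    if centre.first_instruction_needed("cert-1"):
        sm.receive_first_instruction()
    degraded_qos = sm.serve("user-A", votes)                   # basic QoS
    return healthy_count, healthy_qos, degraded_count, degraded_qos


if __name__ == "__main__":
    print(run_scenario())
```

The point of the second branch is that the downgrade is decided by the central node from evidence it receives independently of the edge node (its peers' heartbeat reports), so an edge node that isolates itself cannot keep handing out its own quality of service values.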
As described above, a first organization may apply to the operator for a new edge node according to the identity information of the first organization. When the new edge node is installed for the first time, it can obtain a certificate assigned by the operator according to the identity information of the first organization; the certificate corresponds one-to-one to the identity information of the first organization and is used to verify the identity of the node and of the first organization. The central node in the UDM system may store the identity information of the first organization. Moreover, the master node can generate a block according to the authentication information of the first user and broadcast it to the slave nodes, and the slave nodes can each vote on the block according to their own judgment of whether the first user is a valid registered user.
In some possible embodiments, the slave nodes' votes on the block may be cast anonymously. Edge nodes can verify one another's identity by certificate. That is, the slave nodes each voting on the block according to their judgment of whether the first user is a valid registered user may include: the slave nodes each vote anonymously on the block according to their judgment of whether the first user is a valid registered user.
Optionally, the central node and the edge nodes in the UDM system may each record every authentication process in their own system log set. A system log set may include one or more logs. A log may include an edge node and the event information corresponding to that edge node.
Optionally, the central node and the edge nodes in the UDM system may also obtain the event information in the system log set, and when the event information corresponding to a node in the system log meets a preset condition, the central node and the edge nodes in the UDM system can vote to reveal the identity information of the first organization corresponding to that edge node.
The following description takes as an example the central node in the UDM system initiating a vote to reveal the identity information of the first organization corresponding to an edge node. Figure 11 is another schematic flowchart of the data management method provided by an embodiment of the present application. As shown in Figure 11, the method may further include S1101 to S1104.
S1101. The central node obtains a first request and a first log corresponding to the first request.
The first request is used to request that the identity information of the first organization corresponding to a malicious node be revealed. The first log may include the log in the system log set that records the event information corresponding to the malicious node.
In one possible implementation, the first request may be generated by the central node. That is, the central node obtaining the first request may include: the central node generates the first request according to the system log set.
For example, for each edge node, when the event information corresponding to that edge node in the system log set meets the preset condition, the central node can determine that the edge node is a malicious node and generate the first request.
The preset condition may include:
1. The number of times the edge node has broadcast incorrect authentication information is greater than a preset count threshold.
2. The number of times the edge node, acting as master node, has failed to generate a block is greater than a preset count threshold.
3. The length of time during which the number of nodes connected to the edge node has been less than the quantity threshold is greater than a preset duration threshold.
It should be noted that the count threshold, the duration threshold and so on may all be preset by the administrator in the nodes of the UDM system. For example, the count threshold may be 3 times, or 5 times, and so on; the duration threshold may be one week, or one month, and so on. The embodiments of the present application do not limit the specific values of the count threshold and the duration threshold.
It should also be noted that, in the preset conditions above, the count threshold for the edge node broadcasting incorrect authentication information and the count threshold for the edge node failing to generate a block as master node may be the same or different; the embodiments of the present application do not limit this.
In another possible implementation, the first request may be generated by an edge node. That is, the central node obtaining the first request may include: the central node receives the first request sent by an edge node, where the first request is generated by the edge node according to the system log set.
It should be noted that the steps by which the edge node generates the first request may refer to the steps described above for the central node generating the first request, and are not repeated here.
S1102. The central node broadcasts the first request and the first log corresponding to the first request.
S1103. The central node obtains the votes of the edge nodes on the first request.
An edge node's vote on the first request may be to agree with the first request or to disagree with it.
S1104. When, among the votes of the edge nodes on the first request, the proportion agreeing with the first request is greater than a preset second proportion, the central node broadcasts the identity information of the first organization corresponding to the malicious node that the first request concerns.
The second proportion may be preset by the administrator in the nodes of the UDM system. For example, the second proportion may be 50%, or 70%, and so on. The embodiments of the present application do not limit the specific value of the second proportion.
It should be noted that when the proportion of nodes agreeing with the first request is less than the preset second proportion, the central node may reject the first request. That is, for each edge node in the UDM system, after the central node obtains the vote on the first request sent by that edge node, it may further determine, according to the proportion of edge nodes agreeing with the first request and the preset second proportion, whether to broadcast the identity information of the first organization corresponding to the malicious node that the first request concerns.
In the data management method provided by the embodiments of the present application, when a malicious node exists in the UDM system, the central node and the edge nodes in the UDM system can each record every authentication process in their own system log set, identify the malicious node according to the system log set, and vote to reveal the identity information of the first organization corresponding to the malicious node, thereby preventing the first organization corresponding to the malicious node from continuing to use the malicious node to interfere with normal authentication in the UDM system.
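Steps S1101 to S1104 above amount to a detection rule over the system log set followed by a threshold vote. The following Python is an added example, not code from the patent or from any implementation of it: it evaluates the three preset conditions listed above over a constructed log set, generates a first request for each node that meets any of them, and applies the second-proportion rule to the edge nodes' votes to decide whether the central node reveals the organization's identity or rejects the request. The log record layout, event names, thresholds, node names and vote outcomes are all assumptions constructed for the illustration; the third condition is measured here as the longest continuous stretch of logged peer counts below the quantity threshold, which is one reading of the patent's wording.

```python
"""Added example (not from the patent): detecting a malicious node from the
system log set and voting to reveal its organisation's identity (S1101-S1104).

The log set, thresholds, node names and vote outcomes are constructed for the
illustration; the three preset conditions are the ones the patent lists.
"""
from collections import Counter
from dataclasses import dataclass

COUNT_THRESHOLD = 3                    # preset count threshold (patent examples: 3 or 5)
DURATION_THRESHOLD_S = 7 * 24 * 3600   # preset duration threshold: one week
QUANTITY_THRESHOLD = 3                 # quantity threshold on connected nodes
SECOND_PROPORTION = 0.5                # preset second proportion (patent examples: 50% or 70%)
DAY = 24 * 3600


@dataclass(frozen=True)
class LogEntry:
    """One record of the system log set (constructed layout)."""
    ts: int           # seconds since epoch
    node: str         # certificate of the edge node the event concerns
    event: str        # "bad_auth_broadcast", "block_failed" or "peer_count"
    value: int = 0    # connected-node count for "peer_count" events


def low_connectivity_duration(entries: list, node: str, now: int) -> int:
    """Longest continuous stretch (seconds) during which the node's logged
    peer count stayed below QUANTITY_THRESHOLD; an open stretch runs to `now`."""
    samples = sorted((e.ts, e.value) for e in entries
                     if e.node == node and e.event == "peer_count")
    longest, start = 0, None
    for ts, count in samples:
        if count < QUANTITY_THRESHOLD:
            start = ts if start is None else start
        else:
            if start is not None:
                longest = max(longest, ts - start)
            start = None
    if start is not None:
        longest = max(longest, now - start)
    return longest


def evaluate_preset_conditions(entries: list, node: str, now: int) -> list:
    """Return the names of the preset conditions the node satisfies (S1101)."""
    counts = Counter(e.event for e in entries if e.node == node)
    met = []
    if counts["bad_auth_broadcast"] > COUNT_THRESHOLD:
        met.append("incorrect_auth_broadcasts")
    if counts["block_failed"] > COUNT_THRESHOLD:
        met.append("block_generation_failures")
    if low_connectivity_duration(entries, node, now) > DURATION_THRESHOLD_S:
        met.append("prolonged_low_connectivity")
    return met


def first_log(entries: list, node: str) -> list:
    """The first log: the records of the log set that concern the suspected node."""
    return [e for e in entries if e.node == node]


def decide_reveal(votes: dict) -> bool:
    """S1104: reveal only if the share of agreeing edge nodes exceeds SECOND_PROPORTION."""
    if not votes:
        return False
    return sum(votes.values()) / len(votes) > SECOND_PROPORTION


def central_node_round(entries: list, edge_votes: dict, now: int) -> dict:
    """Run S1101-S1104 for every node in the log set.
    Returns node -> True if its organisation's identity is revealed, False if rejected;
    nodes that trigger no first request are absent."""
    revealed = {}
    for node in sorted({e.node for e in entries}):
        if evaluate_preset_conditions(entries, node, now):   # S1101: first request
            _broadcast = (node, first_log(entries, node))     # S1102: request + first log
            votes = edge_votes.get(node, {})                  # S1103: collected votes
            revealed[node] = decide_reveal(votes)             # S1104
    return revealed


def sample_log() -> list:
    """Constructed log set: cert-X broadcasts bad authentication info four times,
    cert-Y sits below the quantity threshold from day 1 to day 10, cert-Z is clean."""
    log = [LogEntry(d * DAY, "cert-X", "bad_auth_broadcast") for d in (2, 3, 4, 6)]
    log += [LogEntry(1 * DAY, "cert-Y", "peer_count", 2),
            LogEntry(5 * DAY, "cert-Y", "peer_count", 1),
            LogEntry(10 * DAY, "cert-Y", "peer_count", 4)]
    log += [LogEntry(3 * DAY, "cert-Z", "bad_auth_broadcast"),
            LogEntry(4 * DAY, "cert-Z", "block_failed")]
    return log


def demo() -> dict:
    """Constructed votes: cert-X reveal carries (2 of 3 agree), cert-Y is rejected (1 of 2)."""
    votes = {"cert-X": {"cert-Y": True, "cert-Z": True, "cert-W": False},
             "cert-Y": {"cert-X": True, "cert-Z": False}}
    return central_node_round(sample_log(), votes, now=20 * DAY)


if __name__ == "__main__":
    print(demo())   # {'cert-X': True, 'cert-Y': False}
```

Note that an exactly 50% agreement is a rejection under the rule as the patent states it (the proportion must be greater than the second proportion), which is why cert-Y's request fails even though half the voters agreed.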
在示例性的实施例中,上述第一节点中的功能模块还可以集成为单元。本申实施例提供一种数据管理装置,该装置可以应用于上述方法实施例中的第一节点。图12为本申请实施例提供的数据管理装置的组成示意图。如图12所示,该数据管理装置1200可以包括:获取单元1201、发送单元1202、以及处理单元1203。获取单元1201,可以用于获取第一用户的鉴权信息,第一用户为第一节点对应的子网的用户。发送单元1202,可以用于广播第一用户的鉴权信息。获取单元1201,还可以用于接收来自至少一个第二节点分别发送的第一信息;第二节点是多个边缘节点中除第一节点之外的节点、以及中心节点中的至少一个;第一信息是第二节点根据第一用户的鉴权信息、以及第二节点中存储的第一用户的注册信息,校验第一用户是否为有效注册用户之后生成的;第一信息可以用于指示第一用户的鉴权信心是否通过第二节点的校验。处理单元1203,可以用于根据指示通过第二节点校验的第一信息,在所有第一信息中的占比、以及预设的第一比例,确定第一用户的鉴权结果。In an exemplary embodiment, the functional modules in the above-mentioned first node can also be integrated into units. This embodiment of the present application provides a data management device, which can be applied to the first node in the above method embodiment. Figure 12 is a schematic diagram of the composition of a data management device provided by an embodiment of the present application. As shown in Figure 12, the data management device 1200 may include: an acquisition unit 1201, a sending unit 1202, and a processing unit 1203. The obtaining unit 1201 may be used to obtain authentication information of a first user, where the first user is a user of the subnet corresponding to the first node. The sending unit 1202 may be used to broadcast the authentication information of the first user. The acquisition unit 1201 may also be configured to receive the first information respectively sent from at least one second node; the second node is a node other than the first node among the plurality of edge nodes, and at least one of the central node; the first The information is generated by the second node after verifying whether the first user is a valid registered user based on the authentication information of the first user and the registration information of the first user stored in the second node; the first information can be used to indicate that the first user is a valid registered user. Whether a user's authentication confidence passes the verification of the second node. 
The processing unit 1203 may be configured to determine the authentication result of the first user based on the proportion of the first information indicating that it has passed the second node verification in all the first information, and the preset first proportion.
一些可能的实施例中,处理单元1203,还可以用于在发送单元1202广播第一用户的鉴权信息之前,根据第一用户的鉴权信息、以及第一节点中存储的第一用户的注册信息,确定第一用户为有效注册用户。In some possible embodiments, the processing unit 1203 may also be configured to, before the sending unit 1202 broadcasts the authentication information of the first user, based on the authentication information of the first user and the registration of the first user stored in the first node. information to determine that the first user is a valid registered user.
另一些可能的实施例中,获取单元1201,还可以用于在中心节点和边缘节点断开的情况下,接收来自除第一节点之外的边缘节点发送的,和/或,第一节点对应的子网的管理人员输入的第一用户的注册信息,并存储第一用户的注册信息。In other possible embodiments, the acquisition unit 1201 may also be used to receive data sent from edge nodes other than the first node when the central node and the edge node are disconnected, and/or the first node corresponds to The administrator of the subnet inputs the registration information of the first user and stores the registration information of the first user.
又一些可能的实施例中,发送单元1202,具体可以用于根据第一用户的鉴权信息生成区块,区块包括第一用户的鉴权信息、以及第一节点的身份信息;第一节点的而身份信息可以用于第二节点验证第一节点的身份;广播区块。In some possible embodiments, the sending unit 1202 may be configured to generate a block based on the authentication information of the first user. The block includes the authentication information of the first user and the identity information of the first node; the first node The identity information can be used by the second node to verify the identity of the first node; broadcast block.
又一些可能的实施例中,发送单元1202,具体可以用于向第三节点发送第一用户的鉴权信息,以使得第三节点根据第一用户的鉴权信息生成区块,并广播;第三节点是多个边缘节点中除第一节点之外的边缘节点或者中心节点。In some possible embodiments, the sending unit 1202 may be specifically configured to send the first user's authentication information to a third node, so that the third node generates a block based on the first user's authentication information and broadcasts it; The third node is an edge node or a central node among multiple edge nodes except the first node.
又一些可能的实施例中,第一节点与第一网络设备连接,第一节点存储有每个边缘节点对应的子网的用户的服务质量信息;第一用户的鉴权结果包括:通过或不通过。处理单元1203,还可以用于确定第一用户为有效注册用户之后,根据每个边缘节点对应的子网的用户的服务质量信息,确定第一用户的服务质量信息并记录。发送单元1202,还可以用于当第一用户的鉴权结果为通过时,向第一网络设备发送第一用户的服务质量信息,以使得第一网络设备按照第一用户的服务质量信息为第一用户提供服务。In some possible embodiments, the first node is connected to the first network device, and the first node stores service quality information of users of the subnet corresponding to each edge node; the authentication result of the first user includes: pass or fail. pass. The processing unit 1203 may also be configured to determine and record the service quality information of the first user based on the service quality information of the user in the subnet corresponding to each edge node after determining that the first user is a valid registered user. The sending unit 1202 may also be configured to send the first user's quality of service information to the first network device when the authentication result of the first user is passed, so that the first network device is the first user according to the first user's quality of service information. A user provides services.
又一些可能的实施例中,获取单元1201,还可以用于接收中心节点发送的第一指令,第一指令可以用于当第一用户的鉴权结果为通过时,命令第一节点向第一网络设备发送基础服务质量信息;第一指令是当第一节点连接的其他边缘节点的数量小于预设的数量阈值时由中心节点发送的。发送单元1202,还可以用于响应于第一指令,当第一用户的鉴权结果为通过时,向第一网络设备发送基础服务质量信息,以使得第一网络设备根据基础服务质量信息为第一用户提供服务。In some possible embodiments, the acquisition unit 1201 may also be used to receive a first instruction sent by the central node. The first instruction may be used to instruct the first node to send the first user to the first user when the authentication result is passed. The network device sends basic service quality information; the first instruction is sent by the central node when the number of other edge nodes connected to the first node is less than a preset quantity threshold. The sending unit 1202 may also be configured to respond to the first instruction and, when the authentication result of the first user is passed, send basic service quality information to the first network device, so that the first network device provides the first network device with the basic service quality information based on the basic service quality information. A user provides services.
又一些可能的实施例中,中心节点包括多个;多个中心节点相互连接。每个边缘节点与中心节点连接,是指:每个边缘节点与多个中心节点中的一个连接。第二节点是中心节点,是指:第二节点是多个中心节点中的一个。In some possible embodiments, the central node includes multiple central nodes; multiple central nodes are connected to each other. Each edge node is connected to a central node, which means: each edge node is connected to one of multiple central nodes. The second node is a central node, which means that the second node is one of multiple central nodes.
在示例性的实施例中,本申请实施例又提供一种数据管理装置,该装置可以应用于上述方法实施例中的第二节点。图13为本申请实施例提供的数据管理装置的组成示意图。如图13所示,该数据管理装置1300可以包括:获取单元1301、处理单元1302、以及发送单元1303。获取单元1301,可以用于接收第一节点广播的第一用户的鉴权信息,第一用户为第一节点对应的子网的用户。处理单元1302,可以用于根据第一用户的鉴权信息、以及第二节点中存储的第一用户的注册信息,校验第一用户是否为有效注册用户;根据校验第一用户是否为有效注册用户的结果,生成第一信息,第一信息可以用于指示第一用户的鉴权信息是否通过第二节点的校验。发送单元1303,可以用于向第一节点发送第一信息,以使得第一节点根据指示通过第二节点校验的第一信息,在所有第一信息中的占比、以及预设的第一比例,确定第一用户的鉴权结果。In an exemplary embodiment, the embodiment of the present application further provides a data management device, which can be applied to the second node in the above method embodiment. Figure 13 is a schematic diagram of the composition of a data management device provided by an embodiment of the present application. As shown in Figure 13, the data management device 1300 may include: an acquisition unit 1301, a processing unit 1302, and a sending unit 1303. The obtaining unit 1301 may be configured to receive the authentication information of the first user broadcast by the first node. The first user is a user of the subnet corresponding to the first node. The processing unit 1302 may be configured to verify whether the first user is a valid registered user based on the authentication information of the first user and the registration information of the first user stored in the second node; verify whether the first user is valid based on As a result of registering the user, first information is generated, and the first information can be used to indicate whether the authentication information of the first user passes the verification of the second node. The sending unit 1303 may be used to send the first information to the first node, so that the first node passes the first information verified by the second node according to the instruction, the proportion of all the first information, and the preset first Proportion to determine the authentication result of the first user.
In some possible embodiments, the first user's authentication information that the second node receives, broadcast by the first node, is sent by the first node after it has determined, based on the first user's authentication information and the first user's registration information stored in the first node, that the first user is a valid registered user.
In other possible embodiments, when the central node and the edge nodes are disconnected, the first user's registration information stored in the first node is sent by an edge node other than the first node and/or entered by the administrator of the subnet corresponding to the first node.
In still other possible embodiments, the acquisition unit 1301 may specifically be configured to receive a block broadcast by the first node. The block is generated by the first node from the first user's authentication information and includes the first user's authentication information and the first node's identity information; the first node's identity information may be used by the second node to verify the identity of the first node.
In still other possible embodiments, the acquisition unit 1301 may specifically be configured to receive a block broadcast by a third node. This block is generated by the third node from the first user's authentication information after the first node has sent that authentication information to the third node; the third node is either an edge node other than the first node among the multiple edge nodes, or the central node.
In still other possible embodiments, the second node stores quality of service information for the users of the subnet corresponding to each edge node. The processing unit 1302 may further be configured to, when the first user is determined to be a valid registered user, determine and record the first user's quality of service information based on the quality of service information, stored in the second node, for the users of the subnet corresponding to each edge node.
In still other possible embodiments, there are multiple central nodes, and the multiple central nodes are connected to each other. "Each edge node is connected to the central node" then means that each edge node is connected to one of the multiple central nodes, and "the second node is a central node" means that the second node is one of the multiple central nodes.
In an exemplary embodiment, an embodiment of the present application further provides a data management apparatus that may be applied to the central node in the method embodiments above. Figure 14 is a schematic diagram of the composition of the data management apparatus provided by an embodiment of the present application. As shown in Figure 14, the data management apparatus 1400 may include an acquisition unit 1401, a processing unit 1402, and a sending unit 1403. The acquisition unit 1401 may be configured to acquire a system log set, which includes edge nodes and the event information corresponding to the edge nodes. The processing unit 1402 may be configured to, for each edge node, determine that the edge node is a malicious node and generate a first request when the event information corresponding to that edge node in the system log set satisfies a preset condition. The sending unit 1403 may be configured to broadcast the first request and a first log corresponding to the first request; the first request may be used to request disclosure of the identity information of the first organization corresponding to the malicious node, and the first log is the log in the system log set that records the event information corresponding to the malicious node. The acquisition unit 1401 may further be configured to acquire the edge nodes' votes on the first request. The sending unit 1403 may further be configured to broadcast the identity information of the first organization corresponding to the malicious node of the first request when the proportion of votes agreeing to the first request is greater than a preset second proportion.
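As an added illustration (not code from the patent), the following Python models the central node's audit described above: it scans a constructed system log set, raises a first request with the offending first log for any edge node exceeding an assumed preset condition, has the other edge nodes vote on it, and discloses the operating organization only when the share of agreeing votes exceeds the second proportion. The event names, the threshold, the 0.5 ratio and the node-to-organization mapping are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample log set and organisation mapping; the event names, the
# "preset condition" and the ratio are assumptions, the patent leaves them open.
SYSTEM_LOG_SET = [
    ("edge-A", "auth_forwarded"), ("edge-A", "auth_forwarded"),
    ("edge-B", "invalid_block"), ("edge-B", "invalid_block"),
    ("edge-B", "forged_auth_info"), ("edge-C", "auth_forwarded"),
]
NODE_ORGANISATION = {"edge-A": "org-1", "edge-B": "org-2", "edge-C": "org-3"}
MALICIOUS_EVENTS = {"invalid_block", "forged_auth_info"}
MAX_MALICIOUS_EVENTS = 2   # assumed preset condition: more than 2 such events
SECOND_RATIO = 0.5         # the preset "second proportion" (assumed value)

@dataclass
class RevealRequest:
    malicious_node: str
    first_log: list = field(default_factory=list)  # log entries about that node
    votes: dict = field(default_factory=dict)       # voter -> agrees?

def detect_malicious_nodes(log_set, threshold=MAX_MALICIOUS_EVENTS):
    """Central node: one request per edge node whose malicious-event count in
    the log set exceeds the threshold, bundled with the matching first log."""
    counts = Counter(node for node, ev in log_set if ev in MALICIOUS_EVENTS)
    return [RevealRequest(node, [e for e in log_set if e[0] == node])
            for node, n in counts.items() if n > threshold]

def edge_node_vote(voter, request):
    """Edge node: re-derive the verdict from the broadcast first log instead of
    trusting the request; a node does not vote on a request about itself."""
    if voter == request.malicious_node:
        return None
    seen = sum(1 for _, ev in request.first_log if ev in MALICIOUS_EVENTS)
    return seen > MAX_MALICIOUS_EVENTS

def resolve_request(request, voters, second_ratio=SECOND_RATIO):
    """Collect votes; disclose the organisation only when the share of
    agreeing votes is strictly greater than the second ratio."""
    for v in voters:
        vote = edge_node_vote(v, request)
        if vote is not None:
            request.votes[v] = vote
    if not request.votes:
        return None
    if sum(request.votes.values()) / len(request.votes) > second_ratio:
        return NODE_ORGANISATION[request.malicious_node]
    return None

def run_audit(log_set=SYSTEM_LOG_SET, voters=tuple(NODE_ORGANISATION)):
    """End to end: detect, broadcast request and first log, vote, disclose."""
    return {r.malicious_node: resolve_request(r, voters)
            for r in detect_malicious_nodes(log_set)}
```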
In an exemplary embodiment, an embodiment of the present application further provides a unified data management (UDM) system. The UDM system includes a central node and multiple edge nodes; each edge node is connected to the central node, and each edge node is connected to at least one other edge node among the multiple edge nodes. A first node acquires the authentication information of a first user, the first user being a user of the subnet corresponding to the first node and the first node being one of the multiple edge nodes; the first node broadcasts the first user's authentication information; a second node checks, based on the first user's authentication information and the first user's registration information stored in the second node, whether the first user is a valid registered user; the second node generates first information based on the result of that check, the first information being used to indicate whether the first user's authentication information passed the second node's check; and the first node determines the first user's authentication result based on the proportion, among all the first information, of first information indicating that the second node's check was passed, together with a preset first proportion.
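The authentication round of the UDM system just described, as an added Python example that is not part of the patent: the first node checks the user against its own registration information, broadcasts a block carrying its identity information (modelled here with an HMAC under an assumed per-node key), each second node returns its first information, and the first node accepts the user when the share of peers reporting a pass reaches the first proportion. The key scheme, the sample node and user identities, and the 0.5 ratio are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

FIRST_RATIO = 0.5   # the preset "first proportion" (assumed value)

@dataclass(frozen=True)
class Block:
    node_id: str    # the first node's identity information
    user_id: str
    auth_info: str  # authentication information as supplied by the user
    mac: str        # assumed: HMAC over the payload under the sender's key

@dataclass
class Node:
    node_id: str
    key: bytes          # assumed per-node key known to its peers
    registration: dict  # user_id -> registration info held by this node
    peer_keys: dict     # node_id -> key, used to verify a sender's identity

    def check_user(self, user_id, auth_info):
        """Compare the supplied authentication info with stored registration."""
        stored = self.registration.get(user_id)
        return stored is not None and hmac.compare_digest(stored, auth_info)

    def make_block(self, user_id, auth_info):
        """First node: broadcast only after its own check has succeeded."""
        if not self.check_user(user_id, auth_info):
            return None
        payload = f"{self.node_id}|{user_id}|{auth_info}".encode()
        return Block(self.node_id, user_id, auth_info,
                     hmac.new(self.key, payload, hashlib.sha256).hexdigest())

    def first_information(self, block):
        """Second node: verify the sender, then the user; None if unverifiable."""
        key = self.peer_keys.get(block.node_id)
        if key is None:
            return None
        payload = f"{block.node_id}|{block.user_id}|{block.auth_info}".encode()
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, block.mac):
            return None
        return self.check_user(block.user_id, block.auth_info)

def authenticate(first, peers, user_id, auth_info, ratio=FIRST_RATIO):
    """Local check, broadcast, tally; an unverifiable reply never counts as a pass."""
    block = first.make_block(user_id, auth_info)
    if block is None or not peers:
        return False
    verified = sum(1 for p in peers if p.first_information(block) is True)
    return verified / len(peers) >= ratio   # assumed: reaching the ratio passes

def build_demo():
    """Constructed sample; edge-3 never received user-42's registration."""
    keys = {f"edge-{i}": f"key-{i}".encode() for i in range(4)}
    reg = {"user-42": "K1-auth-secret"}   # constructed registration value
    first = Node("edge-0", keys["edge-0"], dict(reg), keys)
    peers = [Node(f"edge-{i}", keys[f"edge-{i}"], dict(reg) if i < 3 else {}, keys)
             for i in (1, 2, 3)]
    return first, peers
```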
It should be noted that the UDM system provided by the embodiments of the present application may also perform the steps performed by the first node, the second node, the central node, and so on in the method embodiments above, so as to implement all the functions of the first node, the second node, the central node, and so on in those method embodiments; these are not repeated here.
In an exemplary embodiment, an embodiment of the present application further provides a computer program product which, when run on a computer, causes the computer to perform the relevant method steps above, so as to implement the data management method of the embodiments above.
In an exemplary embodiment, an embodiment of the present application further provides a network device. Figure 15 is a schematic structural diagram of the network device provided by an embodiment of the present application. As shown in Figure 15, the network device may include a processor 1501 and a memory 1502; the memory 1502 stores instructions executable by the processor 1501, and the processor 1501 is configured to execute the instructions so that the network device implements the method described in the method embodiments above.
In an exemplary embodiment, an embodiment of the present application further provides a computer-readable storage medium on which computer program instructions are stored; when the computer program instructions are executed by a network device, they cause the network device to implement the method described in the embodiments above. The computer-readable storage medium may be a non-transitory computer-readable storage medium, for example a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, or the like.
The above are only specific embodiments of the present application, and the scope of protection of the present application is not limited thereto; any change or substitution within the technical scope disclosed in the present application shall fall within the scope of protection of the present application. Therefore, the scope of protection of the present application shall be determined by the scope of protection of the claims.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111528603.5A CN114302396B (en) | 2021-12-14 | 2021-12-14 | Data management methods, devices, equipment, storage media and systems |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114302396A CN114302396A (en) | 2022-04-08 |
| CN114302396B true CN114302396B (en) | 2023-11-07 |