CN110365483A - Cloud platform authentication method, client, middleware and system - Google Patents

Info

Publication number
CN110365483A
Authority
CN
China
Prior art keywords
token
certification
authentication
information
cloud platform
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810320459.8A
Other languages
Chinese (zh)
Other versions
CN110365483B (en)
Inventor
周实奇
吴列宏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Guangdong Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Guangdong Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Group Guangdong Co Ltd
Priority to CN201810320459.8A (granted as CN110365483B)
Publication of CN110365483A
Application granted
Publication of CN110365483B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving a third party or a trusted authority
    • H04L 9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Computer And Data Communications (AREA)

Abstract

An embodiment of the present invention provides a cloud platform authentication method, client, middleware and system. The method includes: obtaining the configuration information of a token, the configuration information including the token generation information and the expiry time of the token; and sending a token authentication request to the authentication middleware, the authentication request carrying the configuration information and an authentication-exempt flag, so that the authentication middleware, according to the authentication-exempt flag, after determining that the authentication request is not a first-time authentication, judges whether the token is legitimate according to the token generation information and the expiry time. In this embodiment the authentication middleware authenticates a token that is not being authenticated for the first time directly, according to the authentication-exempt flag, which avoids repeated authentication with the authentication server, reduces the load on the authentication server, improves the efficiency of the authentication service and thereby improves the service quality of the cloud platform.

Description

Cloud platform authentication method, client, middleware and system
Technical field
Embodiments of the present invention relate to the field of computer technology, and in particular to a cloud platform authentication method, client, middleware and system.
Background technique
The Keystone project is a core component of the OpenStack cloud platform and provides the platform's authentication service: a user must be authenticated by Keystone before using the various services the cloud platform provides. The authentication process consists mainly of two stages, obtaining a token and validating the token.
First, obtaining a token: the user sends a request carrying user name, password and tenant or domain information to the server side of the OpenStack cloud platform. After receiving the user's request, the server side parses it, carries out internal processing according to the token format, and finally returns the token to the user in the form of an ID. This token ID is the basis on which the user's subsequent requests to each service are judged legitimate.
During token validation, the token ID carried in the user's request is used to authenticate the legitimacy of the user's identity. Besides the Keystone authentication service, OpenStack's authentication also depends on a number of middleware technologies, the typical one being keystonemiddleware. Fig. 1 is the service authentication flow chart of the prior art. As shown in Fig. 1, the middleware in the OpenStack cloud platform first checks whether the request carries a token; if not, it directly returns "not passed". If it does, the middleware looks the token up in the system's legitimate cache; on a hit it checks whether the token has been revoked, and if not, authentication passes, otherwise authentication fails. If the token is in neither the legitimate cache nor the illegitimate cache, the Keystone service is asked to authenticate the token by its token ID. Keystone supports four token formats, and each format has a corresponding authentication driver, so Keystone locates the driver for the token's format and authenticates with it. If authentication fails, failure is returned and the token information is stored in the illegitimate cache so as to reduce subsequent authentication interactions with Keystone; otherwise authentication passes and the token information is added to the legitimate cache. Subsequent authentications of that token are then handled directly by the middleware, reducing the interaction with Keystone. In the current Keystone authentication service, the time for which a token stays in the legitimate cache is a configurable value, set according to actual conditions and usually smaller than the token's expiry time, i.e. the token is moved out of the legitimate cache before it expires, so as to leave more space for other valid tokens.
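The Fig. 1 decision order (token present, legitimate cache and revocation, illegitimate cache, otherwise ask Keystone and cache the verdict) as an added, constructed example; it is not OpenStack's keystonemiddleware or Keystone code. `KeystoneStub`, `PriorArtMiddleware`, the constructed token IDs and the round-trip counter are assumptions of the example; the four per-format drivers are collapsed into one table lookup, with the format inferred from the token ID's shape the way real Keystone IDs are marked. The `X-Auth-Token` header is the one OpenStack clients actually send.

```python
import re


def token_format(token_id):
    """Infer the Keystone token format from the ID's shape. Real Keystone IDs
    carry these markers: Fernet tokens start with 'gAAAAA', PKIZ with 'PKIZ_',
    PKI (CMS) with 'MII'; a 32-character hex string is a UUID token."""
    if token_id.startswith("gAAAAA"):
        return "fernet"
    if token_id.startswith("PKIZ_"):
        return "pkiz"
    if token_id.startswith("MII"):
        return "pki"
    if re.fullmatch(r"[0-9a-f]{32}", token_id):
        return "uuid"
    return None


class KeystoneStub:
    """Stand-in for the Keystone service. The four per-format drivers are
    collapsed into one lookup in a constructed table of issued tokens."""

    def __init__(self, issued):
        self.issued = issued        # token_id -> expiry time (seconds)
        self.revoked = set()        # revocation list the middleware also reads
        self.calls = 0              # round-trips: the load the patent wants to cut

    def validate(self, token_id, now):
        self.calls += 1
        if token_format(token_id) is None:     # no driver for this shape
            return False
        expiry = self.issued.get(token_id)
        return expiry is not None and now < expiry and token_id not in self.revoked


class PriorArtMiddleware:
    """Fig. 1 decision order: token present -> legitimate cache (and revocation)
    -> illegitimate cache -> Keystone, caching whichever verdict comes back."""

    def __init__(self, keystone, cache_ttl):
        self.keystone = keystone
        self.cache_ttl = cache_ttl       # shorter than the token lifetime, as the text says
        self.legal_cache = {}            # token_id -> time at which the entry is dropped
        self.illegal_cache = set()

    def authenticate(self, headers, now):
        token_id = headers.get("X-Auth-Token")
        if not token_id:
            return False, "no token"
        drop_at = self.legal_cache.get(token_id)
        if drop_at is not None and now >= drop_at:
            del self.legal_cache[token_id]   # evicted before the token itself expires
            drop_at = None
        if drop_at is not None:
            if token_id in self.keystone.revoked:
                return False, "revoked"
            return True, "legal cache hit"
        if token_id in self.illegal_cache:
            return False, "illegal cache hit"
        if self.keystone.validate(token_id, now):
            self.legal_cache[token_id] = now + self.cache_ttl
            return True, "keystone accepted"
        self.illegal_cache.add(token_id)
        return False, "keystone rejected"


def scenario():
    """Constructed token IDs walked through the flow; returns the decisions and
    how many times Keystone was consulted."""
    uuid_tok = "3f2d9c0a1b4e4c7d8e9f0a1b2c3d4e5f"
    fernet_tok = "gAAAAABconstructed-fernet-token"
    ks = KeystoneStub({uuid_tok: 1000 + 3600, fernet_tok: 1000 + 3600})
    mw = PriorArtMiddleware(ks, cache_ttl=300)
    steps = [
        mw.authenticate({}, 1000),                            # no token
        mw.authenticate({"X-Auth-Token": uuid_tok}, 1000),    # first sight: Keystone
        mw.authenticate({"X-Auth-Token": uuid_tok}, 1001),    # served from legal cache
        mw.authenticate({"X-Auth-Token": "nope"}, 1002),      # unknown shape: Keystone rejects
        mw.authenticate({"X-Auth-Token": "nope"}, 1003),      # served from illegal cache
    ]
    ks.revoked.add(uuid_tok)
    steps.append(mw.authenticate({"X-Auth-Token": uuid_tok}, 1004))    # cached but revoked
    steps.append(mw.authenticate({"X-Auth-Token": fernet_tok}, 1005))  # Keystone again
    steps.append(mw.authenticate({"X-Auth-Token": fernet_tok}, 1400))  # TTL elapsed: Keystone again
    return steps, ks.calls


if __name__ == "__main__":
    for step in scenario()[0]:
        print(step)
```

The last step is the cost the background section is pointing at: once the cache TTL elapses, every still-valid token costs another Keystone round-trip, and under load those round-trips are what fails.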
The existing OpenStack authentication technique performs well for small-scale services. In actual operation, however, the service clients of a cloud product number in the tens of thousands, and when too many users are authenticated through Keystone it is easy to reach the upper limit of the Keystone service or to put it under excessive pressure. When the pressure reaches a certain level, authentication failures frequently occur and some tokens are misjudged: a user who presents a token obtained with their own identity information cannot continue the operation, the token is directly judged to have failed, and the service quality of the cloud platform suffers.
Therefore, how to improve the authentication service capacity of a cloud platform with a large number of users has become an important problem to be solved urgently.
Summary of the invention
In view of the defects in the prior art, embodiments of the present invention provide a cloud platform authentication method, client, middleware and system.
In a first aspect, an embodiment of the present invention provides a cloud platform authentication method, comprising:
obtaining the configuration information of a token, the configuration information including the token generation information and the expiry time of the token;
sending a token authentication request to the authentication middleware, the authentication request carrying the configuration information and an authentication-exempt flag, so that the authentication middleware, according to the authentication-exempt flag, after determining that the authentication request is not a first-time authentication, judges whether the token is legitimate according to the token generation information and the expiry time.
In a second aspect, another embodiment of the present invention provides a cloud platform authentication method, comprising:
receiving a token authentication request sent by a cloud platform client, the authentication request carrying the configuration information of the token and an authentication-exempt flag, the configuration information including the token generation information and the expiry time of the token;
parsing the authentication request, obtaining the authentication-exempt flag, and judging whether the authentication request is a non-first-time authentication;
if it is determined to be a non-first-time authentication, judging whether the token identity is legitimate according to the token generation information;
if the token identity is determined to be legitimate, judging whether the token has expired according to the expiry time.
In a third aspect, an embodiment of the present invention provides a cloud platform client, comprising:
an obtaining module, for obtaining the configuration information of a token, the configuration information including the token generation information and the expiry time of the token;
a sending module, for sending a token authentication request to the authentication middleware, the authentication request carrying the configuration information and an authentication-exempt flag, so that the authentication middleware, according to the authentication-exempt flag, after determining that the authentication request is not a first-time authentication, judges whether the token is legitimate according to the token generation information and the expiry time.
In a fourth aspect, an embodiment of the present invention provides a cloud platform authentication middleware, comprising:
a receiving module, for receiving a token authentication request sent by a cloud platform client, the authentication request carrying the configuration information of the token and an authentication-exempt flag, the configuration information including the token generation information and the expiry time of the token;
a judgment module, for parsing the authentication request, obtaining the authentication-exempt flag, and judging whether the authentication request is a non-first-time authentication;
a first authentication module, for judging, if the request is determined to be a non-first-time authentication, whether the token identity is legitimate according to the token generation information;
a second authentication module, for judging, if the token identity is determined to be legitimate, whether the token has expired according to the expiry time.
In a fifth aspect, an embodiment of the present invention provides a cloud platform system, comprising the above cloud platform client and the above cloud platform authentication middleware.
In a sixth aspect, an embodiment of the present invention provides an electronic device, comprising:
a memory and a processor, the processor and the memory communicating with each other through a bus; the memory stores program instructions executable by the processor, and the processor calls the program instructions to perform the following method: obtaining the configuration information of a token, the configuration information including the token generation information and the expiry time of the token; sending a token authentication request to the authentication middleware, the authentication request carrying the configuration information and an authentication-exempt flag, so that the authentication middleware, according to the authentication-exempt flag, after determining that the authentication request is not a first-time authentication, judges whether the token is legitimate according to the token generation information and the expiry time.
In a seventh aspect, an embodiment of the present invention provides a storage medium on which a computer program is stored, the computer program implementing the following method when executed by a processor: obtaining the configuration information of a token, the configuration information including the token generation information and the expiry time of the token; sending a token authentication request to the authentication middleware, the authentication request carrying the configuration information and an authentication-exempt flag, so that the authentication middleware, according to the authentication-exempt flag, after determining that the authentication request is not a first-time authentication, judges whether the token is legitimate according to the token generation information and the expiry time.
In the cloud platform authentication method provided by embodiments of the present invention, the token's authentication request carries the token generation information, the expiry time of the token and an authentication-exempt flag, so that the authentication middleware can authenticate a token that is not being authenticated for the first time directly according to the authentication-exempt flag. This avoids repeated authentication with the authentication server, reduces the load on the authentication server, improves the efficiency of the authentication service and thereby improves the service quality of the cloud platform.
Detailed description of the invention
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is the cloud platform service authentication flow chart of the prior art;
Fig. 2 is a flow diagram of a cloud platform authentication method provided by an embodiment of the present invention;
Fig. 3 is a flow diagram of a cloud platform authentication method provided by another embodiment of the present invention;
Fig. 4 is a structural schematic diagram of a cloud platform client provided by an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of a cloud platform authentication middleware provided by an embodiment of the present invention;
Fig. 6 is a structural schematic diagram of a cloud platform system provided by an embodiment of the present invention;
Fig. 7 is a structural schematic diagram of an electronic device provided by an embodiment of the present invention.
Specific embodiment
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are a part of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 2 is a flow diagram of a cloud platform authentication method provided by an embodiment of the present invention. As shown in Fig. 2, the method comprises:
Step S21: obtain the configuration information of the token, the configuration information including the token generation information and the expiry time of the token;
Specifically, the cloud platform provides various services for users. When a user needs a service, the user needs a token as a pass for the cloud platform: the user must first obtain a token, and once assigned a token ID can use that token ID to access the services of the cloud platform. Each service authenticates the token before the user uses it, and only after authentication passes can the user use the corresponding service.
First, the user sends a token acquisition request to the cloud platform through the client, and the cloud platform allocates a token of the corresponding format to the user according to preset allocation rules. For example, the Keystone authentication server of the OpenStack cloud platform supports four token formats: Universally Unique Identifier (UUID), compressed Public Key Infrastructure (PKIZ), Public Key Infrastructure (PKI) and the encrypted Fernet format. The four formats correspond to four authentication drivers, each of which authenticates tokens of its format to verify whether the token is legitimate. After the token is assigned, the cloud platform returns the token ID to the client, and the client can then send authentication requests using the token ID. In order to reduce interaction with the authentication server, the client may first obtain the token's configuration information before sending an authentication request, for example the token generation information and the token's expiry time (Expire). The token generation information is related to the token's production method, generation time and user information, and is generated after the token has been authenticated by the authentication server for the first time. In practice, for ease of authentication checks, the token generation information can be converted by a preset transformation rule into the token's generation ID (Audit_ID). Each Audit_ID is associated with the cloud platform and cannot be forged, so a token authenticated through its Audit_ID is shown to have a legitimate identity. In practice, after the token is assigned and passes first-time authentication by the authentication server, configuration information such as the token's Audit_ID and expiry time is generated, associated with the token ID and stored in the system cache; when the user needs to authenticate the token, the configuration information is obtained by looking up the system cache.
Step S22: send a token authentication request to the authentication middleware, the authentication request carrying the configuration information and an authentication-exempt flag, so that the authentication middleware, according to the authentication-exempt flag, after determining that the authentication request is not a first-time authentication, judges whether the token is legitimate according to the token generation information and the expiry time.
Specifically, after the client obtains the token ID, it sends an authentication request to the cloud platform. The authentication request carries the token ID, the configuration information and the authentication-exempt flag (Verify). The authentication-exempt flag indicates that the token does not need to be authenticated again: when the user's reliability is very high, carrying the flag in the authentication request indicates that the user has set the authentication policy level to the minimum. For the cloud platform this means the user only needs to log in once; after that authentication, subsequent authentication processes need no interaction with the authentication server and are completed by the authentication middleware, which relieves pressure on the authentication server. After the authentication middleware receives the client's request, it parses the request, obtains the token ID and configuration information, and judges whether the request carries the authentication-exempt flag. If so, it judges whether the user's trust level allows the exempt process, for example whether the user is a local-network user or an internal user of the cloud platform system. The middleware then judges whether the request is a first-time authentication. In general a first-time authentication must go through the authentication server; at that point the token's configuration information in the cloud platform cache is empty, so the configuration information carried in the token authentication request the user sends for the first authentication is empty.
When the middleware determines that the request is not a first-time authentication, it performs a security check of the token's identity according to the token generation information. It first parses the token generation information and judges whether the user information in it is consistent with the user information in the current authentication request; it then looks up the token generation information stored for the token ID in the system cache and judges whether the two are consistent, i.e. whether the token identity is legitimate or forged. If they agree with the system cache, the token identity is legitimate. The middleware then compares the current time with the expiry time carried in the request to judge whether the token has expired. If the identity is legitimate and the token has not expired, the token passes authentication and the user can use the corresponding service of the cloud platform. If the token identity is illegitimate or the token's expiry time has passed, the token fails authentication and the middleware returns an operation failure message to the client.
In the cloud platform authentication method provided by this embodiment, the token's authentication request carries the token generation information, the expiry time of the token and an authentication-exempt flag, so that the authentication middleware can authenticate a token that is not being authenticated for the first time directly according to the authentication-exempt flag. This avoids repeated authentication with the authentication server, reduces the load on the authentication server, improves the efficiency of the authentication service and thereby improves the service quality of the cloud platform.
On the basis of the above embodiment, obtaining the configuration information of the token further comprises:
sending a token acquisition request to the authentication server, so that the authentication server determines the token ID, the token generation information and the expiry time of the token, and sends the token ID;
sending the authentication request corresponding to the token ID to the authentication middleware, so that the authentication middleware, after determining that the authentication request is a first-time authentication, forwards the authentication request to the authentication server, and the authentication server, after the token passes authentication, stores the token generation information and the expiry time of the token in the system cache;
obtaining the token generation information and the expiry time from the system cache.
Specifically, when the user needs a service of the cloud platform, the user first sends a token acquisition request to the cloud platform. The authentication server in the cloud platform receives the request, generates the token ID and the token's expiry time according to the token format corresponding to the user, and then generates the token generation information Audit_ID according to the token's production method, time and user information and the corresponding transformation rule. The token ID is sent to the client. After obtaining the token ID, the client sends an authentication request carrying the token ID to the cloud platform. The authentication middleware in the cloud platform receives the request first; having determined that it is a first-time authentication, it forwards the request to the authentication server, which ensures that every token is authenticated by the authentication server.
The authentication server determines the token format according to the token ID and user information, determines the authentication driver according to the token format, and authenticates the token with that driver. If authentication passes, the token generation information, the expiry time and the token ID are associated and stored in the system cache. On the one hand, this ensures that the configuration information of a token that has not been authenticated by the authentication server cannot be obtained, so every token is authenticated by the authentication server at least once; on the other hand, it ensures the correctness of the configuration information set by the user, avoiding verification problems caused by wrong configuration information and saving authentication time. If the token fails authentication, the authentication server returns an operation failure message to the client.
In practice, the authentication server can also store the ID of a token that failed authentication in the system cache and mark it as failed. When the user sends another authentication request with that token ID, the authentication middleware finds by looking up the system cache that the token ID failed authentication and returns an operation failure message to the client directly, avoiding a repeated authentication process with the authentication server.
When the user sends an authentication request again, the client can look up the token generation information and expiry time for the token ID in the system cache, set the configuration information, and send a token authentication request carrying the configuration information and the authentication-exempt flag to the cloud platform, avoiding repeated interaction with the authentication server.
In the cloud platform authentication method provided by this embodiment, the token's configuration information is generated after the token first passes authentication by the authentication server, and subsequent authentication requests for the token carry the configuration information and the authentication-exempt flag, so that the authentication middleware can authenticate a token that is not being authenticated for the first time directly according to the authentication-exempt flag. This avoids repeated authentication with the authentication server, reduces the load on the authentication server, improves the authentication service capacity and thereby improves the service quality of the cloud platform.
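The flow of steps S21 and S22 together with the first-time forwarding, the failed-token marking and the client's cache lookup described above, as an added, constructed example (not the patent's or OpenStack's code). `AuthServerStub`, `ExemptMiddleware`, `client_request`, the `FAILED` cache marker, the `trusted_users` set standing in for the user trust level, and the derivation of Audit_ID as an HMAC over production method, time and user under a server-side key are all assumptions of the example; the page names Audit_ID, Expire and Verify but not how Audit_ID is computed. The one design choice worth noting is that the middleware treats the system cache as authoritative and only compares the client's copy against it, so a tampered Audit_ID or Expire in the request cannot extend or transfer a token.

```python
import hashlib
import hmac
import secrets

FAILED = "FAILED"   # cache marker for a token ID that failed server authentication


class AuthServerStub:
    """Stand-in for the authentication server (Keystone in the patent's setting)."""

    def __init__(self, system_cache, key):
        self.system_cache = system_cache
        self.key = key              # server-side secret; assumption of the example
        self.issued = {}            # token_id -> production record
        self.calls = 0              # round-trips: the load the patent wants to cut

    def issue_token(self, user, fmt, now, lifetime):
        token_id = secrets.token_hex(16)
        self.issued[token_id] = {"user": user, "format": fmt,
                                 "created": now, "expire": now + lifetime}
        return token_id

    def audit_id(self, rec):
        # Preset transformation rule (assumed): keyed hash over production method,
        # time and user, so a client cannot forge an Audit_ID without the key.
        msg = f"{rec['format']}|{rec['created']}|{rec['user']}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def authenticate(self, token_id, user, now):
        """First-time authentication; on success Audit_ID and Expire are cached
        under the token ID, on an intrinsic failure the ID is marked FAILED."""
        self.calls += 1
        rec = self.issued.get(token_id)
        if rec is None or now >= rec["expire"]:
            self.system_cache[token_id] = FAILED
            return False
        if rec["user"] != user:     # wrong presenter: reject without poisoning the cache
            return False
        self.system_cache[token_id] = {"audit_id": self.audit_id(rec),
                                       "expire": rec["expire"], "user": user}
        return True


class ExemptMiddleware:
    """Stand-in for the authentication middleware of step S22."""

    def __init__(self, server, system_cache, trusted_users):
        self.server = server
        self.system_cache = system_cache
        self.trusted_users = trusted_users   # e.g. local-network or internal users

    def authenticate(self, req, now):
        token_id, user, cfg = req["token_id"], req["user"], req.get("config")
        cached = self.system_cache.get(token_id)
        if cached == FAILED:
            return False, "previously failed"
        # First-time authentication (nothing cached, or no configuration carried),
        # no Verify flag, or a user whose trust level does not allow the exempt
        # path: all of these go to the server.
        if cached is None or not cfg or not req.get("verify") \
                or user not in self.trusted_users:
            return self.server.authenticate(token_id, user, now), "server"
        # Non-first-time: the cache, not the client's copy, is authoritative.
        if cached["user"] != user or \
                not hmac.compare_digest(cfg["audit_id"], cached["audit_id"]):
            return False, "identity illegal"
        if cfg["expire"] != cached["expire"] or now >= cached["expire"]:
            return False, "expired"
        return True, "middleware"


def client_request(system_cache, token_id, user, verify):
    """Client side of step S21: read Audit_ID and Expire from the system cache
    (empty before the first authentication) and attach the Verify flag."""
    cached = system_cache.get(token_id)
    cfg = None
    if isinstance(cached, dict):
        cfg = {"audit_id": cached["audit_id"], "expire": cached["expire"]}
    return {"token_id": token_id, "user": user, "config": cfg, "verify": verify}


def scenario():
    """Walk one token through the flow; returns the decisions and server calls."""
    cache = {}
    server = AuthServerStub(cache, key=b"constructed-server-key")
    mw = ExemptMiddleware(server, cache, trusted_users={"alice", "mallory"})
    tok = server.issue_token("alice", "fernet", now=1000, lifetime=3600)
    out = [mw.authenticate(client_request(cache, tok, "alice", True), 1001),   # first: server
           mw.authenticate(client_request(cache, tok, "alice", True), 1002)]   # exempt path
    forged = client_request(cache, tok, "alice", True)
    forged["config"]["audit_id"] = "0" * 64                                   # tampered Audit_ID
    out.append(mw.authenticate(forged, 1003))
    out.append(mw.authenticate(client_request(cache, tok, "mallory", True), 1004))  # not the owner
    out.append(mw.authenticate(client_request(cache, tok, "alice", True), 5000))    # past Expire
    out.append(mw.authenticate(client_request(cache, "unknown-id", "alice", True), 1005))
    out.append(mw.authenticate(client_request(cache, "unknown-id", "alice", True), 1006))
    return out, server.calls
```

Across seven requests the server is consulted twice: once for the token's first authentication and once for the unknown ID, whose failure is then served from the cache. Everything else, including the three rejections, is decided by the middleware against the cached Audit_ID, Expire and owner.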
On the basis of the above embodiments, the configuration information further includes tenant information of the token and/or role information of the token.
Specifically, in practice, to improve token utilisation the system may reclaim a token before its expiry time and reassign it to another user who needs one. For a token that has been reclaimed but has not yet expired, the configuration information stored in the system cache is still correct, but the token no longer belongs to the original user. To avoid authentication errors caused by this, the configuration information in the user's authentication request also needs to carry the token's tenant information (Project), which the user configures in the client; if the user cannot find the corresponding tenant information, the default tenant information is Null.
The user then sends an authentication request carrying the tenant information, the token generation information, the token expiry time and the authentication-exempt flag. After the authentication middleware has determined that this is a non-first-time authentication and the token has passed the identity and expiry checks, it looks up the pre-stored authority file policy.json in the system and compares the tenant information in the request with the tenant information stored in the authority file for the token ID. If they match, authentication passes; otherwise an authentication failure message is returned to the client.
In addition, to verify whether the user is qualified to use the token, the configuration information may also carry role information (Role), which indicates the role of the user carried in the token. The default role information is the most basic role in the cloud platform system, member, indicating that the user is a basic role able to obtain a token. The user then sends an authentication request carrying the role information, tenant information, token generation information, token expiry time and authentication-exempt flag. After the authentication middleware has determined that this is a non-first-time authentication and the token has passed the identity, expiry and tenant checks, it looks up the pre-stored authority file policy.json in the system and compares the role information in the request with the role information stored in the authority file. If they match, authentication passes; otherwise an authentication failure message is returned to the client. In practice, every time the authentication server authenticates a token it updates the authority file, associating the token information with the most recently assigned tenant and role information.
In practice, for a cloud platform project, the user only needs to log in once; after that authentication, subsequent authentication processes need no authentication interaction with the authentication service and only a comparison against the user's configuration information, while control of the user's operating rights is still governed by the permission settings of each project. For example, if the user's configuration grants access to project A but the cloud platform's system configuration says project A cannot be accessed, then after permission authentication the user's rights still follow the cloud platform system. Setting the configuration information greatly reduces the number of times each service must involve the authentication server in repeated authentication and reduces the overhead of service processing.
Cloud platform authentication method provided in an embodiment of the present invention, order carry token configuration information in the certification request of token With authentication-exempt identify, allow authenticate middleware directly according to authentication-exempt mark to token identity, expired time, tenant's information and Role Information is authenticated, make full use of cloud platform cache high efficiency, promote the storage of effective token in the buffer, avoid with The repetition of certificate server authenticates, and reduces the load of certificate server, improves authentication efficiency, and then improves cloud platform clothes Business quality.
Fig. 3 is a flow diagram of a cloud platform authentication method provided by a further embodiment of the invention. As shown in Fig. 3, the method comprises:
Step S31: receiving a token authentication request sent by a cloud platform client, the authentication request carrying the token's configuration information and an authentication-exempt flag, the configuration information comprising token generation information and the token's expiry time;
Specifically, the user sends a token acquisition request to the cloud platform through the client, and the cloud platform allocates a token in the corresponding format for the user according to a preset allocation rule. After the token is allocated, the cloud platform returns the token ID to the client, after which the client can use the token ID to send authentication requests. To reduce interaction with the certificate server, before sending an authentication request the client may first obtain the token's configuration information, such as the token generation information and the token's expiry time, where the token generation information relates to the way the token was produced, the time of production and the user information. The token generation information is generated after the token has been generated and authenticated by the certificate server for the first time. In practice, to facilitate authentication checks, the token generation information may be converted into the token's Audit_ID according to a preset conversion rule. Each Audit_ID is bound to the cloud platform and cannot be forged; a token that passes Audit_ID authentication is shown to have a legitimate identity. In practice, after the token is allocated and has passed first authentication by the certificate server, configuration information such as the token's Audit_ID and expiry time is generated, associated with the token ID and stored in the system cache; when the user needs to authenticate the token, the token's configuration information is obtained by searching the system cache.
After the client obtains the token ID, it sends an authentication request to the cloud platform. The authentication middleware in the cloud platform receives the authentication request sent by the client, which carries the token ID, the configuration information and the authentication-exempt flag.
Step S32: parsing the authentication request, obtaining the authentication-exempt flag, and judging whether the authentication request is a non-first authentication;
Specifically, the authentication middleware parses the authentication request, obtains the token ID and configuration information, and judges whether the request carries an authentication-exempt flag. If so, it further judges whether the user's trust level permits the authentication-exempt process, for example whether the user is a LAN user or an internal user of the cloud platform system. The authentication middleware then judges whether the request is a first authentication. Generally, because a first authentication must be performed by the certificate server, the token's configuration information in the cloud platform cache is empty at that time, so the configuration information carried in the token authentication request sent by the user on first authentication is empty.
Step S33: if it is determined that the request is a non-first authentication, judging whether the token identity is legitimate according to the token generation information;
Specifically, after the authentication middleware determines that the request is a non-first authentication, it performs a security check on the token identity according to the token generation information. It first parses the token generation information and judges whether the user information in it is consistent with the user information in the current authentication request; it then looks up the corresponding token generation information in the system cache by token ID and judges whether the two are consistent, that is, whether the token identity is legitimate or forged. If they are consistent with the system cache, the token identity is legitimate; if not, the token identity is illegitimate and an operation failure message is returned to the client.
Step S34: if it is determined that the token identity is legitimate, judging whether the token has expired according to the expiry time.
Specifically, if the authentication middleware verifies that the token identity is legitimate, it compares the current time with the expiry time carried in the authentication request and judges whether the token has expired. If the identity is legitimate and the token has not expired, the token passes authentication and the user can then use the corresponding cloud platform service. If the token identity is illegitimate or the token's expiry time has passed, the token fails authentication and the authentication middleware returns an operation failure message to the client.
In the cloud platform authentication method provided by this embodiment of the invention, the authentication middleware authenticates non-first-authentication tokens according to the authentication-exempt flag and configuration information carried in the authentication request, avoiding repeated authentication with the certificate server, reducing the load on the certificate server, improving the efficiency of the authentication service and thereby improving cloud platform service quality.
On the basis of the above embodiment, further, the configuration information also comprises:
the tenant information of the token and/or the role information of the token;
correspondingly, the method also comprises:
if it is determined that the token identity is legitimate and the token has not expired, judging whether the tenant information or the role information of the token is legitimate according to preset token authority information.
Specifically, in practice, to improve token utilisation the system may recover a token before its expiry time and reassign it to another user who needs one. For a recovered token that has not yet expired, the configuration information stored in the system cache is still correct, but the token no longer belongs to the original user. To avoid authentication errors caused by this, the configuration information that the user sends in the authentication request also carries the tenant information of the token. The tenant information is configured by the user in the user client; if the user cannot find the corresponding tenant information, the default tenant information is Null.
The user then sends an authentication request carrying the tenant information, the token generation information, the token expiry time and the authentication-exempt flag. After the authentication middleware has determined that this is not a first authentication and the token has passed identity authentication and expiry authentication, it looks up the authority file policy.json pre-stored in the system and compares the tenant information in this authentication request with the tenant information stored in the authority file for the token ID. If they are consistent, authentication passes; otherwise an authentication failure message is returned to the client.
In addition, to verify whether the user is qualified to use the token, the configuration information may also carry role information (Role), indicating the role of the user carried in the token. The default role information is the most basic role in the cloud platform system, member, which indicates that the user holds the basic role able to obtain a token. The user then sends an authentication request carrying the role information, tenant information, token generation information, token expiry time and authentication-exempt flag. After the authentication middleware has determined that this is not a first authentication and the token has passed identity authentication, expiry authentication and tenant authentication, it looks up the authority file policy.json pre-stored in the system and compares the role information in this authentication request with the role information stored in the authority file. If they are consistent, authentication passes; otherwise an authentication failure message is returned to the client. In practice, each time the certificate server authenticates a token it updates the authority file, associating the token information with the most recently assigned tenant information and role information.
For example, the cloud platform Openstack provides services A, B, C and D. A user who wants to use service A first sends a token acquisition request to Openstack through a client. On receiving the acquisition request, Openstack forwards it to the certificate server Keystone, which allocates a token ID for the user and determines the token's Audit_ID, expiry time Expire, tenant information Project and role information Role. The user then uses the token ID to send an authentication request to service A. Service A calls the cloud platform authentication middleware Keystone-middleware, which determines that the request is a first authentication and forwards it to Keystone. Keystone calls the corresponding authentication driver to authenticate the token; after authentication passes, the token ID, Audit_ID, Expire, Project and Role are associated with one another and stored in the cloud platform cache, service A is informed that the token has passed authentication, and service A provides the corresponding service to the user.
Later, when the user uses service A again, the client obtains the configuration information (Audit_ID, expiry time Expire, tenant information Project) from the cloud platform cache and sends service A an authentication request carrying that configuration information. Service A calls the authentication middleware Keystone-middleware, which determines that the request is a non-first authentication; it first looks up the Audit_ID in the cloud platform cache and judges that the token identity is legitimate, then compares the expiry time and judges that the token has not expired, then looks up the system authority file and judges that the token's tenant information and role information are both legitimate, concludes that the token passes authentication and informs service A, and service A provides the corresponding service to the user. Otherwise, Keystone-middleware returns an operation failure message to the user.
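The exchange described in the Openstack example above and in Steps S31 to S34, together with the token-recycling case that motivates the tenant and role checks, is worked through below in Python as an added example; it is not code from the patent, from China Mobile or from OpenStack Keystone. The Audit_ID derivation (an HMAC over the token generation information under a platform key), the in-memory stand-ins for Keystone, the cloud platform cache and policy.json, the trusted-user set that gates the authentication-exempt path, and all names, timestamps and sample values are assumptions introduced for illustration.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the platform-bound, unforgeable derivation of Audit_ID from the
# token generation information; the patent gives no conversion rule, so a keyed digest is assumed.
PLATFORM_KEY = b"constructed-platform-key"

def audit_id(generation_info):
    """Audit_ID as HMAC-SHA256 over the canonical token generation information."""
    canonical = json.dumps(generation_info, sort_keys=True).encode()
    return hmac.new(PLATFORM_KEY, canonical, hashlib.sha256).hexdigest()

class Keystone:
    """Stand-in for the certificate server: issues tokens, does first authentication, keeps policy.json."""
    def __init__(self):
        self.tokens = {}   # token_id -> {gen, expire, project, role}
        self.policy = {}   # policy.json: token_id -> {project, role}
        self.counter = 0

    def issue(self, user, project, role, ttl, now):
        self.counter += 1
        token_id = "tok-%04d" % self.counter
        gen = {"method": "password", "time": now, "user": user}  # token generation information
        self.tokens[token_id] = {"gen": gen, "expire": now + ttl, "project": project, "role": role}
        return token_id

    def authenticate(self, token_id, now):
        """Full authentication; refreshes policy.json and returns the configuration information to cache."""
        rec = self.tokens.get(token_id)
        if rec is None or now > rec["expire"]:
            return None
        self.policy[token_id] = {"project": rec["project"], "role": rec["role"]}
        return {"audit_id": audit_id(rec["gen"]), "expire": rec["expire"], "user": rec["gen"]["user"]}

    def reassign(self, token_id, project, role, now):
        """Token recovered before expiry and given to another tenant; cached configuration stays as it was."""
        self.tokens[token_id].update(project=project, role=role)
        self.authenticate(token_id, now)

class KeystoneMiddleware:
    """Stand-in for the authentication middleware together with the cloud platform cache."""
    def __init__(self, keystone, trusted_users):
        self.keystone = keystone
        self.cache = {}                      # token_id -> cached configuration information
        self.trusted_users = trusted_users   # users allowed the exempt path (LAN, platform-internal)

    def authenticate(self, request, now):
        token_id, user = request["token_id"], request["user"]
        cfg = request.get("config") or {}
        exempt = request.get("exempt") and user in self.trusted_users
        # First authentication (empty configuration, nothing cached) or untrusted user: ask Keystone.
        if not exempt or not cfg or token_id not in self.cache:
            info = self.keystone.authenticate(token_id, now)
            if info is None:
                return False, "first authentication failed"
            self.cache[token_id] = info
            return True, "authenticated by certificate server"
        cached = self.cache[token_id]
        # Step S33: token identity is compared with the cache, never accepted as sent.
        if cfg.get("audit_id") != cached["audit_id"] or user != cached["user"]:
            return False, "token identity illegal"
        # Step S34: expiry, taken from the cache rather than from the request.
        if now > cached["expire"]:
            return False, "token expired"
        # Tenant and role against policy.json, which Keystone refreshes on each authentication.
        entry = self.keystone.policy.get(token_id)
        if entry is None or cfg.get("project") != entry["project"]:
            return False, "tenant mismatch"
        if cfg.get("role") != entry["role"]:
            return False, "role mismatch"
        return True, "authenticated from cache"

def client_request(middleware, token_id, user, project, role):
    """Client side: read the configuration from the cache (empty before first authentication)."""
    cached = middleware.cache.get(token_id)
    config = {} if cached is None else {"audit_id": cached["audit_id"], "expire": cached["expire"],
                                        "project": project, "role": role}
    return {"token_id": token_id, "user": user, "config": config, "exempt": True}

def demo():
    """Scenario from the text; returns the list of (passed, reason) outcomes."""
    ks = Keystone()
    mw = KeystoneMiddleware(ks, trusted_users={"alice"})
    t0 = 1700000000.0  # constructed epoch timestamp
    tok = ks.issue("alice", "ProjectA", "member", ttl=3600, now=t0)
    results = [mw.authenticate(client_request(mw, tok, "alice", "ProjectA", "member"), t0 + 1)]
    results.append(mw.authenticate(client_request(mw, tok, "alice", "ProjectA", "member"), t0 + 2))
    forged = client_request(mw, tok, "alice", "ProjectA", "member")
    forged["config"]["audit_id"] = "0" * 64                # tampered token generation information
    results.append(mw.authenticate(forged, t0 + 3))
    results.append(mw.authenticate(client_request(mw, tok, "alice", "ProjectA", "admin"), t0 + 4))
    ks.reassign(tok, "ProjectB", "member", now=t0 + 5)    # token recycled before its expiry time
    results.append(mw.authenticate(client_request(mw, tok, "alice", "ProjectA", "member"), t0 + 6))
    results.append(mw.authenticate(client_request(mw, tok, "alice", "ProjectB", "member"), t0 + 3601))
    return results

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The first request carries empty configuration and goes to the certificate server, which fills the cache and policy.json; the second is answered from the cache alone. The tampered Audit_ID, the claimed admin role, the request from the original holder after the token has been recycled to ProjectB, and the request after the expiry time each fail at the step the text assigns to them. One design choice in this example goes slightly beyond the text: the middleware compares the client-supplied Audit_ID, tenant and role against the cache and policy.json but takes the expiry time from the cache, so that a client cannot extend its own token by editing the configuration information it carries.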
In the cloud platform authentication method provided by this embodiment of the invention, the authentication middleware authenticates non-first-authentication tokens according to the authentication-exempt flag and configuration information carried in the authentication request, making full use of the efficiency of the cloud platform cache, promoting the storage of valid tokens in the cache, avoiding repeated authentication with the certificate server, reducing the load on the certificate server, improving the efficiency of the authentication service and thereby improving cloud platform service quality.
Fig. 4 is a structural schematic diagram of a cloud platform client provided by an embodiment of the invention. As shown in Fig. 4, the client comprises an obtaining module 41 and a sending module 42, wherein:
the obtaining module 41 is used to obtain the token's configuration information, the configuration information comprising token generation information and the token's expiry time; the sending module 42 is used to send a token authentication request to the authentication middleware, the authentication request carrying the configuration information and an authentication-exempt flag, so that the authentication middleware, according to the authentication-exempt flag and after determining that the authentication request is a non-first authentication, judges whether the token is legitimate according to the token generation information and the expiry time.
Specifically, the obtaining module 41 looks up the token's configuration information in the system cache, such as the token generation information and the token expiry time; the sending module 42 then sends a token authentication request to the authentication middleware, the request carrying the token ID, the configuration information and the authentication-exempt flag. After receiving the authentication request sent by the client, the authentication middleware parses it, obtains the token ID and configuration information, and judges whether the request carries an authentication-exempt flag; if so, it judges whether the request is a first authentication. After the authentication middleware determines that the request is a non-first authentication, it performs a security check on the token identity according to the token generation information: it first parses the token generation information and judges whether the user information in it is consistent with the user information in the current authentication request, then looks up the corresponding token generation information in the system cache by token ID and judges whether the two are consistent, that is, whether the token identity is legitimate or forged. If consistent with the system cache, the token identity is legitimate. It then compares the current time with the expiry time carried in the authentication request and judges whether the token has expired. If the identity is legitimate and the token has not expired, the token passes authentication and the user can then use the corresponding cloud platform service. If the token identity is illegitimate or the token's expiry time has passed, the token fails authentication and the authentication middleware returns an operation failure message. The device provided by this embodiment of the invention is used to implement the above method; for its functions refer specifically to the above method embodiment, which is not repeated here.
The cloud platform client provided by this embodiment of the invention carries the token generation information, the token's expiry time and an authentication-exempt flag in the token authentication request, so that the authentication middleware can directly authenticate a non-first-authentication token according to the authentication-exempt flag, avoiding repeated authentication with the certificate server, reducing the load on the certificate server, improving the efficiency of the authentication service and thereby improving cloud platform service quality.
Fig. 5 is a structural schematic diagram of a cloud platform authentication middleware provided by an embodiment of the invention. As shown in Fig. 5, the authentication middleware comprises a receiving module 51, a judgment module 52, a first authentication module 53 and a second authentication module 54, wherein:
the receiving module 51 is used to receive a token authentication request sent by a cloud platform client, the authentication request carrying the token's configuration information and an authentication-exempt flag, the configuration information comprising the token generation information and the token's expiry time; the judgment module 52 is used to parse the authentication request, obtain the authentication-exempt flag and judge whether the authentication request is a non-first authentication; the first authentication module 53 is used, if it is determined that the request is a non-first authentication, to judge whether the token identity is legitimate according to the token generation information; the second authentication module 54 is used, if it is determined that the token identity is legitimate, to judge whether the token has expired according to the expiry time.
Specifically, after the client obtains the token ID it sends an authentication request to the receiving module 51, which receives the authentication request sent by the client; the request carries the token ID, the configuration information and the authentication-exempt flag. The judgment module 52 parses the authentication request, obtains the token ID and configuration information, and judges whether the request carries an authentication-exempt flag; if so, it judges whether the user's trust level permits the authentication-exempt process, for example whether the user is a LAN user or an internal user of the cloud platform system. The judgment module 52 then judges whether the request is a first authentication. After the judgment module 52 determines that the request is a non-first authentication, the first authentication module 53 performs a security check on the token identity according to the token generation information: it first parses the token generation information and judges whether the user information in it is consistent with the user information in the current authentication request, then looks up the corresponding token generation information in the system cache by token ID and judges whether the two are consistent. If consistent with the system cache, the token identity is legitimate; if not, the token identity is illegitimate. After the first authentication module 53 verifies that the token identity is legitimate, the second authentication module 54 compares the current time with the expiry time carried in the authentication request and judges whether the token has expired. If the identity is legitimate and the token has not expired, the token passes authentication and the user can then use the corresponding cloud platform service. If the token identity is illegitimate or the token's expiry time has passed, the token fails authentication and an operation failure message is returned. The device provided by this embodiment of the invention is used to implement the above method; for its functions refer specifically to the above method embodiment, which is not repeated here.
The cloud platform authentication middleware provided by this embodiment of the invention authenticates non-first-authentication tokens according to the authentication-exempt flag and configuration information carried in the authentication request, avoiding repeated authentication with the certificate server, reducing the load on the certificate server, improving the efficiency of the authentication service and thereby improving cloud platform service quality.
Fig. 6 is a structural schematic diagram of a cloud platform system provided by an embodiment of the invention. As shown in Fig. 6, the cloud platform system comprises a cloud platform client 61 and a cloud platform authentication middleware 62. For the functions of the cloud platform client 61 in the cloud platform system refer specifically to the above cloud platform client embodiment, and for the functions of the cloud platform authentication middleware 62 refer specifically to the above cloud platform authentication middleware embodiment; they are not repeated here.
Fig. 7 is a structural schematic diagram of an electronic device provided by an embodiment of the invention. As shown in Fig. 7, the device comprises: a processor 71, a memory 72 and a bus 73;
wherein the processor 71 and the memory 72 complete mutual communication through the bus 73;
the processor 71 is used to call program instructions in the memory 72 to execute the method provided by each of the above method embodiments, for example: obtaining configuration information of a token, the configuration information comprising token generation information and the token's expiry time; sending a token authentication request to an authentication middleware, the authentication request carrying the configuration information and an authentication-exempt flag, so that the authentication middleware, according to the authentication-exempt flag and after determining that the authentication request is a non-first authentication, judges whether the token is legitimate according to the token generation information and the expiry time.
An embodiment of the invention discloses a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the method provided by each of the above method embodiments, for example: obtaining configuration information of a token, the configuration information comprising token generation information and the token's expiry time; sending a token authentication request to an authentication middleware, the authentication request carrying the configuration information and an authentication-exempt flag, so that the authentication middleware, according to the authentication-exempt flag and after determining that the authentication request is a non-first authentication, judges whether the token is legitimate according to the token generation information and the expiry time.
An embodiment of the invention provides a non-transitory computer readable storage medium storing computer instructions which cause the computer to perform the method provided by each of the above method embodiments, for example: obtaining configuration information of a token, the configuration information comprising token generation information and the token's expiry time; sending a token authentication request to an authentication middleware, the authentication request carrying the configuration information and an authentication-exempt flag, so that the authentication middleware, according to the authentication-exempt flag and after determining that the authentication request is a non-first authentication, judges whether the token is legitimate according to the token generation information and the expiry time.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be completed by hardware related to program instructions. The program may be stored in a computer readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disk or optical disk.
The device embodiments described above are only schematic; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative labour.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment may be implemented by means of software plus a necessary general hardware platform, and of course also by hardware. Based on this understanding, the above technical solution in essence, or the part of it that contributes to the prior art, may be embodied in the form of a software product, which may be stored in a computer readable storage medium such as ROM/RAM, magnetic disk or optical disk and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are only for illustrating the technical solutions of the embodiments of the invention and not for limiting them. Although the embodiments of the invention have been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features equivalently replaced, and that such modifications or replacements do not make the essence of the corresponding technical solution depart from the scope of the technical solutions of the embodiments of the invention.

Claims (10)

1. A cloud platform authentication method, characterized by comprising:
obtaining configuration information of a token, the configuration information comprising token generation information and an expiry time of the token;
sending a token authentication request to an authentication middleware, the authentication request carrying the configuration information and an authentication-exempt flag, so that the authentication middleware, according to the authentication-exempt flag and after determining that the authentication request is a non-first authentication, judges whether the token is legitimate according to the token generation information and the expiry time.
2. The method according to claim 1, characterized in that obtaining the configuration information of the token comprises:
sending a token acquisition request to a certificate server, so that the certificate server determines a token ID, the token generation information and the expiry time of the token, and sends the token ID;
sending an authentication request corresponding to the token ID to the authentication middleware, so that the authentication middleware, after determining that the authentication request is a first authentication, forwards the authentication request to the certificate server, and the certificate server, after the token passes authentication, stores the token generation information and the expiry time of the token in a system cache;
obtaining the token generation information and the expiry time from the system cache.
3. The method according to claim 1, characterized in that the configuration information further comprises: tenant information of the token and/or role information of the token.
4. A cloud platform authentication method, characterized by comprising:
receiving a token authentication request sent by a cloud platform client, the authentication request carrying configuration information of the token and an authentication-exempt flag, the configuration information comprising token generation information and an expiry time of the token;
parsing the authentication request, obtaining the authentication-exempt flag, and judging whether the authentication request is a non-first authentication;
if it is determined that the request is a non-first authentication, judging whether the token identity is legitimate according to the token generation information;
if it is determined that the token identity is legitimate, judging whether the token has expired according to the expiry time.
5. The method according to claim 4, characterized in that the configuration information further comprises:
tenant information of the token and/or role information of the token;
correspondingly, the method further comprises:
if it is determined that the token identity is legitimate and the token has not expired, judging whether the tenant information or the role information of the token is legitimate according to preset token authority information.
6. A cloud platform client, characterized by comprising:
an obtaining module, for obtaining configuration information of a token, the configuration information comprising token generation information and an expiry time of the token;
a sending module, for sending a token authentication request to an authentication middleware, the authentication request carrying the configuration information and an authentication-exempt flag, so that the authentication middleware, according to the authentication-exempt flag and after determining that the authentication request is a non-first authentication, judges whether the token is legitimate according to the token generation information and the expiry time.
7. A cloud platform authentication middleware, characterized by comprising:
a receiving module, for receiving a token authentication request sent by a cloud platform client, the authentication request carrying configuration information of the token and an authentication-exempt flag, the configuration information comprising token generation information and an expiry time of the token;
a judgment module, for parsing the authentication request, obtaining the authentication-exempt flag, and judging whether the authentication request is a non-first authentication;
a first authentication module, for judging, if it is determined that the request is a non-first authentication, whether the token identity is legitimate according to the token generation information;
a second authentication module, for judging, if it is determined that the token identity is legitimate, whether the token has expired according to the expiry time.
8. A cloud platform system, characterized by comprising: the cloud platform client according to claim 6 and the cloud platform authentication middleware according to claim 7.
9. An electronic device, characterized by comprising:
a memory and a processor, the processor and the memory completing mutual communication through a bus; the memory stores program instructions executable by the processor, and the processor calls the program instructions to be able to perform the method according to any one of claims 1 to 5.
10. A computer readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the method according to any one of claims 1 to 5.
CN201810320459.8A 2018-04-11 2018-04-11 Cloud platform authentication method, client, middleware and system Active CN110365483B (en)

Publications (2)

Publication Number Publication Date
CN110365483A true CN110365483A (en) 2019-10-22
CN110365483B CN110365483B (en) 2022-06-14

Family

ID=68214186


Country Status (1)

Country Link
CN (1) CN110365483B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080052245A1 (en) * 2006-08-23 2008-02-28 Richard Love Advanced multi-factor authentication methods
CN103188242A (en) * 2011-12-30 2013-07-03 ***通信集团广东有限公司 Data protecting method, data protecting server and system
CN105871854A (en) * 2016-04-11 2016-08-17 浙江工业大学 Self-adaptive cloud access control method based on dynamic authorization mechanism

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MISS_YANG_CLOUD: "In-depth research and analysis of Keystone authentication" (keystone 认证深度研究分析), 《HTTPS://BLOG.CSDN.NET/MISS_YANG_CLOUD/ARTICLE/DETAILS/72902760》 *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111447220B (en) * 2020-03-26 2022-08-23 金蝶软件(中国)有限公司 Authentication information management method, server of application system and computer storage medium
CN111447220A (en) * 2020-03-26 2020-07-24 金蝶软件(中国)有限公司 Authentication information management method, server of application system and computer storage medium
CN111552568A (en) * 2020-04-28 2020-08-18 中国银行股份有限公司 Cloud service calling method and device
CN111552568B (en) * 2020-04-28 2023-11-21 中国银行股份有限公司 Cloud service calling method and device
CN111698312A (en) * 2020-06-08 2020-09-22 中国建设银行股份有限公司 Service processing method, device, equipment and storage medium based on open platform
CN111698312B (en) * 2020-06-08 2022-10-21 中国建设银行股份有限公司 Service processing method, device, equipment and storage medium based on open platform
CN111885057A (en) * 2020-07-23 2020-11-03 中国平安财产保险股份有限公司 Message middleware access method, device, equipment and storage medium
CN112019343A (en) * 2020-07-28 2020-12-01 苏州浪潮智能科技有限公司 OpenStack token optimization method and system
CN112019343B (en) * 2020-07-28 2022-12-23 苏州浪潮智能科技有限公司 OpenStack token optimization method and system
CN112019539B (en) * 2020-08-27 2023-01-06 苏州浪潮智能科技有限公司 Authentication method, device, equipment and readable medium for private cloud
CN112019539A (en) * 2020-08-27 2020-12-01 苏州浪潮智能科技有限公司 Authentication method, device, equipment and readable medium for private cloud
CN112600831A (en) * 2020-12-11 2021-04-02 析云网络科技(苏州)有限公司 Network client identity authentication system and method
CN114499977A (en) * 2021-12-28 2022-05-13 天翼云科技有限公司 Authentication method and device
CN114499977B (en) * 2021-12-28 2023-08-08 天翼云科技有限公司 Authentication method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant