CN114302396B - Data management method, device, equipment, storage medium and system - Google Patents


Info

Publication number
CN114302396B
Authority
CN
China
Prior art keywords
node
user
information
edge
authentication information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111528603.5A
Other languages
Chinese (zh)
Other versions
CN114302396A (en)
Inventor
徐治理
张雪贝
霍龙社
曹云飞
崔煜喆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd
Priority to CN202111528603.5A
Publication of CN114302396A
Application granted
Publication of CN114302396B
Legal status: Active
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a data management method, device, equipment, storage medium and system, and relates to the field of communications. The method is applied to a first node in a UDM system and includes the following steps: acquiring authentication information of a first user; broadcasting the authentication information of the first user; receiving first information sent by each of at least one second node, where the second node is an edge node other than the first node, or the central node; the first information is generated after the second node checks, according to the authentication information of the first user and the registration information of the first user stored in the second node, whether the first user is a valid registered user, and indicates whether the authentication information of the first user passed the check of the second node; and determining an authentication result of the first user according to the proportion, among all the received first information, of first information indicating that the check of the second node passed, compared with a preset first proportion. The method is applicable to the authentication process and is used to improve the security of the UDM system.

Description

Data management method, device, equipment, storage medium and system
Technical Field
The present application relates to the field of communications, and in particular, to a data management method, apparatus, device, storage medium, and system.
Background
The unified data management (UDM) network element is one of the network elements in the core network of the fifth generation mobile communication technology (5G). The UDM network element may be used for storing subscription data of users, for authentication, and so on. For example, the UDM network element may obtain authentication information sent by a user equipment, and when that authentication information is the same as the registration information pre-stored in the UDM network element, the UDM network element may determine that the authentication of the user equipment passes. After the authentication passes, the UDM network element may provide a service to the user according to the service information in the user's subscription data; for example, the service information may include quality of service (QoS) information.
Currently, some users need to build flexible production lines, which require a high availability (HA) network. To provide users with a high availability network, operators have proposed a distributed UDM system. The distributed UDM system may comprise a central UDM network element and edge UDM network elements; the central UDM network element is connected to the plurality of edge UDM network elements in a star topology. Each edge UDM network element may acquire from the central UDM network element, and store, the registration information and subscription data of the users in the subnet corresponding to that edge UDM network element. Each edge UDM network element may then implement the above-mentioned functions of the UDM network element within its own subnet according to the registration information and subscription data of the users of that subnet.
However, in the current distributed UDM system there is a risk that a user of an edge UDM network element maliciously disconnects the edge UDM network element from the central UDM network element and then privately tampers with the registration information and subscription data of users stored in that edge UDM network element.
Disclosure of Invention
The application provides a data management method, device, equipment and storage medium, which can prevent a user of an edge node from maliciously disconnecting the edge node from the central node and privately tampering with the registration information of users, thereby improving the security of the UDM system.
In a first aspect, the present application provides a data management method applied to a first node in a unified data management (UDM) system, the UDM system comprising a central node and a plurality of edge nodes; each edge node is connected with the central node, and each edge node is connected with at least one other edge node of the plurality of edge nodes; the first node is one of the plurality of edge nodes. The method includes the following steps: the first node acquires authentication information of a first user, the first user being a user of the subnet corresponding to the first node; the first node broadcasts the authentication information of the first user; the first node receives first information sent by each of at least one second node, the second node being at least one of an edge node other than the first node and the central node; the first information is generated after the second node checks, according to the authentication information of the first user and the registration information of the first user stored in the second node, whether the first user is a valid registered user, and indicates whether the authentication information of the first user passed the check of the second node; and the first node determines an authentication result of the first user according to the proportion, among all the received first information, of first information indicating that the check of the second node passed, compared with a preset first proportion.
In a possible implementation, before the first node broadcasts the authentication information of the first user, the method further includes: the first node determines that the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the first node.
In another possible implementation, the method further includes: when the central node and the edge nodes are disconnected, the first node receives registration information of the first user that is sent by an edge node other than the first node and/or entered by an administrator of the subnet corresponding to the first node, and stores the registration information of the first user.
In yet another possible implementation, the first node broadcasting the authentication information of the first user includes: the first node generates a block according to the authentication information of the first user, the block comprising the authentication information of the first user and identity information of the first node, where the identity information of the first node is used by the second node to verify the identity of the first node; and the first node broadcasts the block.
In yet another possible implementation, the first node broadcasting the authentication information of the first user includes: the first node sends the authentication information of the first user to a third node, so that the third node generates a block according to the authentication information of the first user and broadcasts the block; the third node is an edge node other than the first node, or the central node.
In another possible implementation, the first node is connected to a first network device and stores quality of service information of the users of the subnet corresponding to each edge node; the authentication result of the first user is pass or fail; and the method further includes: after determining that the first user is a valid registered user, the first node determines and records the quality of service information of the first user according to the quality of service information of the users of the subnet corresponding to each edge node; and when the authentication result of the first user is pass, the first node sends the quality of service information of the first user to the first network device, so that the first network device provides service to the first user according to that quality of service information.
In another possible implementation, the first node is connected to a first network device and stores quality of service information of the users of the subnet corresponding to each edge node; the authentication result of the first user is pass or fail; and the method further includes: the first node receives a first instruction sent by the central node, the first instruction instructing the first node to send basic quality of service information to the first network device when the authentication result of the first user is pass; the central node sends the first instruction when the number of other edge nodes to which the first node is connected is smaller than a preset number threshold; and in response to the first instruction, when the authentication result of the first user is pass, the first node sends the basic quality of service information to the first network device, so that the first network device provides service to the first user according to the basic quality of service information.
In yet another possible implementation, there are a plurality of central nodes, which are connected to each other; "each edge node is connected with the central node" means that each edge node is connected to one of the plurality of central nodes; and "the second node is a central node" means that the second node is one of the plurality of central nodes.
In the data management method provided by the embodiments of the application, the central nodes with each other, and the central node with the edge nodes, are connected in a peer-to-peer (P2P) manner, which is more robust than the existing star connection. The central node and each edge node in the UDM system may store the registration information of the users of the subnet corresponding to each edge node. An edge node in the UDM system (for example, the first node above) may obtain the authentication information of a user in its subnet and broadcast it. Other edge nodes or the central node in the UDM system (for example, the second node) may check the user's authentication information against the registration information they each store for the users of every subnet, generate first information, and send the first information to the edge node that broadcast the authentication information. That edge node may then determine the authentication result of the user according to the first information. Because the broadcasting edge node can complete a normal authentication only after receiving first information that other nodes produced by checking the user's authentication information, a user of one edge node who maliciously disconnects that edge node from the central node and attempts to privately tamper with registration information does not succeed: the registration information that the other edge nodes store for the users of that subnet differs from the tampered registration information, so the edge node cannot pass the authentication of a user whose registration information was privately tampered with. The security of the UDM system is thereby improved.
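The following Python simulation is an added illustration of the authentication flow of the first aspect (local check, broadcast of a block carrying the node's identity proof, per-peer check, threshold on the share of passing replies); it is not code from the patent or from the applicant. The node names, the user credentials, the HMAC-based identity proof standing in for whatever "identity information of the first node" the patent leaves unspecified, the credential format and the value 2/3 for the first proportion are all assumptions made for this example. It also reproduces the tampering scenario from the paragraph above: an edge node cut off from the central node inserts a registration locally and tries to authenticate that user.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Example only (not the patent's code). Assumptions: registration information is a
# salted hash of the user's secret; a node proves its identity with an HMAC under a
# per-node key that every other node knows; first proportion defaults to 2/3.


def _cred(user: str, secret: str) -> str:
    """Stored registration information for a user (assumed format)."""
    return hashlib.sha256(f"{user}:{secret}".encode()).hexdigest()


@dataclass
class Node:
    node_id: str
    identity_key: bytes                                 # key behind this node's identity information
    registrations: dict = field(default_factory=dict)   # user -> stored registration information
    peers: list = field(default_factory=list)           # connected edge nodes / central node
    known_keys: dict = field(default_factory=dict)      # node_id -> identity key of other nodes

    # ---- first-node side ---------------------------------------------------
    def local_check(self, user: str, auth_info: str) -> bool:
        stored = self.registrations.get(user)
        return stored is not None and hmac.compare_digest(stored, _cred(user, auth_info))

    def make_block(self, user: str, auth_info: str) -> dict:
        """The broadcast block: authentication information plus the sender's identity proof."""
        payload = f"{self.node_id}|{user}|{auth_info}".encode()
        tag = hmac.new(self.identity_key, payload, "sha256").hexdigest()
        return {"node_id": self.node_id, "user": user, "auth_info": auth_info, "tag": tag}

    def authenticate(self, user: str, auth_info: str, first_proportion: float) -> str:
        # Step 1: check against the registration information stored locally.
        if not self.local_check(user, auth_info):
            return "fail"
        # Step 2: broadcast the block and collect the "first information" from every peer.
        block = self.make_block(user, auth_info)
        first_info = [peer.verify_block(block) for peer in self.peers]
        if not first_info:
            return "fail"            # no peer reachable: the node may not authenticate alone
        # Step 3: share of passing replies among all replies, against the preset first proportion.
        share = sum(first_info) / len(first_info)
        return "pass" if share >= first_proportion else "fail"

    # ---- second-node side --------------------------------------------------
    def verify_block(self, block: dict) -> bool:
        """Produce the 'first information': True only if sender identity and user both check out."""
        key = self.known_keys.get(block["node_id"])
        if key is None:
            return False             # unknown sender: not a node of the UDM system
        payload = f"{block['node_id']}|{block['user']}|{block['auth_info']}".encode()
        expected = hmac.new(key, payload, "sha256").hexdigest()
        if not hmac.compare_digest(expected, block["tag"]):
            return False             # block forged or altered in transit
        return self.local_check(block["user"], block["auth_info"])


NODE_IDS = ("central", "edge1", "edge2", "edge3")


def build_system(tamper: bool) -> dict:
    """Constructed sample: one central node and three edge nodes holding the same registrations."""
    keys = {n: hashlib.sha256(f"key-{n}".encode()).digest() for n in NODE_IDS}
    regs = {"alice": _cred("alice", "pw-alice"), "bob": _cred("bob", "pw-bob")}
    nodes = {n: Node(n, keys[n], dict(regs), known_keys=keys) for n in NODE_IDS}
    for n in nodes.values():
        n.peers = [p for p in nodes.values() if p is not n]
    if tamper:
        # edge1's operator cuts the link to the central node and adds a user locally.
        nodes["edge1"].peers = [nodes["edge2"], nodes["edge3"]]
        nodes["edge1"].registrations["mallory"] = _cred("mallory", "pw-mallory")
    return nodes


def demo(tamper: bool, user: str, secret: str, first_proportion: float = 2 / 3) -> str:
    """Run one authentication of `user` at edge1 and return 'pass' or 'fail'."""
    return build_system(tamper)["edge1"].authenticate(user, secret, first_proportion)


if __name__ == "__main__":
    print("legitimate user :", demo(False, "alice", "pw-alice"))
    print("wrong secret    :", demo(False, "alice", "nope"))
    print("tampered entry  :", demo(True, "mallory", "pw-mallory"))
```

The tampered entry fails even though edge1's own check passes: edge2 and edge3 accept the block as genuinely coming from edge1 but find no registration for the inserted user, so the share of passing replies is 0 and falls below the first proportion. Note that the first proportion must be chosen against the number of reachable peers; with a single reachable peer any value at or below 1 reduces the scheme to trusting that one peer.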
In a second aspect, the present application provides a data management device, which may be applied to the first node in the unified data management (UDM) system described in the first aspect, where the UDM system includes a central node and a plurality of edge nodes; each edge node is connected with the central node, and each edge node is connected with at least one other edge node of the plurality of edge nodes; the first node is one of the plurality of edge nodes. The device may include an acquisition unit, a sending unit and a processing unit. The acquisition unit is configured to acquire authentication information of a first user, the first user being a user of the subnet corresponding to the first node. The sending unit is configured to broadcast the authentication information of the first user. The acquisition unit is further configured to receive first information sent by each of at least one second node, the second node being at least one of an edge node other than the first node and the central node; the first information is generated after the second node checks, according to the authentication information of the first user and the registration information of the first user stored in the second node, whether the first user is a valid registered user, and indicates whether the authentication information of the first user passed the check of the second node. The processing unit is configured to determine an authentication result of the first user according to the proportion, among all the received first information, of first information indicating that the check of the second node passed, compared with a preset first proportion.
In a possible implementation, the processing unit is further configured to determine, before the sending unit broadcasts the authentication information of the first user, that the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the first node.
In another possible implementation, the acquisition unit is further configured to receive, when the central node and the edge nodes are disconnected, registration information of the first user that is sent by an edge node other than the first node and/or entered by an administrator of the subnet corresponding to the first node, and to store the registration information of the first user.
In another possible implementation, the sending unit is specifically configured to generate a block according to the authentication information of the first user, the block including the authentication information of the first user and identity information of the first node, where the identity information of the first node is used by the second node to verify the identity of the first node; and to broadcast the block.
In another possible implementation, the sending unit is specifically configured to send the authentication information of the first user to a third node, so that the third node generates a block according to the authentication information of the first user and broadcasts the block; the third node is an edge node other than the first node, or the central node.
In another possible implementation, the first node is connected to a first network device and stores quality of service information of the users of the subnet corresponding to each edge node; the authentication result of the first user is pass or fail. The processing unit is further configured to determine and record the quality of service information of the first user according to the quality of service information of the users of the subnet corresponding to each edge node, after determining that the first user is a valid registered user. The sending unit is further configured to send the quality of service information of the first user to the first network device when the authentication result of the first user is pass, so that the first network device provides service to the first user according to that quality of service information.
In another possible implementation, the acquisition unit is further configured to receive a first instruction sent by the central node, the first instruction instructing the first node to send basic quality of service information to the first network device when the authentication result of the first user is pass; the central node sends the first instruction when the number of other edge nodes to which the first node is connected is smaller than a preset number threshold. The sending unit is further configured to send, in response to the first instruction and when the authentication result of the first user is pass, the basic quality of service information to the first network device, so that the first network device provides service to the first user according to the basic quality of service information.
In yet another possible implementation, there are a plurality of central nodes, which are connected to each other; "each edge node is connected with the central node" means that each edge node is connected to one of the plurality of central nodes; and "the second node is a central node" means that the second node is one of the plurality of central nodes.
In a third aspect, the present application provides a data management method applicable to a second node in a UDM system, the UDM system comprising a central node and a plurality of edge nodes; each edge node is connected with the central node, and each edge node is connected with at least one other edge node of the plurality of edge nodes; the second node is at least one of an edge node other than the first node and the central node, and the first node is one of the plurality of edge nodes. The method includes the following steps: the second node receives authentication information of a first user broadcast by the first node, the first user being a user of the subnet corresponding to the first node; the second node checks whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the second node; the second node generates first information according to the result of that check, the first information indicating whether the authentication information of the first user passed the check of the second node; and the second node sends the first information to the first node, so that the first node determines an authentication result of the first user according to the proportion, among all the received first information, of first information indicating that the check of the second node passed, compared with a preset first proportion.
In a possible implementation manner, the authentication information of the first user, which is broadcast by the first node and received by the second node, is sent after the first node determines that the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the first node.
In another possible implementation manner, in the case that the central node and the edge node are disconnected, the registration information of the first user stored in the first node is sent by the edge node other than the first node and/or is input by a manager of the subnet corresponding to the first node.
In yet another possible implementation manner, the second node receives authentication information of the first user broadcasted by the first node, including: the second node receives a block broadcasted by the first node, wherein the block is generated by the first node according to the authentication information of the first user, and comprises the authentication information of the first user and the identity information of the first node; the identity information of the first node is used by the second node to verify the identity of the first node.
In yet another possible implementation, the second node receiving the authentication information of the first user broadcast by the first node includes: the second node receives a block broadcast by a third node, the block being generated by the third node according to the authentication information of the first user after the first node sends that authentication information to the third node, and comprising the authentication information of the first user and identity information of the third node; the identity information of the third node is used by the central node and the edge nodes to verify the identity of the third node; the third node is an edge node other than the first node, or the central node.
In another possible implementation, the second node stores quality of service information of the users of the subnet corresponding to each edge node, and after the second node checks whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the second node, the method further includes: when the second node determines that the first user is a valid registered user, the second node determines and records the quality of service information of the first user according to the quality of service information of the users of the subnet corresponding to each edge node stored in the second node.
In yet another possible implementation, there are a plurality of central nodes, which are connected to each other; "each edge node is connected with the central node" means that each edge node is connected to one of the plurality of central nodes; and "the second node is a central node" means that the second node is one of the plurality of central nodes.
In a fourth aspect, the present application provides a data management apparatus applicable to the second node in the UDM system described in the third aspect, the UDM system including a central node and a plurality of edge nodes; each edge node is connected with the central node, and each edge node is connected with at least one other edge node of the plurality of edge nodes; the second node is at least one of an edge node other than the first node and the central node, and the first node is one of the plurality of edge nodes. The apparatus may include an acquisition unit, a processing unit and a sending unit. The acquisition unit is configured to receive authentication information of a first user broadcast by the first node, the first user being a user of the subnet corresponding to the first node. The processing unit is configured to check whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the second node, and to generate first information according to the result of that check, the first information indicating whether the authentication information of the first user passed the check of the second node. The sending unit is configured to send the first information to the first node, so that the first node determines an authentication result of the first user according to the proportion, among all the received first information, of first information indicating that the check of the second node passed, compared with a preset first proportion.
In a possible implementation manner, the authentication information of the first user, which is broadcast by the first node and received by the second node, is sent after the first node determines that the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the first node.
In another possible implementation manner, in the case that the central node and the edge node are disconnected, the registration information of the first user stored in the first node is sent by the edge node other than the first node and/or is input by a manager of the subnet corresponding to the first node.
In another possible implementation, the acquisition unit is specifically configured to receive a block broadcast by the first node, the block being generated by the first node according to the authentication information of the first user and including the authentication information of the first user and identity information of the first node; the identity information of the first node is used by the second node to verify the identity of the first node.
In another possible implementation, the acquisition unit is specifically configured to receive a block broadcast by a third node, the block being generated by the third node according to the authentication information of the first user after the first node sends that authentication information to the third node; the third node is an edge node other than the first node, or the central node.
In yet another possible implementation, the second node stores quality of service information of the users of the subnet corresponding to each edge node, and the processing unit is further configured to determine and record the quality of service information of the first user according to the quality of service information of the users of the subnet corresponding to each edge node stored in the second node, when it determines that the first user is a valid registered user.
In yet another possible implementation, there are a plurality of central nodes, which are connected to each other; "each edge node is connected with the central node" means that each edge node is connected to one of the plurality of central nodes; and "the second node is a central node" means that the second node is one of the plurality of central nodes.
In a fifth aspect, the present application provides a data management method applicable to a central node in a UDM system, the UDM system comprising a central node and a plurality of edge nodes; each edge node is connected with the central node, and each edge node is connected with at least one other edge node of the plurality of edge nodes; the edge nodes are in one-to-one correspondence with identity information of first institutions. The method includes the following steps: the central node acquires a system log set, the system log set comprising the edge nodes and the event information corresponding to each edge node; for each edge node, when the event information corresponding to that edge node in the system log set satisfies a preset condition, the central node determines that the edge node is a malicious node and generates a first request; the central node broadcasts the first request together with a first log corresponding to the first request, where the first request requests disclosure of the identity information of the first institution corresponding to the malicious node, and the first log is the log in the system log set in which the event information corresponding to the malicious node is recorded; the central node obtains the votes of the edge nodes on the first request; and when the proportion of votes agreeing to the first request is larger than a preset second proportion, the central node broadcasts the identity information of the first institution corresponding to the malicious node named in the first request.
In a sixth aspect, the present application provides a data management apparatus applicable to the central node in the UDM system described in the fifth aspect, where the UDM system includes a central node and a plurality of edge nodes; each edge node is connected with the central node, and each edge node is connected with at least one other edge node of the plurality of edge nodes; the edge nodes are in one-to-one correspondence with identity information of first institutions. The apparatus comprises an acquisition unit, a processing unit and a sending unit. The acquisition unit is configured to acquire a system log set, the system log set comprising the edge nodes and the event information corresponding to each edge node. The processing unit is configured to determine, for each edge node, that the edge node is a malicious node and to generate a first request when the event information corresponding to that edge node in the system log set satisfies a preset condition. The sending unit is configured to broadcast the first request together with a first log corresponding to the first request, where the first request requests disclosure of the identity information of the first institution corresponding to the malicious node, and the first log is the log in the system log set in which the event information corresponding to the malicious node is recorded. The acquisition unit is further configured to obtain the votes of the edge nodes on the first request. The sending unit is further configured to broadcast the identity information of the first institution corresponding to the malicious node named in the first request when the proportion of votes agreeing to the first request is larger than a preset second proportion.
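The following Python sketch is an added illustration of the central-node procedure of the fifth and sixth aspects (scan the system log set, flag a node whose events meet the preset condition, broadcast the request with its supporting log, count the edge nodes' votes against the second proportion, and only then disclose the institution behind the node); it is not code from the patent or from the applicant. The patent does not say what the "preset condition" is, what the log records look like or how an edge node decides its vote, so this example assumes a condition of at least two suspicious events, a constructed log set of (edge node, event) pairs, a second proportion of 0.5, and edge nodes that vote by independently re-checking the broadcast first log rather than trusting the central node's claim.

```python
from collections import Counter

# Example only (not the patent's code). Assumed event names, preset condition
# (>= `threshold` suspicious events), vote rule and second proportion (0.5).
SUSPICIOUS_EVENTS = {"link_down_to_central", "registration_modified_offline"}

# Constructed sample system log set: (edge_node, event) records.
SYSTEM_LOG_SET = [
    ("edge1", "auth_request"),
    ("edge1", "link_down_to_central"),
    ("edge1", "registration_modified_offline"),
    ("edge1", "registration_modified_offline"),
    ("edge2", "auth_request"),
    ("edge2", "link_down_to_central"),
    ("edge3", "auth_request"),
]

# Held only by the central node: edge node -> identity of its institution (constructed).
INSTITUTION_OF = {"edge1": "Institution-A", "edge2": "Institution-B", "edge3": "Institution-C"}


def find_malicious_nodes(log_set, threshold: int = 2) -> list:
    """Preset condition: an edge node with at least `threshold` suspicious events."""
    counts = Counter(node for node, event in log_set if event in SUSPICIOUS_EVENTS)
    return sorted(node for node, n in counts.items() if n >= threshold)


def first_request(log_set, node: str):
    """The first request and the first log (that node's records) broadcast together with it."""
    first_log = [(n, e) for n, e in log_set if n == node]
    return {"request": "reveal_institution", "node": node}, first_log


def edge_vote(request: dict, first_log, threshold: int = 2) -> bool:
    """An edge node agrees only if the broadcast first log itself substantiates the request."""
    suspicious = sum(1 for n, e in first_log if n == request["node"] and e in SUSPICIOUS_EVENTS)
    return suspicious >= threshold


def tally(votes: dict, second_proportion: float) -> bool:
    """Disclose only if the share of agreeing votes is strictly above the second proportion."""
    if not votes:
        return False
    return sum(votes.values()) / len(votes) > second_proportion


def central_node_round(log_set, voters, second_proportion: float = 0.5, threshold: int = 2) -> dict:
    """One detection round; returns {malicious node: institution identity} to be broadcast."""
    revealed = {}
    for node in find_malicious_nodes(log_set, threshold):
        request, first_log = find_malicious_nodes, None  # placeholder overwritten below
        request, first_log = first_request(log_set, node)
        # The suspect does not vote on its own disclosure (assumption).
        votes = {v: edge_vote(request, first_log, threshold) for v in voters if v != node}
        if tally(votes, second_proportion):
            revealed[node] = INSTITUTION_OF[node]
    return revealed


if __name__ == "__main__":
    print("malicious:", find_malicious_nodes(SYSTEM_LOG_SET))
    print("revealed :", central_node_round(SYSTEM_LOG_SET, ["edge1", "edge2", "edge3"]))
```

Making the voters re-check the first log is the point of broadcasting the log alongside the request: a central node cannot obtain disclosure of an institution by asserting misbehaviour it has no records for, and the strict inequality in `tally` means a split vote does not disclose.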
In a seventh aspect, the present application provides a unified data management (UDM) system comprising a central node and a plurality of edge nodes; each edge node is connected with the central node, and each edge node is connected with at least one other edge node of the plurality of edge nodes. A first node acquires authentication information of a first user, the first user being a user of the subnet corresponding to the first node, and the first node being one of the plurality of edge nodes; the first node broadcasts the authentication information of the first user; a second node checks whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the second node, the second node being an edge node other than the first node, or the central node; the second node generates first information according to the result of that check, the first information indicating whether the authentication information of the first user passed the check of the second node; the second node sends the first information to the first node; and the first node determines an authentication result of the first user according to the proportion, among all the received first information, of first information indicating that the check of the second node passed, compared with a preset first proportion.
In addition, the unified data management UDM system provided in the present application may further execute the steps executed by the first node in the first aspect, the second node in the third aspect, and the central node in the fifth aspect, so as to implement all functions of the first node in the first aspect, the second node in the third aspect, and the central node in the fifth aspect, which are not described herein in detail.
In an eighth aspect, the present application provides a computer program product which, when run on a computer, causes the computer to perform the steps of the related method of the first, third, further or fifth aspect described above, to carry out the method of the first, third, further or fifth aspect described above.
In a ninth aspect, the present application provides a network device comprising: a processor and a memory; the memory stores instructions executable by the processor; the processor is configured to execute the instructions to cause the network device to implement the method of the first aspect, or the third aspect, or the further or fifth aspect.
In a tenth aspect, the present application provides a computer-readable storage medium comprising: computer software instructions; the computer software instructions, when executed in a network device, cause the network device to implement the method of the first, or third, or further or fifth aspect described above.
Advantageous effects of the second aspect to the tenth aspect described above may be referred to in the first aspect, and will not be described again.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a connection of a distributed UDM system;
fig. 2 is a schematic connection diagram of a UDM system provided by the present application;
FIG. 3 is a flow chart of a data management method according to an embodiment of the present application;
FIG. 4 is a schematic flow chart of another method for managing data according to an embodiment of the present application;
FIG. 5 is a block diagram of an embodiment of the present application;
FIG. 6 is a schematic flow chart of a data management method according to an embodiment of the present application;
FIG. 7 is a schematic diagram of another block composition according to an embodiment of the present application;
FIG. 8 is a schematic diagram of another block composition according to an embodiment of the present application;
Fig. 9 is a schematic diagram of a first node according to an embodiment of the present application;
FIG. 10 is a schematic flow chart of a data management method according to an embodiment of the present application;
FIG. 11 is a schematic flow chart of a data management method according to an embodiment of the present application;
FIG. 12 is a schematic diagram of a data management device according to an embodiment of the present application;
FIG. 13 is a schematic diagram illustrating another data management apparatus according to an embodiment of the present application;
FIG. 14 is a schematic diagram of a data management device according to another embodiment of the present application;
fig. 15 is a schematic structural diagram of a network device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be noted that, in the embodiments of the present application, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "for example" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
In order to clearly describe the technical solution of the embodiments of the present application, in the embodiments of the present application, the terms "first", "second", etc. are used to distinguish the same item or similar items having substantially the same function and effect, and those skilled in the art will understand that the terms "first", "second", etc. are not limited in number and execution order.
The unified data management (unified data management, UDM) network element is one of the network elements in the core network of the fifth generation mobile communication technology (5th generation mobile communication technology, 5G). The UDM network element may have a correspondence with the operator. For example, UDM network elements may be in one-to-one correspondence with operators. The UDM network element may be configured to store subscription data and registration information of the user, authenticate according to the stored registration information of the user, etc.
For example, the UDM network element may obtain authentication information sent by the user equipment, and when the authentication information sent by the user equipment matches the registration information stored in the UDM network element, the UDM network element may determine that the user equipment passes the authentication. After passing the authentication, the UDM network element may send service information in the subscription data of the user to the network element of the data plane, so that the network element of the data plane provides services for the user according to the service information in the subscription data of the user. For example, the network elements of the data plane may include a Data Network (DN).
The service information may include quality of service (quality of service, QoS) information, among others.
Illustratively, taking the example that the QoS information includes delay, throughput, and packet loss rate, the QoS information of the user may be as shown in table 1 below.
TABLE 1
User      Delay      Throughput   Packet loss rate
User 1    < 1 ms     1 Gbps       < 10^-5
User 2    < 5 ms     1 Gbps       < 10^-5
User 3    < 10 ms    500 Mbps     < 10^-5
User 4    < 20 ms    300 Mbps     < 10^-4
User 5    < 25 ms    150 Mbps     < 10^-3
As shown in table 1, the quality of service information of the user may include delay, throughput, and packet loss rate. The users may include user 1, user 2, user 3, user 4, user 5, and the like.
The quality of service information corresponding to user 1 may include: delay less than ("<" means less than) 1 millisecond (ms), throughput of 1 gigabit per second (Gbps), and packet loss rate less than 10^-5; the quality of service information corresponding to user 2 may include: delay less than 5 ms, throughput of 1 Gbps, and packet loss rate less than 10^-5; the quality of service information corresponding to user 3 may include: delay less than 10 ms, throughput of 500 megabits per second (Mbps), and packet loss rate less than 10^-5; the quality of service information corresponding to user 4 may include: delay less than 20 ms, throughput of 300 Mbps, and packet loss rate less than 10^-4; the quality of service information corresponding to user 5 may include: delay less than 25 ms, throughput of 150 Mbps, and packet loss rate less than 10^-3.
The flexible production line is a production line formed by connecting a plurality of adjustable machine tools and matching with an automatic conveying device. The flexible production line is managed by means of a computer. Computer management flexible production lines require a network of high availability (high availability, HA). In order to provide users with a high availability network, operators have proposed a distributed UDM system. The distributed UDM system may comprise a central UDM network element, and edge UDM network elements. The central UDM network element may be star-connected to a plurality of edge UDM network elements.
The central UDM network element may store user registration information and subscription data of the subnet corresponding to each edge UDM network element. Each edge UDM network element may acquire, from the central UDM network element, registration information and subscription data of the users in the subnet corresponding to the edge UDM network element, and store the registration information and subscription data. Each edge UDM network element may implement the above-mentioned function of the UDM network element in the subnet corresponding to it according to the registration information and subscription data of the users of that subnet.
However, in the current distributed UDM system, there may be a risk that a user of the edge UDM network element maliciously disconnects the connection between the edge UDM network element and the central UDM network element, and privately falsifies registration information and subscription data of the user stored in the edge UDM network element.
Illustratively, fig. 1 is a connection schematic of a distributed UDM system. As shown in fig. 1, the distributed UDM system may include one central UDM network element (shown by taking the central UDM network element 1 as an example in the figure), and a plurality of edge UDM network elements (shown by taking 8 as examples in the figure, namely, edge UDM network element 1, edge UDM network element 2, edge UDM network element 3, edge UDM network element 4, edge UDM network element 5, edge UDM network element 6, edge UDM network element 7, and edge UDM network element 8).
Wherein, the edge UDM network element 1, the edge UDM network element 2, the edge UDM network element 3, the edge UDM network element 4, the edge UDM network element 5, the edge UDM network element 6, the edge UDM network element 7, and the edge UDM network element 8 may each correspond to one subnet. The central UDM network element 1 may store registration information and subscription data of users of the subnets corresponding to the edge UDM network element 1, the edge UDM network element 2, the edge UDM network element 3, the edge UDM network element 4, the edge UDM network element 5, the edge UDM network element 6, the edge UDM network element 7, and the edge UDM network element 8. The edge UDM network element 1, the edge UDM network element 2, the edge UDM network element 3, the edge UDM network element 4, the edge UDM network element 5, the edge UDM network element 6, the edge UDM network element 7, and the edge UDM network element 8 may respectively obtain registration information and subscription data of users of respective corresponding subnets from the central UDM network element 1. And authenticating the users of the respective corresponding subnets according to the registration information and subscription data of the users.
Taking the edge UDM network element 1 and the user of the subnet corresponding to the edge UDM network element 1 including the user 1 as an example, the user of the edge UDM network element 1 may maliciously disconnect the connection between the edge UDM network element 1 and the central UDM network element 1 and privately tamper the registration information of the user 1 in the edge UDM network element 1, so that the user 1 may authenticate according to the registration information after privately tampering and obtain the service corresponding to the registration information after privately tampering.
In this background, the present application provides a data management method, which can be applied to a UDM system. The UDM system may comprise one or more central UDM network elements, and a plurality of edge UDM network elements. When there are a plurality of central UDM network elements, the plurality of central UDM network elements may be interconnected with each other. Each edge UDM network element may be connected to a central UDM network element. For example, an edge UDM network element is connected to a neighboring central UDM network element. For each edge UDM network element, the edge UDM network element may be connected to one or more edge UDM network elements. For example, the edge UDM network element is connected to one or more neighboring edge UDM network elements. When there is only one central UDM network element, all edge UDM network elements may be connected to the central UDM network element.
The central UDM network element may store user registration information and subscription data of the subnet to which each edge UDM network element corresponds respectively.
The edge UDM network element may also store user registration information and subscription data of the subnet corresponding to each edge UDM network element. For example, the edge UDM network element may acquire and store registration information of the user and subscription data input by a manager of the subnet corresponding to the edge UDM network element. For another example, the edge UDM network element may also acquire and store the registration information and subscription data of the user sent by the central UDM network element. For another example, the edge UDM network element may further acquire and store registration information and subscription data of users of subnets respectively corresponding to other edge UDM network elements sent by other edge UDM network elements connected to the edge UDM network element.
For a certain edge UDM network element, the edge UDM network element may also obtain authentication information of the user. The edge UDM network element may also broadcast authentication information of the user to other UDM network elements in the UDM system. The other UDM network elements in the UDM system may generate the first information according to authentication information of the user and registration information of the user stored by the other UDM network elements in the UDM system. The edge UDM network element may receive first information sent by other UDM network elements in the UDM system, and determine an authentication result of the user according to the first information.
For example, the flexible production line described above is taken as an example. The edge UDM network element 1 corresponds to the sub-network 1, the sub-network 1 corresponds to the plant 1, and the plant 1 comprises a machine tool 1, a machine tool 2, a machine tool 3, a computer 1, a computer 2, and a computer 3. The computer 1 controls the machine tool 1, the computer 2 controls the machine tool 2, and the computer 3 controls the machine tool 3. Machine tools 1 and 2 are required for producing product a, and machine tools 2 and 3 are required for producing product B. Assuming that the need for production of product a changes to the need for production of product B, the computers 2 and 3 need to be re-authenticated, the computers 2 and 3 may send an authentication request to the edge UDM network element 1, respectively, the authentication request comprising authentication information of the computers 2 and 3. The edge UDM network element 1 can authenticate the computer 2 and the computer 3. The authentication result may include pass and fail. When the authentication result is passed, the computer 2 and the computer 3 can access the subnet 1 and respectively control the machine tool 2 and the machine tool 3 so that the machine tool 2 and the machine tool 3 cooperate to produce the product B.
The following describes the data management method provided by the embodiment of the present application in detail.
Fig. 2 is a schematic diagram illustrating connection of a UDM system according to the present application. As shown in fig. 2, the UDM system may include one or more center nodes (three are shown in the figure, namely, center node 1, center node 2, and center node 3), and a plurality of edge nodes (four are shown in the figure, namely, edge node 1, edge node 2, edge node 3, and edge node 4).
Wherein the central node 1, the central node 2, and the central node 3 may be interconnected with each other. The edge node 1 may be connected to a central node 1, and to an edge node 2. The edge node 2 may be connected to the central node 2, the edge node 1, and the edge node 3. The edge node 3 may be connected to the central node 3, the edge node 2, and the edge node 4. The edge node 4 may be connected to the central node 3 and to the edge node 3.
It should be noted that the central node may be the central UDM network element in fig. 1 described above. The edge node may be an edge UDM network element as described above in fig. 1. The central node may also be a node in a central UDM network element as described above. That is, a central UDM network element may consist of a plurality of central nodes. For example, also taking the connection schematic diagram of the UDM system described in fig. 2 as an example, the central node 1, the central node 2, and the central node 3 may be three nodes in a certain central UDM network element.
Optionally, the central node may belong to an operator, and the proportion occupied by the central node in the UDM system may be between 20% and 50% to ensure stability and reliability of the UDM system.
Fig. 3 is a flow chart of a data management method according to an embodiment of the present application. As shown in fig. 3, the method may include S301 to S306.
S301, a first node acquires authentication information of a first user.
Wherein the first node may be any one of the edge nodes in the UDM system. The first user may be a user of a subnet to which the first node corresponds.
S302, the first node broadcasts authentication information of the first user.
Correspondingly, the second node may receive authentication information of the first user broadcasted by the first node.
Wherein the second node may be at least one of a node other than the first node among the plurality of edge nodes, and a center node.
S303, the second node verifies whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the second node.
For example, the second node may determine that the first user is a valid registered user when the authentication information of the first user matches the registration information of the first user stored in the second node. The second node may determine that the first user is an invalid registered user when the authentication information of the first user does not match the registration information of the first user stored in the second node.
In a possible implementation, the registration information of the user may be stored directly (unencrypted) in the central node as well as in the edge nodes in the UDM system. The second node may then directly verify whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the second node.
In another possible implementation, the registration information of the user may be stored in the central node, as well as in the edge nodes in the UDM system after encryption. The second node checks whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the second node, and may include: the second node decrypts the registration information of the first user; the second node checks whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user after decryption.
Optionally, the central node, as well as the edge nodes in the UDM system, may encrypt the user's registration information using a data encryption standard (data encryption standard, DES) algorithm, a triple data encryption standard (triple data encryption standard, 3DES) algorithm, an international data encryption algorithm (international data encryption algorithm, IDEA), a digital signature algorithm (digital signature algorithm, DSA), and the like. The embodiment of the application does not limit the specific encryption means of the central node and the edge node in the UDM system.
S304, the second node generates first information according to a result of checking whether the first user is a valid registered user.
Wherein, as described above, the second node checking whether the first user is a valid registered user may include: the first user is a valid registered user or is not a valid registered user. Correspondingly, the first information may be used to indicate that the second node passes or fails the authentication information of the first user, or the first information is used to indicate whether the authentication information of the first user passes the verification of the second node.
S305, the second node transmits the first information to the first node.
Correspondingly, the first node receives the first information sent by the second node.
It should be noted that there may be one or more second nodes that transmit the first information to the first node. That is, the second node transmitting the first information to the first node may include: at least one second node transmits first information to the first node.
S306, the first node determines an authentication result of the first user according to the first information.
Wherein the authentication result of the first user may include pass or fail.
In a possible implementation manner, the first node determines an authentication result of the first user according to the first information, and may include: the first node determines an authentication result of the first user according to the first information and a preset first proportion.
Wherein the first ratio may be preset by a manager. For example, the first ratio is 50%, or 70%, or the like. The specific values of the first ratio are not limited in the embodiment of the present application.
Alternatively, as described above, the first information may be used to indicate that the second node passes or does not pass the authentication information of the first user. The first node determining the authentication result of the first user according to the first information and the preset first proportion may include: the first node determines the authentication result of the first user according to the proportion, among all the first information, of first information indicating that the verification by the second node passed, and the preset first proportion.
For example, taking the UDM system shown in fig. 2 as an example, assume that the first node is edge node 2, the preset first proportion is 50%, the first information edge node 2 receives from edge node 1 indicates that the first user is an invalid registered user, the first information it receives from center node 2 indicates that the first user is a valid registered user, and the first information it receives from edge node 3 indicates that the first user is a valid registered user. Edge node 2 may determine that the authentication result of the first user is pass, because the proportion of first information indicating that the first user is a valid registered user is 66.7%, which is greater than the preset first proportion of 50%.
For example, taking the UDM system shown in fig. 2 as an example, assume that the first node is edge node 2, the preset first proportion is 50%, the first information edge node 2 receives from edge node 1 indicates that the first user is an invalid registered user, the first information it receives from center node 2 indicates that the first user is an invalid registered user, and the first information it receives from edge node 3 indicates that the first user is a valid registered user. Edge node 2 may determine that the authentication result of the first user is fail, because the proportion of first information indicating that the first user is a valid registered user is 33.3%, which is smaller than the preset first proportion of 50%.
Illustratively, taking the UDM system shown in fig. 2 as an example, assume that the first node is edge node 1, the preset first proportion is 100%, the connection between center node 1 and edge node 1 is disconnected, and the first information edge node 1 receives from edge node 2 indicates that the first user is a valid registered user. Edge node 1 may determine that the authentication result of the first user is pass, because the proportion of first information indicating that the first user is a valid registered user is 100%, which is equal to the preset first proportion of 100%.
In the data management method provided by the embodiment of the application, the center nodes with each other, and the center nodes with the edge nodes, in the UDM system are connected in a point-to-point (P2P) mode; compared with the existing star connection, the P2P connection has better robustness. The central node in the UDM system and each edge node may store the registration information of the users of the subnet corresponding to each edge node. An edge node in the UDM system (e.g., the first node described above) may obtain the authentication information of a user in the subnet corresponding to the edge node and broadcast the authentication information. Other edge nodes or central nodes in the UDM system (e.g., the second node) may verify the authentication information of the user against the registration information they each store for the users of the subnet corresponding to each edge node, generate first information, and send the first information to the edge node that broadcast the authentication information. The edge node that broadcast the authentication information may determine the authentication result of the user according to the first information. That edge node can therefore only complete authentication normally when it receives first information that other nodes obtained by checking the authentication information against the registration information they store. When a user of one edge node maliciously disconnects that edge node from the center node and attempts to privately tamper with the registration information of a user, the registration information of the users of that subnet stored in the other edge nodes differs from the tampered registration information, so at that moment the edge node cannot pass the authentication of a user whose registration information was privately tampered with. The security of the UDM system is thereby improved.
Optionally, before the first node broadcasts the authentication information of the first user in S302, the first node may further preliminarily determine whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the first node. After the first node preliminarily judges that the first user is a valid registered user, the first node triggers the step of broadcasting authentication information of the first user. That is, before the first node broadcasts the authentication information of the first user, the method may further include: the first node determines that the first user is an effective registered user according to authentication information of the first user and registration information of the first user stored in the first node.
It should be noted that the step in which the first node preliminarily determines whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the first node may refer to the description, in S303, of the second node checking whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the second node, and is not described again here.
In the data management method provided by the embodiment of the application, after the first node obtains the authentication information of the first user, it can preliminarily judge whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the first node. Only after determining that the first user is a valid registered user does the first node trigger the step of broadcasting the authentication information of the first user, so the authentication information broadcast by the first node is more likely to pass the verification of the second node, and the authentication efficiency of the UDM system for the first user is improved as a whole.
Alternatively, as described above, the edge node may acquire and store registration information and subscription data of the user that are input by the administrator of the subnet corresponding to the edge node, or that are sent by other edge nodes. That is, in the case where the center node and the edge node are disconnected, the first node may receive registration information and subscription data of the first user that are transmitted from an edge node other than the first node and/or input by the manager of the subnet corresponding to the first node.
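The procedure of S301 to S306, together with the optional preliminary check by the first node, as an added example (not code from the patent): it simulates the fig. 2 topology, the voting on broadcast authentication information, the three worked cases above, and the fig. 1 tampering scenario. `Node`, `UdmSystem`, the hashed-credential form of the registration information and the sample user are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass, field


def digest_secret(secret: str) -> str:
    # Constructed stand-in for "registration information": every node stores a
    # hash of the user's credential; the "authentication information" the user
    # presents (S301) is the credential itself.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Node:
    name: str
    is_central: bool = False
    registry: dict = field(default_factory=dict)   # user -> registration information
    peers: set = field(default_factory=set)        # directly connected nodes

    def verify(self, user: str, auth_info: str) -> bool:
        """S303/S304: the 'first information' this node returns (True = passes)."""
        stored = self.registry.get(user)
        return stored is not None and stored == digest_secret(auth_info)


class UdmSystem:
    def __init__(self):
        self.nodes = {}

    def add(self, name: str, is_central: bool = False) -> Node:
        self.nodes[name] = Node(name, is_central)
        return self.nodes[name]

    def connect(self, a: str, b: str) -> None:
        self.nodes[a].peers.add(b)
        self.nodes[b].peers.add(a)

    def disconnect(self, a: str, b: str) -> None:
        self.nodes[a].peers.discard(b)
        self.nodes[b].peers.discard(a)

    def register(self, user: str, secret: str) -> None:
        # Center nodes and every edge node store the registration information.
        for node in self.nodes.values():
            node.registry[user] = digest_secret(secret)

    def authenticate(self, first_node: str, user: str, auth_info: str,
                     first_proportion: float, local_precheck: bool = True):
        """S301-S306 as executed by the first node.

        Returns (result, share): result is the authentication result, share is
        the proportion of first information that indicates 'pass'.
        """
        first = self.nodes[first_node]
        # Optional preliminary local check: broadcasting is only triggered when
        # the first node's own copy of the registration information matches.
        if local_precheck and not first.verify(user, auth_info):
            return False, 0.0
        # S302/S305: every reachable second node (edge or center) checks the
        # authentication information against its own stored registration
        # information and returns its first information.
        responses = [self.nodes[p].verify(user, auth_info) for p in sorted(first.peers)]
        if not responses:
            # No second node reachable: normal authentication cannot proceed.
            return False, 0.0
        share = sum(responses) / len(responses)
        # S306: pass when the share of 'pass' first information reaches the
        # preset first proportion (66.7% >= 50% passes, 100% >= 100% passes).
        return share >= first_proportion, share


def build_fig2_system() -> UdmSystem:
    """The topology of fig. 2: three interconnected center nodes, four edge nodes."""
    s = UdmSystem()
    for c in ("center1", "center2", "center3"):
        s.add(c, is_central=True)
    for e in ("edge1", "edge2", "edge3", "edge4"):
        s.add(e)
    for a, b in [("center1", "center2"), ("center2", "center3"), ("center1", "center3"),
                 ("edge1", "center1"), ("edge1", "edge2"),
                 ("edge2", "center2"), ("edge2", "edge3"),
                 ("edge3", "center3"), ("edge3", "edge4"),
                 ("edge4", "center3")]:
        s.connect(a, b)
    return s


def tamper_scenario(first_proportion: float = 0.5):
    """The fig. 1 risk replayed on fig. 2: edge1 is cut off from center1 and its
    local registration record for user1 is replaced by a forged one."""
    s = build_fig2_system()
    s.register("user1", "s3cret")            # constructed sample credential
    s.disconnect("edge1", "center1")
    s.nodes["edge1"].registry["user1"] = digest_secret("forged")
    # The forged credential passes edge1's own check, but edge2 still holds the
    # genuine registration information, so the share of 'pass' is 0 and the
    # tampered user is not authenticated.
    return s.authenticate("edge1", "user1", "forged", first_proportion)


if __name__ == "__main__":
    s = build_fig2_system()
    s.register("user1", "s3cret")
    print(s.authenticate("edge2", "user1", "s3cret", 0.5))   # (True, 1.0)
    print(tamper_scenario())                                 # (False, 0.0)
```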
Similarly, in the case that the center node and the edge node are disconnected, the second node may receive the registration information of the first user and subscription data sent by the first node; the registration information and subscription data of the first user sent by the first node may be input by a manager of the subnet corresponding to the first node into the first node and stored by the first node.
In the data management method provided by the embodiment of the application, when the central node or the connection between the central node and the edge node fails and a new registered user or an old user needing to change registration information exists, the edge node in the UDM system can acquire the registration information of the new registered user or the registration information of the changed old user from a manager and synchronously update the registration information to other edge nodes of the UDM system. After the update, the newly registered user or the old user who changes the registration information may be authenticated according to the procedure shown in fig. 3. The usability of the UDM system as a whole is improved.
In some possible embodiments, the central node and the edge node in the above-mentioned UDM system may be further divided into a master node and a slave node. The number of master nodes may be one. The slave nodes may comprise edge nodes, or central nodes, in the UDM system that are different from the master node. The master node may generate a block from the authentication information of the first user and broadcast to the slave nodes. The slave node may vote on the block according to the result of determining whether the first user is a valid registered user, respectively. The first node may obtain a result of the voting, and determine an authentication result of the first user according to the result of the voting.
Alternatively, the central node and the edge nodes in the UDM system may take turns acting as the master node according to a random queue. For example, one central node or one edge node in the UDM system (which may be referred to as the queue node) may generate a random queue using a timestamp as the seed, and the central node and the edge nodes then act as the master node in the order given by that queue. After every central node and edge node has served as the master node in the order of the random queue, another node in the UDM system may generate a new random queue, again seeded with a timestamp, and the central node and the edge nodes act as the master node in the order of the new queue, and so on cyclically.
In one possible implementation, the first node may act as the master node. That is, the first node is the master node and the second node is a slave node. Fig. 4 is a schematic flow chart of another data management method according to an embodiment of the present application. As shown in fig. 4, when the first node acts as the master node, the method may include S401 to S407.
S401, the first node acquires authentication information of a first user.
S401 may be described with reference to S301, and will not be described herein.
S402, the first node generates a block according to authentication information of the first user.
The block may include authentication information of the first user and identity information of the first node, where the identity information of the first node is used by the second node to verify the identity of the first node.
Fig. 5 is a schematic diagram of a block composition according to an embodiment of the present application. As shown in fig. 5, the block generated by the first node may include a block header, block data, and block metadata. The block header may include the block number, the hash value of the block, and the hash value of the previous block. The block data may include the authentication information of the first user. The block metadata may include identity information of the master node (the block creator, here the first node). The identity information of the master node may include the certificate of the master node, the digital signature of the master node, and the like. The certificate of a node is assigned by the operator when the node is registered and installed and is used to verify the identity of the node; the digital signature is bound to the node.
S403, the first node broadcasts the block.
It should be noted that S402 and S403 are also one possible implementation of S302 described above. Alternatively, the first node broadcasts authentication information of the first user, which may include: the first node generates a block according to authentication information of the first user, the block comprises the authentication information of the first user and identity information of the first node, the identity information of the first node is used for verifying the identity of the first node by the second node, and the first node broadcasts the block.
Correspondingly, the second node may receive the block broadcast by the first node.
S404, the second node checks whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the second node.
S404 may be described with reference to S303, and will not be described herein.
S405, the second node generates first information according to a result of checking whether the first user is a valid registered user.
S405 may be described with reference to S304, and will not be described herein.
S406, the second node transmits the first information to the first node.
S406 may be described with reference to S305, and will not be described herein.
It should be noted that, as described above, the master node may generate a block, and the slave node may vote on the block. The second node in S404 to S406 verifies whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the second node, generates the first information according to the result of verifying whether the first user is a valid registered user, and transmits the first information to the first node, which may be regarded as a form of voting on the block by the second node (slave node).
S407, the first node determines an authentication result of the first user according to the first information.
S407 may be described with reference to S306 above, and will not be described here again.
In another possible implementation, an edge node or the central node in the UDM system other than the first node may act as the master node. For example, the third node is a node other than the first node among the plurality of edge nodes, or the central node; the third node is the master node, and all nodes in the UDM system other than the third node are slave nodes. Fig. 6 is a schematic flow chart of a data management method according to an embodiment of the present application. As shown in fig. 6, when the third node acts as the master node, the method may include S601 to S608.
S601, a first node acquires authentication information of a first user.
S601 may be described with reference to S301, and will not be described herein.
S602, the first node sends authentication information of the first user to the third node.
Optionally, the sending, by the first node, authentication information of the first user to the third node may include: the first node transmits authentication information of the first user to the third node in a broadcast form.
And S603, the third node generates a block according to the authentication information of the first user.
The block generated by the third node may be shown in fig. 5, and will not be described herein.
S604, the third node broadcasts the block.
It should be noted that S602 to S604 are one possible implementation of S302. Alternatively, the first node broadcasting the authentication information of the first user may include: the first node sends the authentication information of the first user to the third node, so that the third node generates a block according to the authentication information of the first user and broadcasts the block.
Correspondingly, the second node may receive the block broadcast by the third node.
S605, the second node checks whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the second node.
S605 may be described with reference to S303 above, and will not be described here again.
S606, the second node generates first information according to the result of checking whether the first user is a valid registered user.
S606 may be described with reference to S304, and will not be described herein.
S607, the second node transmits the first information to the first node.
For reasons similar to those given for S404 to S406, S605 to S607 may also be regarded as a form of voting on the block by the second node (slave node).
It should be noted that in S606 to S607 the second node, after generating the first information according to the result of checking whether the first user is a valid registered user, sends the first information directly to the first node as its vote.
Optionally, after generating the first information according to the result of checking whether the first user is a valid registered user, the second node may instead send the first information to the third node, and the third node forwards the first information sent by the second node to the first node as the vote.
And S608, the first node determines an authentication result of the first user according to the first information.
S608 may be described with reference to S306 above, and will not be described herein.
Optionally, when the proportion passed in the result of the voting of the slave node on the block is greater than a preset first proportion, the master node (for example, the first node or the third node described above) may also add the block as the highest block to the blockchain.
In the data management method provided by the embodiment of the application, the edge node and the center node in the UDM system can be further divided into a master node and a slave node. The master node may generate a block from the authentication information of the first user and broadcast to the slave nodes. The block may include a block header, block data, and block metadata, the block metadata may include identity information of a block creator, and the edge node and the center node in the UDM system may supervise authentication of the first user according to the identity information of the block creator in the block, thereby improving security of the UDM system as a whole.
In addition, each slave node may vote on the block according to its own result of judging whether the first user is a valid registered user. The master node may aggregate the votes of the slave nodes. The first node may obtain the voting result and determine the authentication result of the first user from it. The authentication process is thus combined with a consensus process, and since the consensus process consists only of generating a block and voting on the block, it has fewer steps than the consensus process of the conventional practical Byzantine fault tolerance (PBFT) algorithm.
It should be noted that since the first node acquires the authentication information of the first user in S301 and broadcasts it in S302, any second node may also acquire the authentication information of the first user. That is, in the process in which the first node determines whether the first user is a valid registered user, each of the central node and the edge nodes in the UDM system may obtain the authentication information of the first user.
Alternatively, after acquiring the authentication information of the first user, the central node and the edge node in the UDM system may record the authentication information of the first user in the temporary ledger. The master node generating a block according to authentication information of the first user may include: the master node generates a block according to authentication information of the first user recorded in the temporary account book.
In one possible implementation, a block may carry the authentication information of a single user. That is, when the master node obtains the authentication information of the first user and records it in the temporary ledger, this may trigger the step of generating a block from that authentication information. Fig. 7 is a schematic diagram of another block composition according to an embodiment of the present application. As shown in fig. 7, taking the block composition of fig. 5 as an example and assuming that the first user is user 1, the block data of the block generated by the master node may include the authentication information of user 1.
In another possible implementation, a block may carry the authentication information of a plurality of users, and the master node may trigger the step of generating a block when the difference between the current time and the generation time of the previous block reaches a first period. That is, the master node generating a block from the authentication information of the first user recorded in the temporary ledger may include: the master node generates a block from the authentication information recorded in the temporary ledger during the first period. Fig. 8 is a schematic diagram of another block composition according to an embodiment of the present application. As shown in fig. 8, taking the block composition of fig. 5 as an example and assuming that the authentication information recorded in the master node's temporary ledger during the first period includes that of user 1, user 2, user 3 and user 4, the block data of the block generated by the master node from that information may include the authentication information of user 1, user 2, user 3 and user 4.
Wherein the first period may be preset by a manager. For example, the first period is 1 second, 2 seconds, etc. The embodiment of the application does not limit the specific duration of the first period.
In the data management method provided by the embodiment of the application, after the first node broadcasts the authentication information of the first user, the nodes in the UDM system can acquire it and record it in the temporary ledger. The master node can generate a block from the authentication information recorded in the temporary ledger during the first period, which avoids generating blocks and voting on blocks too frequently and so improves the efficiency with which the UDM system as a whole authenticates users.
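The block composition of fig. 5, the batching of the temporary ledger into one block per first period (fig. 8), the slave nodes' verification of the block creator and of the user, and the first-proportion decision of S306/S407 can be put together in one short simulation. The following Python is an added example by the editor, not code from the patent or from its applicant. It assumes an operator-issued certificate registry, uses an HMAC over the block hash as a stand-in for the block creator's digital signature, and reads the per-block vote as "every user in the block passed" (one reading of the text). Node names, keys, user credentials and the first period value are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed sample data (not from the patent). The operator's certificate registry maps a
# node's certificate to the key that verifies its signature. An HMAC over the block hash
# stands in for the block creator's digital signature; a deployment would use operator-
# issued asymmetric keys (assumption of this example).
CERT_REGISTRY = {"cert-edge1": b"k-edge1", "cert-edge2": b"k-edge2",
                 "cert-edge3": b"k-edge3", "cert-center": b"k-center"}

# Registration information every node holds: user identity -> expected credential.
REGISTRATION = {"user1": "pw1", "user2": "pw2", "user3": "pw3"}


def _sign(key, digest):
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def _block_hash(number, prev_hash, data):
    body = {"number": number, "prev_hash": prev_hash, "data": data}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class Node:
    name: str
    cert: str
    key: bytes
    registration: dict
    temp_ledger: list = field(default_factory=list)  # authentication info awaiting a block
    chain: list = field(default_factory=list)        # blocks accepted so far
    last_block_time: float = 0.0

    def record_auth(self, auth_info):
        """Any node: record broadcast authentication information in the temporary ledger."""
        self.temp_ledger.append(auth_info)

    def generate_block(self, now, first_period):
        """Master node: build one block from the temporary ledger once the first period has
        elapsed since the previous block (fig. 8 batching). Returns None otherwise."""
        if now - self.last_block_time < first_period or not self.temp_ledger:
            return None
        prev_hash = self.chain[-1]["header"]["hash"] if self.chain else "0" * 64
        number, data = len(self.chain), list(self.temp_ledger)
        digest = _block_hash(number, prev_hash, data)
        block = {"header": {"number": number, "hash": digest, "prev_hash": prev_hash},
                 "data": data,
                 "metadata": {"creator_cert": self.cert, "signature": _sign(self.key, digest)}}
        self.temp_ledger.clear()
        self.last_block_time = now
        return block

    def vote(self, block):
        """Slave node: verify the creator's identity (certificate and signature) and that the
        header hash matches the data, then check each user against local registration.
        The result is the 'first information' returned to the first node."""
        hdr, meta = block["header"], block["metadata"]
        key = CERT_REGISTRY.get(meta["creator_cert"])
        expected = _block_hash(hdr["number"], hdr["prev_hash"], block["data"])
        if key is None or expected != hdr["hash"] or not hmac.compare_digest(
                _sign(key, hdr["hash"]), meta["signature"]):
            return {"creator_ok": False, "results": {}}
        results = {a["user"]: self.registration.get(a["user"]) == a["credential"]
                   for a in block["data"]}
        return {"creator_ok": True, "results": results}


def tally(block, votes, first_proportion):
    """First node: a user passes when the share of slaves voting 'pass' for that user exceeds
    the first proportion; the block is appended when the share of slaves approving every
    user in it exceeds the same proportion (one reading of the per-block vote)."""
    users = [a["user"] for a in block["data"]]
    auth_result = {u: sum(1 for v in votes if v["creator_ok"] and v["results"].get(u))
                   / len(votes) > first_proportion for u in users}
    approving = sum(1 for v in votes
                    if v["creator_ok"] and all(v["results"].get(u) for u in users))
    return auth_result, approving / len(votes) > first_proportion


def run_round(master, slaves, auth_infos, now, first_period, first_proportion):
    """Broadcast the authentication info, let the master batch it into a block, collect the
    slaves' votes and decide. Returns (auth_result, block_appended); (None, False) when no
    block was due yet."""
    for a in auth_infos:
        master.record_auth(a)
    block = master.generate_block(now, first_period)
    if block is None:
        return None, False
    votes = [s.vote(block) for s in slaves]
    auth_result, accepted = tally(block, votes, first_proportion)
    if accepted:
        master.chain.append(block)  # the new block becomes the highest block
    return auth_result, accepted


def demo():
    master = Node("edge1", "cert-edge1", b"k-edge1", dict(REGISTRATION))
    slaves = [Node(n, f"cert-{n}", f"k-{n}".encode(), dict(REGISTRATION))
              for n in ("edge2", "edge3", "center")]
    r1 = run_round(master, slaves, [{"user": "user1", "credential": "pw1"},
                                    {"user": "user2", "credential": "pw2"}], 2.0, 2.0, 0.5)
    r2 = run_round(master, slaves, [{"user": "user3", "credential": "wrong"}], 3.0, 2.0, 0.5)
    r3 = run_round(master, slaves, [], 4.0, 2.0, 0.5)
    return r1, r2, r3, len(master.chain)
```

With a first period of 2 seconds, the first round batches user 1 and user 2 into one block that all three slaves approve, the second round (1 second later) only records user 3 in the ledger, and the third round emits a block for user 3 that fails every slave's registration check, so the block is not appended. Because the slave recomputes the header hash over the block data before checking the signature, a block whose data was altered after signing, or one signed under a certificate the operator never issued, is rejected before any user is examined.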
In some possible embodiments, the first node further stores service quality information of users of the sub-network corresponding to each edge node. After the first node determines that the first user is a valid registered user, the first node may further determine and record service quality information of the first user according to service quality information of users of subnets corresponding to each edge node stored in the first node. Similarly, after the second node determines that the first user is a valid registered user, the second node may further determine and record quality of service information of the first user according to quality of service information of users of the sub-network corresponding to each edge node stored in the second node.
Illustratively, taking the first node as an example, the authentication information of the first user may include an identity of the first user. The identity of the first user may be in one-to-one correspondence with the quality of service information of the first user. When the first node determines that the authentication result of the first user is passing, the first node can query the service quality information of the user of the subnet corresponding to each edge node stored in the first node according to the identity of the first user, determine the service quality information of the first user and record the service quality information.
In the data management method provided by the embodiment of the application, after the first node determines that the first user is a valid registered user, it may also determine and record the quality of service information of the first user from the quality of service information it stores; likewise, after the second node determines that the first user is a valid registered user, it may determine and record the quality of service information of the first user from the quality of service information it stores. The second node thereby acts as a third party that records and supervises the quality of service information of the first user: when the first user raises a query about the quality of service actually received, the records held by the first node and the second node can be cross-checked, which improves the transparency and credibility of the service.
Alternatively, the steps performed by the first node may be performed by functional modules in the first node. Fig. 9 is a schematic diagram of a first node according to an embodiment of the present application. As shown in fig. 9, the first node may include a service manager module. The first node obtaining the authentication information of the first user may include: the service management module in the first node obtains the authentication information of the first user. For example, when the terminal device of the first user accesses the subnet corresponding to the first node, it connects to the service management module and sends the authentication information of the first user to the first node through that module.
Optionally, the edge node in the UDM system may also be connected to a network element of the data plane. When the first node determines that the authentication result of the first user is passing, the first node may send the service quality information of the first user to the network element of the data plane, so that the network element of the data plane provides services for the first user according to the service quality information of the first user.
For example, the network elements of the data plane may be arranged on the first network device. When the first node determines that the authentication result of the first user is passing, the first node sends the service quality information of the first user to the network element of the data plane, so that the network element of the data plane provides services for the first user according to the service quality information of the first user, and may include: when the first node determines that the authentication result of the first user is passing, the first node sends the service quality information of the first user to the first network device, so that the first network device provides service for the first user according to the service quality information of the first user.
For another example, the first node may send, through the service management module, quality of service information in the subscription data of the first user to the first network device, so that the first network device provides services for the first user according to the quality of service information in the subscription data of the first user.
Illustratively, the network elements of the data plane may include a Data Network (DN).
In some possible embodiments, before the first node sends the service quality information of the first user to the first network device, so that the first network device provides services for the first user according to the service quality information of the first user, the central node may further acquire the number of other edge nodes (edge nodes except the first node) connected to the first node. When the number of other edge nodes connected with the first node is smaller than a preset number threshold, the central node can control the first node to send basic service quality information to the first network device, so that the first network device provides services for the first user according to the basic service quality information.
Wherein the number threshold may be preset by the operator. For example, the number threshold is 3, or 4, or the like. The specific values of the numerical thresholds are not limited in the embodiments of the present application.
In a possible implementation, the step of the central node obtaining the number of other edge nodes to which the first node is connected may be performed before S301. Fig. 10 is a schematic flow chart of a data management method according to an embodiment of the present application. As shown in fig. 10, the method may include new edge node registration, new edge node initiation, new edge node establishment of P2P connection with old edge node, new edge node establishment of P2P connection with center node, synchronization of user registration information, update of node connection status, reception of user authentication information, completion of user authentication, etc.
1. Registration part for new edge node:
the first institution may apply to the operator for a new edge node based on the identity information of the first institution. When the new edge node is installed for the first time, it may obtain a certificate issued by the operator according to the identity information of the first institution; the certificate corresponds one-to-one to the identity information of the first institution and is used to verify the identity of the node and of the first institution. The central node in the UDM system may store the identity information of the first institution.
Wherein the first institution may comprise any one of a unit or a person.
Illustratively, the identity information of the first institution may be as shown in table 2 below.
TABLE 2
Edge node      Certificate      Identity information of the first institution
Edge node 1    Certificate 1    Identity information 1
Edge node 2    Certificate 2    Identity information 2
Edge node 3    Certificate 3    Identity information 3
As shown in table 2, the table may include an edge node item, a certificate item, and an identity information item of the first organization. The edge node items may include edge nodes such as edge node 1, edge node 2, edge node 3, and the like. Certificate items may include certificates such as certificate 1, certificate 2, and certificate 3. The identity information item of the first institution may include identity information of the first institution such as identity information 1, identity information 2, and identity information 3. The edge node 1, the certificate 1, and the identity information 1 have a correspondence relationship. The edge node 2, the certificate 2, and the identity information 2 have a correspondence. The edge node 3, the certificate 3, and the identity information 3 have a correspondence.
2. Starting a part for a new edge node:
after the new edge node is installed for the first time, it may be started for the first time and receive the administrator's configuration.
3. Establishing a P2P connection with an old edge node for the new edge node:
after the new edge node is started for the first time and receives the configuration of the manager, a P2P connection can be established with the old edge nodes of other subnets that are geographically close. For example, edge nodes in the same urban area, or edge nodes in the same city, or edge nodes in the same province, or the straight line distance between edge nodes is less than a preset distance threshold may be referred to as geographically close. Embodiments of the present application are not limited to specific criteria that are geographically close.
4. Establishing a P2P connection with the central node for the new edge node:
after the first start, the new edge node may obtain the network topology information of the P2P connections it has established with the old edge nodes of geographically adjacent subnets; the new edge node may send its own certificate together with that network topology information to the central node. After the central node has verified the certificate of the new edge node, the P2P connection between the new edge node and the central node may be established.
It can be understood that the central node may obtain the number of other edge nodes connected to the first node from the network topology information that the first node sends to the central node when establishing its P2P connection with the central node, as described in part 4 above.
5. Registration information part for synchronous user:
as described above, the edge nodes in the UDM system may acquire registration information of users of the subnets corresponding to other edge nodes and subscription data of users of the operator network from the manager, the center node, and other edge nodes connected to the edge nodes, and the edge nodes in the UDM system may periodically synchronize and update the registration information of the users.
6. For the update node connection status portion:
the nodes connected with each other in the UDM system can send heartbeat packets to each other at regular time, and whether the connection is normal or not is checked at regular time. When a certain edge node cannot normally receive heartbeat packets sent by other edge nodes connected with the node, the edge node can determine the connection failure of the edge node corresponding to the heartbeat packets which cannot be normally received, and report the certificate of the edge node corresponding to the heartbeat packets which cannot be normally received to a central node.
It can be understood that the central node may also obtain the number of other edge nodes connected to the first node from the certificates, reported by the edge nodes in the UDM system, of the edge nodes whose heartbeat packets can no longer be received normally.
7. For a receiving user authentication request part:
as described in S301 above, a description thereof is omitted.
8. For the authentication part of the finished user:
as described in the embodiments shown in fig. 3, 4 and 6, the description thereof is omitted here.
Alternatively, as described above, the authentication result of the first user determined by the first node according to the first information may include pass and fail. When the number of other edge nodes connected with the first node is smaller than a preset number threshold, the central node can send a first instruction to the first node, and the first instruction is used for commanding the first node to send basic service quality information to the first network equipment when the authentication result of the first user is passed, so that the first network equipment provides services for the first user according to the basic service quality information.
For example, when the number of other edge nodes connected by the first node is smaller than a preset number threshold, the central node sends a first instruction to a service management module in the first node. The service management module may receive a first instruction. The service management module may be further configured to respond to the first instruction, and when the first node determines that the authentication result of the first user is passing, send basic service quality information to the first network device, so that the first network device provides services for the first user according to the basic service quality information.
In the data management method provided by the embodiment of the application, the central node can acquire the number of other edge nodes connected to the first node. When the first node determines that the authentication result of the first user is pass and the number of other edge nodes connected to the first node is smaller than the preset number threshold, the central node can make the first node send basic service quality information to the first network device, so that the first network device provides service for the first user according to the basic service quality information. When the number of other edge nodes connected to the first node is too small, there is a risk that the user of the subnet has maliciously disconnected the edge node from the other edge nodes and the central node and is tampering with users' service quality information privately. Limiting the service quality information of the users of the subnet corresponding to the first node in that case removes the incentive for the subnet user to disconnect the edge node from the other edge nodes and the central node and tamper with the service quality information, and so improves the security of the UDM system.
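Parts 4 and 6 above (topology reported at P2P setup, heartbeat failures reported by certificate) and the number-threshold rule for falling back to basic quality of service can be exercised together. The following Python is an added example by the editor, not code from the patent or from its applicant. The heartbeat records, node and certificate names, the heartbeat timeout, the number threshold and the two QoS profiles are all constructed; the patent fixes none of these values.

```python
# Constructed sample heartbeat records (not from the patent): each entry is
# (receiving edge node, certificate of the sending edge node, time received).
HEARTBEATS = [
    ("edge1", "cert-edge2", 10.0), ("edge1", "cert-edge3", 10.0), ("edge1", "cert-edge4", 10.0),
    ("edge1", "cert-edge2", 15.0), ("edge1", "cert-edge3", 15.0),   # edge4 falls silent
    ("edge1", "cert-edge2", 20.0), ("edge1", "cert-edge3", 20.0),
]

# Assumed QoS profiles: the basic profile the central node can force, and the profile
# taken from a user's subscription data.
BASIC_QOS = {"bandwidth_mbps": 10, "priority": "best-effort"}
SUBSCRIBED_QOS = {"bandwidth_mbps": 100, "priority": "gold"}


def last_seen(heartbeats, receiver, now):
    """Latest heartbeat time per peer certificate observed by one edge node up to `now`."""
    seen = {}
    for rcv, cert, t in heartbeats:
        if rcv == receiver and t <= now:
            seen[cert] = max(t, seen.get(cert, t))
    return seen


def failed_peers(heartbeats, receiver, now, timeout):
    """Part 6: peers whose heartbeat has not arrived within `timeout`; the edge node reports
    their certificates to the central node. A peer that never sent a heartbeat is not
    detected here, so the topology from part 4 stays the baseline."""
    return {cert for cert, t in last_seen(heartbeats, receiver, now).items()
            if now - t > timeout}


class CentralNode:
    """Holds the P2P topology reported in part 4 and applies failure reports from part 6."""

    def __init__(self, topology, number_threshold):
        self.topology = {node: set(certs) for node, certs in topology.items()}
        self.number_threshold = number_threshold

    def report_failures(self, node, failed_certs):
        self.topology[node] -= set(failed_certs)

    def connected_count(self, node):
        return len(self.topology[node])

    def first_instruction(self, node):
        """True when the node must serve only basic QoS (too few edge peers connected)."""
        return self.connected_count(node) < self.number_threshold


def qos_to_data_plane(central, node, auth_passed, subscribed_qos):
    """Service manager in the first node: QoS information sent to the data-plane network
    element after authentication; None when authentication failed."""
    if not auth_passed:
        return None
    return BASIC_QOS if central.first_instruction(node) else subscribed_qos


def demo(now, timeout=8.0):
    """Evaluate edge1 at time `now`: returns (edge peers still connected, QoS sent)."""
    central = CentralNode({"edge1": {"cert-edge2", "cert-edge3", "cert-edge4"}},
                          number_threshold=3)
    central.report_failures("edge1", failed_peers(HEARTBEATS, "edge1", now, timeout))
    return central.connected_count("edge1"), qos_to_data_plane(central, "edge1", True,
                                                               SUBSCRIBED_QOS)
```

At t=12 all three peers have heartbeated within the timeout, the count equals the threshold and the subscribed profile is sent; at t=25 edge4 has been silent for 15 seconds, its certificate is reported, the count drops to 2 and the central node's first instruction forces the basic profile.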
As described above, the first organization may apply for a new edge node to the operator based on the identity information of the first organization. When the new edge node is installed for the first time, a certificate distributed by an operator according to the identity information of the first organization can be obtained, the certificate corresponds to the identity information of the first organization one by one, and the certificate is used for verifying the identity of the node and the first organization. The central node in the UDM system may store identity information of the first authority. And the master node may generate a block based on the authentication information of the first user and broadcast to the slave nodes. The slave node may vote on the block according to the result of determining whether the first user is a valid registered user, respectively.
In some possible embodiments, the voting of the block by the slave node may be performed in an anonymous voting manner. The edge nodes can verify identity through certificates. That is, the slave node votes for the block according to the result of determining whether the first user is a valid registered user, respectively, may include: the slave nodes anonymously vote on the block according to the result of judging whether the first user is a valid registered user or not.
Optionally, the central node, as well as the edge nodes in the UDM system may also record the procedure of each authentication in a respective system log set, respectively. The system log set may include one or more logs. The log may include the edge node, and event information corresponding to the edge node.
Optionally, the central node and the edge nodes in the UDM system may further obtain the event information in the system log set, and when the event information corresponding to a node in the system log meets a preset condition, the central node and the edge nodes in the UDM system may vote on revealing the identity information of the first institution corresponding to that edge node.
The following description takes as an example the central node in the UDM system initiating the vote on revealing the identity information of the first institution corresponding to an edge node. Fig. 11 is a schematic flow chart of a data management method according to an embodiment of the present application. As shown in fig. 11, the method may further include S1101 to S1104.
S1101, the central node obtains the first request and a first log corresponding to the first request.
The first request is used to request that the identity information of the first institution corresponding to the malicious node be revealed. The first log may include the logs in the system log set in which event information corresponding to the malicious node is recorded.
In one possible implementation, the first request may be generated by a central node. That is, the central node obtaining the first request may include: the central node generates a first request from the system log set.
For example, for each edge node, when the event information corresponding to the edge node in the system log set meets the preset condition, the central node may determine that the edge node is a malicious node, and generate the first request.
The preset conditions may include:
1. the number of times the edge node broadcasts the wrong authentication information is larger than a preset number of times threshold.
2. The number of failures in generating a block while the edge node acts as the master node is larger than a preset number-of-times threshold.
3. The time length that the number of the nodes connected by the edge nodes is smaller than the number threshold value is larger than a preset time length threshold value.
It should be noted that the number-of-times threshold, the duration threshold, etc. may be preset in a node of the UDM system by an administrator. For example, the number-of-times threshold is 3 times, or 5 times, or the like, and the duration threshold is one week, one month, or the like. The embodiment of the application does not limit the specific numerical values of the number-of-times threshold and the duration threshold.
It should be noted that, in the above preset conditions, the number-of-times threshold for the edge node broadcasting wrong authentication information and the number-of-times threshold for the edge node, acting as the master node, failing to generate a block may be the same or different, which is not limited in the embodiment of the present application.
In another possible implementation, the first request may be generated by an edge node. That is, the central node obtaining the first request may include: the central node receives a first request sent by the edge node, the first request being generated by the edge node from the system log set.
It should be noted that, for the step of generating the first request by the edge node, reference may be made to the description of the step of generating the first request by the central node, which is not repeated here.
S1102, the central node broadcasts a first request and a first log corresponding to the first request.
S1103, the center node acquires the vote of the edge node on the first request.
Wherein the edge node's voting for the first request may include approving the first request, or disapproving the first request.
S1104, when, among the votes of the edge nodes on the first request, the proportion agreeing with the first request is larger than a preset second proportion, the central node broadcasts the identity information of the first mechanism corresponding to the malicious node corresponding to the first request.
Wherein the second ratio may be preset by an administrator in a node in the UDM system. For example, the second ratio is 50%, or 70%, etc. The specific values of the second ratio are not limited in this embodiment.
It should be noted that, when the proportion of the edge nodes that agree with the first request is smaller than the preset second proportion, the central node may reject the first request. That is, after the central node obtains the vote on the first request sent by each edge node in the UDM system, it may also determine, according to the proportion of the edge nodes that agree with the first request and the preset second proportion, whether to broadcast the identity information of the first mechanism corresponding to the malicious node corresponding to the first request.
In the data management method provided by the embodiment of the application, when the UDM system has the malicious node, the central node and the edge node in the UDM system can also record each authentication process in the respective system log set respectively, determine the malicious node according to the system log set, and vote to reveal the identity information of the first mechanism corresponding to the malicious node, thereby preventing the first mechanism corresponding to the malicious node from continuously utilizing the malicious node to interfere with the normal authentication of the UDM system.
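The malicious-node check of S1101 and the vote tally of S1104, as an added example in Python that is not part of the patent. The event record layout, the threshold values (3 times, one week, 2 connected nodes) and the vote encoding are assumptions; the patent leaves the concrete values to the administrator.

```python
"""Added example, not from the patent: a central node checking the three preset
conditions of S1101 over a constructed system log set, then the vote tally of
S1104.  The event record layout, the threshold values and the vote encoding
are assumptions; the patent leaves the concrete values to the administrator."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    """One entry of the system log set for a given edge node (assumed layout)."""
    kind: str            # "bad_auth_broadcast", "block_fail" or "peer_count"
    timestamp: float     # seconds since an arbitrary epoch
    value: int = 0       # number of connected nodes, for "peer_count" samples


@dataclass
class Thresholds:
    """Administrator-preset thresholds (example values: 3 times, one week)."""
    bad_auth_times: int = 3                  # condition 1
    block_fail_times: int = 3                # condition 2, may differ from condition 1
    min_peers: int = 2                       # condition 3: number threshold
    low_peer_duration: float = 7 * 86400.0   # condition 3: duration threshold


def check_conditions(events: List[Event], th: Thresholds) -> List[str]:
    """Return the preset conditions the edge node meets; empty means not malicious."""
    met = []
    if sum(e.kind == "bad_auth_broadcast" for e in events) > th.bad_auth_times:
        met.append("condition1")   # too many wrong authentication broadcasts
    if sum(e.kind == "block_fail" for e in events) > th.block_fail_times:
        met.append("condition2")   # too many block-generation failures as master node
    # Condition 3: longest continuous period during which the node's connected-node
    # count stayed below the number threshold, measured between log samples.
    longest, run_start = 0.0, None
    samples = sorted((e for e in events if e.kind == "peer_count"), key=lambda e: e.timestamp)
    for s in samples:
        if s.value < th.min_peers:
            run_start = s.timestamp if run_start is None else run_start
            longest = max(longest, s.timestamp - run_start)
        else:
            run_start = None
    if longest > th.low_peer_duration:
        met.append("condition3")
    return met


def generate_first_requests(log_set: Dict[str, List[Event]], th: Thresholds) -> List[dict]:
    """S1101 at the central node: one first request per malicious edge node, carrying
    the first log (that node's own event records) so voters can check the evidence."""
    requests = []
    for node, events in log_set.items():
        met = check_conditions(events, th)
        if met:
            requests.append({"malicious_node": node, "conditions": met, "first_log": events})
    return requests


def reveal_approved(votes: Dict[str, bool], second_ratio: float) -> bool:
    """S1104: reveal the organization's identity only when the proportion of edge nodes
    agreeing with the first request is larger than the preset second ratio."""
    if not votes:
        return False
    return sum(votes.values()) / len(votes) > second_ratio


DAY = 86400.0
# Constructed system log set: edge-A broadcasts wrong authentication information
# four times, edge-B stays under-connected for eight days, edge-C is healthy.
SAMPLE_LOG_SET = {
    "edge-A": [Event("bad_auth_broadcast", i * DAY) for i in range(4)],
    "edge-B": [Event("peer_count", d * DAY, value=1) for d in (0, 4, 8)],
    "edge-C": [Event("peer_count", 0.0, value=3), Event("block_fail", 1 * DAY)],
}
# Constructed votes of the other edge nodes on the request against edge-A (True = agree).
SAMPLE_VOTES = {"edge-B": True, "edge-C": True, "edge-D": False, "edge-E": True}


def demo() -> dict:
    th = Thresholds()
    requests = generate_first_requests(SAMPLE_LOG_SET, th)
    return {
        "flagged": {r["malicious_node"]: r["conditions"] for r in requests},
        "reveal_at_50pct": reveal_approved(SAMPLE_VOTES, 0.5),   # 3/4 agree -> True
        "reveal_at_80pct": reveal_approved(SAMPLE_VOTES, 0.8),   # 3/4 agree -> False
    }


if __name__ == "__main__":
    print(demo())
```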
In an exemplary embodiment, the functional modules in the first node may also be integrated into a unit. The present application provides a data management apparatus, which may be applied to the first node in the above method embodiment. Fig. 12 is a schematic diagram of a data management device according to an embodiment of the present application. As shown in fig. 12, the data management apparatus 1200 may include: an acquisition unit 1201, a transmission unit 1202, and a processing unit 1203. The obtaining unit 1201 may be configured to obtain authentication information of a first user, where the first user is a user of a subnet corresponding to the first node. The transmitting unit 1202 may be configured to broadcast the authentication information of the first user. The obtaining unit 1201 may be further configured to receive first information sent by at least one second node respectively; the second node is at least one of: a node other than the first node among the plurality of edge nodes, and the center node; the first information is generated after the second node verifies whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the second node; the first information may be used to indicate whether the authentication information of the first user passes verification by the second node. The processing unit 1203 may be configured to determine an authentication result of the first user according to the first information indicating that verification by the second node passed, the duty ratio (proportion) of that first information among all the first information, and the preset first ratio.
In some possible embodiments, the processing unit 1203 may be further configured to determine, before the sending unit 1202 broadcasts the authentication information of the first user, that the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the first node.
In other possible embodiments, the obtaining unit 1201 may be further configured to receive, in a case where the central node and the edge node are disconnected, registration information of the first user sent from an edge node other than the first node and/or input by a manager of a subnet corresponding to the first node, and store the registration information of the first user.
In still other possible embodiments, the sending unit 1202 may be specifically configured to generate a block according to the authentication information of the first user, where the block includes the authentication information of the first user and the identity information of the first node; the identity information of the first node can be used by the second node to verify the identity of the first node; broadcasting the block.
In still other possible embodiments, the sending unit 1202 may be specifically configured to send the authentication information of the first user to the third node, so that the third node generates a block according to the authentication information of the first user and broadcasts the block; the third node is an edge node or a center node of the plurality of edge nodes other than the first node.
In still other possible embodiments, the first node is connected to the first network device, where the first node stores service quality information of users of the sub-network corresponding to each edge node; the authentication result of the first user includes: pass or not pass. The processing unit 1203 may be further configured to determine, after determining that the first user is a valid registered user, the quality of service information of the first user according to the quality of service information of the user of the subnet corresponding to each edge node, and record the quality of service information. The sending unit 1202 may be further configured to send the quality of service information of the first user to the first network device when the authentication result of the first user is passed, so that the first network device provides services for the first user according to the service quality information of the first user.
In still other possible embodiments, the obtaining unit 1201 may be further configured to receive a first instruction sent by the central node, where the first instruction may be configured to instruct the first node to send the basic quality of service information to the first network device when the authentication result of the first user is passing; the first instruction is sent by the central node when the number of other edge nodes to which the first node is connected is less than a preset number threshold. The sending unit 1202 may be further configured to send basic quality of service information to the first network device when the authentication result of the first user is that the first user passes in response to the first instruction, so that the first network device provides services for the first user according to the basic quality of service information.
In still other possible embodiments, there are a plurality of central nodes, and the plurality of central nodes are interconnected. Each edge node being connected with the central node means that each edge node is connected to one of the plurality of central nodes. The second node being a central node means that the second node is one of the plurality of central nodes.
In an exemplary embodiment, the embodiment of the present application further provides a data management apparatus, which may be applied to the second node in the above method embodiment. Fig. 13 is a schematic diagram of a data management device according to an embodiment of the present application. As shown in fig. 13, the data management apparatus 1300 may include: an acquisition unit 1301, a processing unit 1302, and a transmission unit 1303. The obtaining unit 1301 may be configured to receive authentication information of a first user broadcast by a first node, where the first user is a user of a subnet corresponding to the first node. The processing unit 1302 may be configured to verify whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the second node, and to generate first information according to the result of checking whether the first user is a valid registered user, where the first information may be used for indicating whether the authentication information of the first user passes the check of the second node. The sending unit 1303 may be configured to send the first information to the first node, so that the first node determines an authentication result of the first user according to the first information indicating that verification by the second node passed, the duty ratio of that first information among all the first information, and a preset first ratio.
In some possible embodiments, the authentication information of the first user, which is received by the second node and broadcast by the first node, is sent after the first node determines that the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the first node.
In other possible embodiments, in the case where the central node and the edge node are disconnected, the registration information of the first user stored in the first node is sent by an edge node other than the first node, and/or is input by a manager of the subnet corresponding to the first node.
In still other possible embodiments, the obtaining unit 1301 may specifically be configured to receive a block broadcasted by the first node, where the block is generated by the first node according to authentication information of the first user, and the block includes the authentication information of the first user and identity information of the first node; the identity information of the first node may be used by the second node to verify the identity of the first node.
In still other possible embodiments, the obtaining unit 1301 may specifically be configured to receive a block broadcasted by the third node, where the block is generated by the third node according to the authentication information of the first user after the first node sends the authentication information of the first user to the third node; the third node is an edge node or a center node of the plurality of edge nodes other than the first node.
In still other possible embodiments, the second node stores quality of service information of users of the sub-network corresponding to each edge node. The processing unit 1302 may be further configured to determine, when it is determined that the first user is a valid registered user, quality of service information of the first user according to quality of service information of users of the sub-network corresponding to each edge node stored in the second node, and record the quality of service information.
In still other possible embodiments, there are a plurality of central nodes, and the plurality of central nodes are interconnected. Each edge node being connected with the central node means that each edge node is connected to one of the plurality of central nodes. The second node being a central node means that the second node is one of the plurality of central nodes.
In an exemplary embodiment, the embodiment of the present application further provides a data management apparatus, which may be applied to the central node in the foregoing method embodiment. Fig. 14 is a schematic diagram of a data management device according to an embodiment of the present application. As shown in fig. 14, the data management apparatus 1400 may include: an acquisition unit 1401, a processing unit 1402, and a transmission unit 1403. The acquiring unit 1401 may be configured to acquire a system log set, where the system log set includes each edge node and the event information corresponding to that edge node. The processing unit 1402 may be configured to determine, for each edge node, that the edge node is a malicious node when the event information corresponding to the edge node in the system log set satisfies a preset condition, and to generate a first request. The sending unit 1403 may be configured to broadcast the first request and a first log corresponding to the first request, where the first request may be used to request to reveal the identity information of the first mechanism corresponding to the malicious node, and the first log is the log, in the system log set, that records the event information corresponding to the malicious node. The obtaining unit 1401 may be further configured to obtain the votes of the edge nodes on the first request. The sending unit 1403 may be further configured to broadcast the identity information of the first mechanism corresponding to the malicious node corresponding to the first request when, among the votes, the proportion agreeing with the first request is greater than a preset second proportion.
In an exemplary embodiment, the present application further provides a unified data management (UDM) system, including a central node and a plurality of edge nodes; each edge node is connected with the center node, and each edge node is connected with at least one other edge node among the plurality of edge nodes; a first node acquires authentication information of a first user, wherein the first user is a user of a subnet corresponding to the first node and the first node is one of the plurality of edge nodes; the first node broadcasts the authentication information of the first user; a second node checks whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the second node; the second node generates first information according to the result of checking whether the first user is a valid registered user, the first information being used for indicating whether the authentication information of the first user passes verification by the second node; and the first node determines an authentication result of the first user according to the first information indicating that verification by the second node passed, the duty ratio of that first information among all the first information, and the preset first proportion.
It should be noted that, the unified data management UDM system provided in the embodiment of the present application may further execute steps executed by the first node, the second node, the central node, and the like in the foregoing method embodiment, so as to implement all functions of the first node, the second node, the central node, and the like in the foregoing method embodiment, which are not described herein in detail.
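One authentication round of the UDM system summarized above, as an added Python example that is not part of the patent: the first node's local pre-check, each second node's check against its own stored registration information, and the first node's decision from the proportion of passing first information against the preset first ratio. The form of the authentication information (a digest of user id and secret), the constant-time comparison, and the strict "larger than" comparison against the first ratio are assumptions.

```python
"""Added example, not from the patent: one authentication round of the UDM
system, with the first node's local pre-check, the second nodes' checks against
their own stored registration information, and the first node's decision from
the proportion of passing first information against the preset first ratio.
The digest form of the authentication information, the constant-time compare
and the strict "larger than" threshold comparison are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List


def authentication_information(user_id: str, secret: str) -> str:
    """Assumed shape of the authentication information the first user presents."""
    return hashlib.sha256(f"{user_id}:{secret}".encode()).hexdigest()


@dataclass
class Node:
    name: str
    registry: Dict[str, str]   # registration information: user_id -> registered digest

    def is_valid_registered_user(self, user_id: str, auth: str) -> bool:
        """Check the presented authentication information against the registration
        information this node holds; an unknown user or a mismatch fails."""
        stored = self.registry.get(user_id)
        return stored is not None and hmac.compare_digest(stored, auth)

    def first_information(self, user_id: str, auth: str) -> dict:
        """What a second node returns to the first node after receiving the broadcast."""
        return {"from": self.name, "passed": self.is_valid_registered_user(user_id, auth)}


def authenticate(first_node: Node, second_nodes: List[Node], user_id: str,
                 auth: str, first_ratio: float) -> dict:
    """Flow at the first node: pre-check locally, broadcast, collect first information
    from every second node, then pass only if the proportion of passing replies is
    larger than the preset first ratio."""
    if not first_node.is_valid_registered_user(user_id, auth):
        return {"result": "fail", "reason": "local registration check failed",
                "passed": 0, "total": 0}
    replies = [n.first_information(user_id, auth) for n in second_nodes]
    passed = sum(r["passed"] for r in replies)
    proportion = passed / len(replies) if replies else 0.0
    return {"result": "pass" if proportion > first_ratio else "fail",
            "passed": passed, "total": len(replies), "proportion": proportion}


# Constructed subnet: user u1 registered with secret "s1"; edge-3 holds a stale
# digest (it missed a registration update while disconnected), and the central
# node has no record of u1 at all, so two of five second nodes will fail the check.
GOOD = authentication_information("u1", "s1")
STALE = authentication_information("u1", "old-secret")
FIRST_NODE = Node("edge-1", {"u1": GOOD})
SECOND_NODES = [
    Node("edge-2", {"u1": GOOD}),
    Node("edge-3", {"u1": STALE}),
    Node("edge-4", {"u1": GOOD}),
    Node("edge-5", {"u1": GOOD}),
    Node("central", {}),
]


def demo() -> dict:
    return {
        # 3 of 5 second nodes pass: 0.6 > 0.5 passes, 0.6 > 0.7 does not
        "honest_at_50pct": authenticate(FIRST_NODE, SECOND_NODES, "u1", GOOD, 0.5),
        "honest_at_70pct": authenticate(FIRST_NODE, SECOND_NODES, "u1", GOOD, 0.7),
        # wrong secret never reaches the broadcast: the local pre-check rejects it
        "wrong_secret": authenticate(FIRST_NODE, SECOND_NODES, "u1",
                                     authentication_information("u1", "guess"), 0.5),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```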
In an exemplary embodiment, the present application also provides a computer program product, which when run on a computer causes the computer to perform the above-mentioned related method steps to implement the data management method in the above-mentioned embodiments.
In an exemplary embodiment, the embodiment of the application further provides a network device. Fig. 15 is a schematic structural diagram of a network device according to an embodiment of the present application. As shown in fig. 15, the network device may include: a processor 1501 and a memory 1502; the memory 1502 stores instructions executable by the processor 1501; the processor 1501 is configured to execute the instructions so as to cause the network device to implement the method described in the method embodiments above.
In an exemplary embodiment, embodiments of the application also provide a computer-readable storage medium having computer program instructions stored thereon; the computer program instructions, when executed by a network device, cause the network device to implement the method described in the previous embodiments. The computer-readable storage medium may be a non-transitory computer-readable storage medium, which may be, for example, ROM, random access memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.
The foregoing is merely illustrative of specific embodiments of the present application, and the scope of the present application is not limited thereto, but any changes or substitutions within the technical scope of the present application should be covered by the scope of the present application. Therefore, the protection scope of the present application should be subject to the protection scope of the claims.

Claims (11)

1. A data management method, characterized in that the method is applied to a first node in a unified data management, UDM, system comprising a central node, and a plurality of edge nodes; each of the edge nodes is connected with the central node, and each of the edge nodes is connected with at least one other edge node of the plurality of edge nodes; the first node is one of a plurality of the edge nodes;
the method comprises the following steps:
the first node acquires authentication information of a first user, wherein the first user is a user of a subnet corresponding to the first node;
the first node broadcasts authentication information of the first user;
the first node receives first information sent by at least one second node respectively; the second node is a node other than the first node among the plurality of edge nodes or the center node; the first information is generated after the second node verifies whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the second node; the first information is used for indicating whether authentication information of the first user passes verification of the second node;
the first node determines an authentication result of the first user according to the first information indicating that verification by the second node passed, the duty ratio of that first information among all the first information, and a preset first proportion;
and under the condition that the central node and the edge node are disconnected, the first node receives the registration information of the first user, which is sent by the edge nodes except the first node and/or is input by a manager of a subnet corresponding to the first node, and stores the registration information of the first user.
2. The method of claim 1, wherein prior to the first node broadcasting the authentication information of the first user, the method further comprises:
the first node determines that the first user is an effective registered user according to the authentication information of the first user and the registration information of the first user stored in the first node.
3. The method of claim 1, wherein the first node broadcasting authentication information of the first user comprises:
the first node generates a block according to authentication information of the first user; the block comprises authentication information of the first user and identity information of the first node; the identity information of the first node is used for the second node to verify the identity of the first node;
The first node broadcasts the block.
4. The method of claim 1, wherein the first node broadcasting authentication information of the first user comprises:
the first node sends authentication information of the first user to a third node so that the third node generates a block according to the authentication information of the first user and broadcasts the block; the third node is an edge node or the center node among the plurality of edge nodes other than the first node.
5. The method according to any of claims 1-4, wherein the first node is connected to a first network device, and wherein the first node stores quality of service information of users of the sub-network to which each of the edge nodes corresponds; the authentication result of the first user comprises: pass or fail; the method further comprises the steps of:
after the first node determines that the first user is an effective registered user, determining and recording service quality information of the first user according to service quality information of users of the sub-networks corresponding to each edge node;
and when the authentication result of the first user is that the first user passes, the first node sends the service quality information of the first user to the first network equipment, so that the first network equipment provides service for the first user according to the service quality information of the first user.
6. The method according to any of claims 1-4, wherein the first node is connected to a first network device, and wherein the first node stores quality of service information of users of the sub-network to which each of the edge nodes corresponds; the authentication result of the first user comprises: pass or fail; the method further comprises the steps of:
the first node receives a first instruction sent by the central node, wherein the first instruction is used for commanding the first node to send basic service quality information to the first network equipment when the authentication result of the first user is passing; the first instruction is sent by the central node when the number of other edge nodes connected with the first node is smaller than a preset number threshold;
and responding to the first instruction, and when the authentication result of the first user is that the first user passes, sending the basic service quality information to the first network equipment by the first node so that the first network equipment provides services for the first user according to the basic service quality information.
7. The method of claim 1, wherein there are a plurality of the central nodes;
the plurality of the central nodes are connected with each other;
each of the edge nodes being connected with the central node means that each of the edge nodes is connected to one of the plurality of the central nodes;
the second node being the central node means that the second node is one of the plurality of the central nodes.
8. A data management apparatus, the apparatus being applied to a first node in a unified data management, UDM, system, the UDM system comprising a central node, and a plurality of edge nodes; each of the edge nodes is connected with the central node, and each of the edge nodes is connected with at least one other edge node of the plurality of edge nodes; the first node is one of a plurality of edge nodes, and the first node stores registration information of users of the subnetworks corresponding to each edge node;
the device comprises: the device comprises an acquisition unit, a sending unit and a processing unit;
the acquisition unit is used for acquiring authentication information of a first user, wherein the first user is a user of a subnet corresponding to the first node;
the sending unit is used for broadcasting the authentication information of the first user;
the acquisition unit is further used for receiving first information sent by at least one second node respectively; the second node is a node other than the first node among the plurality of edge nodes or the center node; the first information is generated by the second node according to the result of checking, based on the authentication information of the first user and the registration information of the first user stored in the second node, whether the first user is a valid registered user; the first information is used for indicating whether the authentication information of the first user passes verification by the second node;
the processing unit is used for determining an authentication result of the first user according to the proportion, in the first information respectively sent by the at least one second node, of first information indicating that the authentication information of the first user passes verification, and a preset first proportion;
the acquiring unit is further configured to receive, when the central node and the edge node are disconnected, registration information of the first user, which is sent from an edge node other than the first node and/or input by a manager of a subnet corresponding to the first node, and store the registration information of the first user.
9. A network device, the network device comprising: a processor and a memory;
the memory stores instructions executable by the processor;
the processor is configured to, when executing the instructions, cause the network device to implement the method of any of claims 1-7.
10. A computer-readable storage medium, the computer-readable storage medium comprising: computer software instructions;
the computer software instructions, when run in a network device, cause the network device to implement the method of any one of claims 1-7.
11. A unified data management, UDM, system, characterized in that the UDM system comprises a central node, and a plurality of edge nodes; each of the edge nodes is connected with the central node, and each of the edge nodes is connected with at least one other edge node of the plurality of edge nodes;
wherein a first node acquires authentication information of a first user, wherein the first user is a user of a subnet corresponding to the first node; the first node is one of a plurality of the edge nodes;
the first node broadcasts authentication information of the first user;
The second node checks whether the first user is a valid registered user according to the authentication information of the first user and the registration information of the first user stored in the second node; the second node is a node other than the first node among the plurality of edge nodes or the center node;
the second node generates first information according to a result of checking whether the first user is a valid registered user; the first information is used for indicating whether authentication information of the first user passes verification of a second node;
the second node sends the first information to the first node;
the first node determines an authentication result of the first user according to the first information indicating that verification by the second node passed, the duty ratio of that first information among all the first information, and a preset first proportion;
and under the condition that the central node and the edge node are disconnected, the first node receives the registration information of the first user, which is sent by the edge nodes except the first node and/or is input by a manager of a subnet corresponding to the first node, and stores the registration information of the first user.
CN202111528603.5A 2021-12-14 2021-12-14 Data management method, device, equipment, storage medium and system Active CN114302396B (en)

Publications (2)

Publication Number Publication Date
CN114302396A CN114302396A (en) 2022-04-08
CN114302396B true CN114302396B (en) 2023-11-07

Family

ID=80968556

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111528603.5A Active CN114302396B (en) 2021-12-14 2021-12-14 Data management method, device, equipment, storage medium and system

Country Status (1)

Country Link
CN (1) CN114302396B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117633848B (en) * 2024-01-25 2024-04-12 中信证券股份有限公司 User information joint processing method, device, equipment and computer readable medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107231363A (en) * 2017-06-12 2017-10-03 华南理工大学 A kind of distributed authentication method and authentication model
WO2018174846A1 (en) * 2017-03-20 2018-09-27 Nokia Technologies Oy Distributed network policy decision making
CN111294315A (en) * 2018-12-07 2020-06-16 ***通信集团贵州有限公司 Block chain-based security authentication method, block chain-based security authentication device, block chain-based security authentication equipment and storage medium
CN111711711A (en) * 2020-05-28 2020-09-25 北京邮电大学 Block chain-based top-level domain name management and analysis method and system
CN112583858A (en) * 2021-01-05 2021-03-30 广州华资软件技术有限公司 Unified identity authentication method based on block chain PBFT algorithm
CN112738751A (en) * 2020-12-08 2021-04-30 中车工业研究院有限公司 Wireless sensor access authentication method, device and system
CN113010872A (en) * 2021-04-09 2021-06-22 国网信息通信产业集团有限公司 Identity authentication method and device, computer equipment and storage medium
CN113099449A (en) * 2019-12-19 2021-07-09 中国电信股份有限公司 Authentication method and system of distributed core network and home subscriber server
CN113613248A (en) * 2020-04-20 2021-11-05 华为技术有限公司 Authentication event processing method, device and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10951615B1 (en) * 2018-10-16 2021-03-16 Sprint Communications Company L.P. Wireless network access for data appliances

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018174846A1 (en) * 2017-03-20 2018-09-27 Nokia Technologies Oy Distributed network policy decision making
CN107231363A (en) * 2017-06-12 2017-10-03 华南理工大学 A kind of distributed authentication method and authentication model
CN111294315A (en) * 2018-12-07 2020-06-16 ***通信集团贵州有限公司 Block chain-based security authentication method, block chain-based security authentication device, block chain-based security authentication equipment and storage medium
CN113099449A (en) * 2019-12-19 2021-07-09 中国电信股份有限公司 Authentication method and system of distributed core network and home subscriber server
CN113613248A (en) * 2020-04-20 2021-11-05 华为技术有限公司 Authentication event processing method, device and system
CN111711711A (en) * 2020-05-28 2020-09-25 北京邮电大学 Block chain-based top-level domain name management and analysis method and system
CN112738751A (en) * 2020-12-08 2021-04-30 中车工业研究院有限公司 Wireless sensor access authentication method, device and system
CN112583858A (en) * 2021-01-05 2021-03-30 广州华资软件技术有限公司 Unified identity authentication method based on block chain PBFT algorithm
CN113010872A (en) * 2021-04-09 2021-06-22 国网信息通信产业集团有限公司 Identity authentication method and device, computer equipment and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Nokia, Nokia Shanghai Bell. S3-192276 "Definition of authentication subscription data". 3GPP tsg_sa\wg3_security. 2019, (tsgs3_95bis_sapporo), full text. *
Research on Cloud Native fully converged 5G UDM applications; 郑航帅; Designing Techniques of Posts and Telecommunications (Issue 09); full text *

Also Published As

Publication number Publication date
CN114302396A (en) 2022-04-08

Similar Documents

Publication Publication Date Title
CN108616596B (en) Block chain self-adaptive consensus method based on dynamic authorization and network environment perception
US9578003B2 (en) Determining whether to use a local authentication server
EP2566204B1 (en) Authentication method and device, authentication centre and system
TWI454112B (en) Key management for communication networks
US6275859B1 (en) Tree-based reliable multicast system where sessions are established by repair nodes that authenticate receiver nodes presenting participation certificates granted by a central authority
US7669230B2 (en) Secure switching system for networks and method for securing switching
US11962685B2 (en) High availability secure network including dual mode authentication
WO2019047631A1 (en) Blockchain-based micro-base station communication management method, system and device
US20090158394A1 (en) Super peer based peer-to-peer network system and peer authentication method thereof
CN104780069B (en) A kind of key-course towards SDN and data Layer communication port self-configuration method and its system
CN108881169A (en) Time distribution and synchronous method and system, data processing system based on block chain
WO2008083628A1 (en) A authentication server and a method,a system,a device for bi-authenticating in a mesh network
CN113079215B (en) Block chain-based wireless security access method for power distribution Internet of things
CN101087236B (en) VPN access method and device
CN112671763A (en) Data synchronization method and device under networking environment and computer equipment
CN106576101A (en) A system and method for managing secure communications in an ad-hoc network
CN114302396B (en) Data management method, device, equipment, storage medium and system
CN115038084A (en) Decentralized trusted access method for cellular base station
KR20090002328A (en) Method for joining new device in wireless sensor network
CN112491845B (en) Ordinary node admittance method, device, electronic equipment and readable storage medium
CN113972995B (en) Network configuration method and device
CN111031012B (en) Method for realizing security authentication of DDS domain participant
Piccoli et al. Group key management in constrained IoT settings
CN116669032A (en) Metropolitan area internet of things system, security authentication method and device thereof and storage medium
CN113691394B (en) VPN communication establishing and switching method and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant