CN114978652B - Authority control method of edge device, resource access method and device - Google Patents

Info

Publication number: CN114978652B
Application number: CN202210531123.2A
Authority: CN (China)
Other versions: CN114978652A
Other languages: Chinese (zh)
Inventor: 韩鹏飞
Original and current assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Legal status: Active (granted)
Prior art keywords: edge device, resource, server, edge, identifier

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The disclosure provides an authority control method, a resource access method and an apparatus for an edge device, and relates to the technical field of computers, in particular to the technical fields of the Internet of Things and cloud computing. The implementation scheme is as follows: receiving a permission request of an edge device, wherein the permission request comprises an identifier of the edge device; determining information of a target resource accessible to the edge device based on the identifier of the edge device; obtaining a temporary access credential for accessing the target resource; and returning the information of the target resource and the temporary access credential to the edge device.

Description

Authority control method of edge device, resource access method and device
Technical Field
The present disclosure relates to the field of computer technologies, in particular to the fields of Internet of Things and cloud computing technologies, and more specifically to a method and an apparatus for controlling the authority of an edge device, a method and an apparatus for accessing resources by an edge device, an electronic device, a computer-readable storage medium, and a computer program product.
Background
Cloud computing refers to a technology architecture that accesses a flexibly extensible shared pool of physical or virtual resources through a network, where the resources may include servers, operating systems, networks, software, applications, storage devices, and the like, and may be deployed and managed in an on-demand, self-service manner. Cloud computing technology can provide efficient and powerful data processing capacity for technical applications and model training in artificial intelligence, blockchains and the like.
With the introduction of the concept of the Internet of Everything (IoE), Internet of Things (IoT) devices are gradually becoming the center of data production, and data computation in the Internet of Things is gradually shifting from cloud computing to edge computing.
The approaches described in this section are not necessarily approaches that have been previously conceived or pursued. Unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section. Similarly, the problems mentioned in this section should not be considered as having been acknowledged in any prior art, unless otherwise indicated.
Disclosure of Invention
The disclosure provides an authority control method of an edge device, a resource access method and device, an electronic device, a computer readable storage medium and a computer program product.
According to an aspect of the present disclosure, there is provided an authority control method of an edge device, including: receiving a permission request of an edge device, wherein the permission request comprises an identifier of the edge device; determining information of a target resource accessible to the edge device based on the identification of the edge device; obtaining a temporary access credential for accessing the target resource; and returning the information of the target resource and the temporary access credential to the edge device.
According to an aspect of the present disclosure, there is provided a resource access method for an edge device, including: sending a permission request to a rights server, wherein the permission request comprises the identifier of the edge device; receiving an authorization result returned by the rights server, wherein the authorization result comprises information of a target resource accessible to the edge device and a temporary access credential for accessing the target resource; and sending an access request for the target resource, based on the temporary access credential, to the resource server where the target resource is located.
According to an aspect of the present disclosure, there is provided an authority control apparatus of an edge device, including: a receiving module configured to receive a permission request of an edge device, the permission request including an identification of the edge device; a determination module configured to determine information of a target resource accessible to the edge device based on the identity of the edge device; an obtaining module configured to obtain a temporary access credential for accessing the target resource; and a return module configured to return the information of the target resource and the temporary access credential to the edge device.
According to an aspect of the present disclosure, there is provided a resource access apparatus of an edge device, including: a first request module configured to send a permission request to a rights server, the permission request including an identifier of the edge device; a receiving module configured to receive an authorization result returned by the rights server, wherein the authorization result comprises information of a target resource accessible to the edge device and a temporary access credential for accessing the target resource; and a second request module configured to send an access request for the target resource, based on the temporary access credential, to the resource server where the target resource is located.
According to an aspect of the present disclosure, there is provided an electronic device including: at least one processor; and a memory communicatively coupled to the at least one processor, the memory storing instructions executable by the at least one processor to enable the at least one processor to perform the method of any of the aspects.
According to an aspect of the present disclosure, there is provided a non-transitory computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method of any of the above aspects.
According to an aspect of the disclosure, there is provided a computer program product comprising a computer program which, when executed by a processor, implements the method of any of the above aspects.
According to one or more embodiments of the disclosure, the security of the edge device for accessing cloud resources can be improved.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present disclosure, nor do they limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate exemplary embodiments of the embodiments and, together with the description, serve to explain the exemplary implementations of the embodiments. The illustrated embodiments are for purposes of example only and do not limit the scope of the claims. Throughout the drawings, identical reference numbers designate similar, but not necessarily identical, elements.
FIG. 1 illustrates a schematic diagram of an exemplary system in which various methods described herein may be implemented, according to an embodiment of the present disclosure;
FIG. 2 shows a flow chart of an authority control method of an edge device according to an embodiment of the present disclosure;
FIG. 3 shows a flow chart of a resource access method of an edge device according to an embodiment of the present disclosure;
FIG. 4 shows a schematic diagram of a resource access procedure of an edge device according to an embodiment of the present disclosure;
FIG. 5 shows a block diagram of an authority control apparatus of an edge device according to an embodiment of the present disclosure;
FIG. 6 shows a block diagram of a resource access apparatus of an edge device according to an embodiment of the present disclosure; and
FIG. 7 illustrates a block diagram of an exemplary electronic device that can be used to implement embodiments of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure are described below with reference to the accompanying drawings, in which various details of the embodiments of the disclosure are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope of the present disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
In the present disclosure, unless otherwise specified, the use of the terms "first", "second", etc. to describe various elements is not intended to limit the positional relationship, the timing relationship, or the importance relationship of the elements, and such terms are used only to distinguish one element from another. In some examples, a first element and a second element may refer to the same instance of the element, and in some cases, based on the context, they may also refer to different instances.
The terminology used in the description of the various described examples in this disclosure is for the purpose of describing particular examples only and is not intended to be limiting. Unless the context clearly indicates otherwise, if the number of elements is not specifically limited, the element may be one or a plurality of. Furthermore, the term "and/or" as used in this disclosure is intended to encompass any and all possible combinations of the listed items.
In the disclosure, the processes of collecting, storing, using, processing, transmitting, providing, disclosing and the like of the personal information of the related users are all in accordance with the regulations of related laws and regulations, and do not violate the customs of the public order.
In an edge computing scenario, one user may manage multiple edge devices simultaneously. Edge devices typically have a need to access cloud resources, such as uploading resources to the cloud for storage (i.e., "writing") or downloading cloud resources (i.e., "reading").
For example, the edge device may be a camera deployed by a user in a scene such as industrial quality control, urban traffic management, and the like, and the camera may upload image data acquired by the camera and a working state log thereof to the cloud for storage.
For another example, the edge device may also be a local area network node (e.g., a gateway, an industrial personal computer, a server, etc.) deployed with an AI (Artificial Intelligence) model. The local area network node can acquire environment data acquired by local equipment (such as a camera, a sensor and the like), complete edge calculation reasoning based on an AI model, and upload a reasoning result to a cloud. In addition, the local area network node can also read resources such as configuration files, application scripts and the like from the cloud so as to update data.
In order to ensure the security of the cloud resources, when the edge device requests to access the cloud resources, the corresponding resource server verifies the access authority of the edge device.
In the related art, the user identifier (Access Key, AK, equivalent to a user name) and access key (Secret Key, SK, equivalent to a password) of a user are usually issued to the edge devices managed by that user, and each edge device obtains access rights to cloud resources based on the user's AK/SK and accesses the cloud resources with them. However, issuing the user's AK/SK to an edge device carries a security risk. It means the edge device holds the user's top-level access rights and can access all of the user's data, which threatens the security of that data. In addition, if the edge device has a security vulnerability, the user's AK/SK may leak, so that the user's data may be obtained by unauthorized parties, again threatening the security of the user's data.
In view of the above problems, embodiments of the present disclosure provide an authority control method for an edge device, which can perform automatic and temporary authorization on the edge device when the edge device needs to access a cloud resource, so as to avoid storing AK/SK of a user at the edge device, and improve security of the edge device accessing the cloud resource.
Embodiments of the present disclosure will be described in detail below with reference to the accompanying drawings.
Fig. 1 illustrates a schematic diagram of an exemplary system 100 in which the various methods and apparatus described herein may be implemented in accordance with embodiments of the present disclosure. Referring to FIG. 1, the system 100 includes one or more edge devices 101-1 to 101-N (N ≥ 1, N an integer), a rights server 122, a resource server 124, and one or more communication networks 110 coupling the edge devices 101-1 to 101-N to the rights server 122 and the resource server 124.
The edge devices 101-1 to 101-N may be, for example, local devices (e.g., cameras, industrial sensors, intelligent vehicle-mounted devices, smart home devices, etc.), local area network nodes (e.g., gateways, industrial computers, servers, etc.), or wide area network nodes (e.g., base stations, 5G-MEC (Multi-access Edge Computing) nodes, CDN (Content Delivery Network) nodes, etc.), but are not limited thereto.
According to some embodiments, the edge device 101 may also provide an interface that enables a user to interact with the edge device. The edge device may also output information to the user via the interface. One skilled in the art will appreciate that any number of edge devices may be supported by the present disclosure.
According to some embodiments, the edge devices 101-1 to 101-N may form an edge device cluster, and one or more of the edge devices 101-1 to 101-N may act as an edge gateway for communicating with devices external to the edge device cluster (e.g., rights server 122, resource server 124, etc.). For example, edge device 101-2 may act as the edge gateway of the cluster, and edge devices 101-1 and 101-N communicate with external devices through edge device 101-2.
According to other embodiments, the edge gateway of the edge device cluster may also be implemented as a device other than edge devices 101-1 to 101-N.
Edge devices 101-1 to 101-N are communicatively coupled to rights server 122 and resource server 124 via network 110. Network 110 may be any type of network known to those skilled in the art that can support data communications using any of a variety of available protocols, including but not limited to TCP/IP, SNA, IPX, etc. By way of example only, one or more networks 110 may be a Local Area Network (LAN), an Ethernet-based network, a token ring, a Wide Area Network (WAN), the internet, a virtual network, a Virtual Private Network (VPN), an intranet, an extranet, a blockchain network, a Public Switched Telephone Network (PSTN), an infrared network, a wireless network (e.g., Bluetooth, Wi-Fi), and/or any combination of these and/or other networks.
In some embodiments, rights server 122 and resource server 124 may be implemented as cloud servers. In some embodiments, rights server 122 and resource server 124 may also provide other services or software applications, including non-virtual environments and virtual environments. In some embodiments, these services may be provided as web-based services or cloud services, for example provided to the edge devices 101-1 to 101-N under a software as a service (SaaS) model.
In the configuration shown in FIG. 1, rights server 122 and resource server 124 may include one or more components for implementing the functions performed by rights server 122 or resource server 124. These components may include software components, hardware components, or a combination thereof, which may be executed by one or more processors. The edge devices 101-1 to 101-N may, in turn, use their respective application scripts to interact with the rights server 122 and the resource server 124 and so use the services provided by these components. It should be understood that a variety of different system configurations are possible, which may differ from system 100. Accordingly, fig. 1 is one example of a system for implementing the various methods described herein and is not intended to be limiting.
Rights server 122 and resource server 124 may include one or more general purpose computers, special purpose server computers (e.g., PC (personal computer) servers, UNIX servers, mid-range servers), blade servers, mainframe computers, server clusters, or any other suitable arrangement and/or combination. Rights server 122 and resource server 124 may include one or more virtual machines running a virtual operating system, or other computing architectures involving virtualization (e.g., one or more flexible pools of logical storage that may be virtualized to maintain virtual storage for the servers).
The computing units in rights server 122 and resource server 124 may run one or more operating systems, including any of the operating systems described above as well as any commercially available server operating system. Rights server 122 and resource server 124 may also run any of a variety of additional server applications and/or mid-tier applications, including HTTP servers, FTP servers, CGI servers, JAVA servers, database servers, and the like.
In some embodiments, rights server 122 and resource server 124 may be servers of a distributed system, or servers that incorporate a blockchain. Rights server 122 and resource server 124 may also be cloud servers, or smart cloud computing servers or smart cloud hosts with artificial intelligence technology. A cloud server is a host product in a cloud computing service system that addresses the high management difficulty and weak service scalability of traditional physical hosts and Virtual Private Server (VPS) services.
The system 100 may also include one or more databases 130. In some embodiments, these databases may be used to store resource data and other information that the edge devices 101-1 to 101-N need to access. For example, one or more of the databases 130 may be used to store data collected by the edge devices 101-1 to 101-N. The databases 130 may reside in various locations. For example, the database used by the resource server 124 may be local to the resource server 124, or may be remote from the resource server 124 and communicate with it via a network-based or dedicated connection. The databases 130 may be of different types. In certain embodiments, the database used by the resource server 124 may be, for example, a relational database or a non-relational database. One or more of these databases may store, update, and retrieve data in response to commands.
In some embodiments, one or more of the databases 130 may also be used by applications to store application data. The databases used by the applications may be of different types, such as key-value stores, object stores, or regular stores supported by a file system.
The system 100 of fig. 1 may be configured and operated in various ways to enable application of the various methods and apparatus described in accordance with the present disclosure.
In an embodiment of the present disclosure, the edge devices 101-1 to 101-N may perform the resource access method of the edge device of the embodiment of the present disclosure: when a resource access requirement arises, an edge device sends a permission request to the rights server 122, obtains a temporary access credential for the target resource through the rights server 122, and accesses the target resource at the resource server 124 based on the temporary access credential. The rights server 122 may execute the authority control method of the edge device of the embodiment of the present disclosure, and provide a temporary access credential for the target resource to the edge device in response to a permission request of an edge device 101-1 to 101-N, so as to implement automatic and temporary authorization of the edge device and improve the security of the edge device's access to cloud resources.
Fig. 2 shows a flowchart of a method 200 for controlling the rights of an edge device according to an embodiment of the present disclosure. Method 200 is performed at a rights server, such as rights server 122 shown in FIG. 1. That is, the subject of execution of the various steps of method 200 may be rights server 122 shown in FIG. 1.
As shown in FIG. 2, the method 200 includes steps S210-S240.
In step S210, a permission request of the edge device is received, where the permission request includes an identifier of the edge device.
In step S220, information of a target resource accessible to the edge device is determined based on the identifier of the edge device.
In step S230, a temporary access credential for accessing the target resource is obtained.
In step S240, the information of the target resource and the temporary access credential are returned to the edge device.
According to the embodiment of the disclosure, the target resource accessible to the edge device is determined based on the identifier of the edge device, and a temporary access credential for accessing the target resource is issued to the edge device. This realizes automatic temporary authorization of the edge device, avoids storing the user's AK/SK at the edge device, and improves the security of the edge device's access to cloud resources.
Further, according to the embodiment of the present disclosure, the target resources accessible by different edge devices may be different, so that different access rights can be automatically provided for different edge devices, and flexibility of rights control is improved.
According to some embodiments, the edge device may communicate directly with the rights server. In that case the permission request received by the rights server is sent directly by the edge device, that is, the edge device sends its permission request to the rights server itself. The edge device may communicate with the rights server over the TLS (Transport Layer Security) protocol, for example, to improve the security of the data transmission.
According to other embodiments, the edge device may communicate with the rights server through an edge gateway, where the edge gateway and the edge device belong to the same edge device cluster. In the edge device cluster, only the edge gateway communicates directly with devices outside the cluster; the other edge devices in the cluster communicate with external devices through the edge gateway. This reduces the number of edge devices that communicate directly with the rights server, and thereby reduces the network bandwidth consumption and the device management load of the rights server. The edge gateway may communicate with the rights server over the TLS protocol, for example, thereby improving the security of data transfer.
In the case that the edge device communicates with the rights server through the edge gateway, the permission request received by the rights server is forwarded by the edge gateway: the edge device sends its permission request to the edge gateway of its edge device cluster, and the edge gateway forwards the permission request to the rights server. Correspondingly, the rights server receives the permission request forwarded by the edge gateway. After the rights server has obtained the information of the target resource accessible to the edge device and the temporary access credential for the target resource, it returns the information of the target resource and the corresponding temporary access credential to the edge device through the edge gateway.
According to some embodiments in which an edge gateway is used, a user may configure a device white list through a web page or a corresponding application (App); the white list records the identifiers of the edge devices that are allowed to access the cloud resources. The rights server may send the device white list to the edge gateway. After receiving a permission request from an edge device, the edge gateway first determines whether the identifier of the edge device belongs to the device white list. If so, it forwards the permission request to the rights server; if not, it discards the permission request without forwarding it. That is, in this embodiment, the rights server receives a permission request forwarded by the edge gateway in response to the edge gateway determining that the identifier of the edge device belongs to the device white list.
In this embodiment, the edge gateway screens the permission requests sent by edge devices and forwards only those from edge devices on the device white list to the rights server, so that invalid requests are not sent to the rights server and its computational load is reduced.
According to some embodiments, where the edge device communicates directly with the rights server, the device white list may be stored on the rights server, and the step of determining information of the target resource accessible to the edge device based on the identifier of the edge device includes: in response to determining that the identifier of the edge device belongs to the preset device white list, determining the information of the target resource based on the identifier of the edge device. In response to determining that the identifier of the edge device does not belong to the device white list, the permission request is discarded and not processed further. In this way the rights server filters out invalid permission requests, avoiding unnecessary computation and relieving computational load.
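The following Python is an added example, written for this page and not the patent's or the applicant's own code, of steps S210 to S240 together with the white-list filtering at the edge gateway and at the rights server: the device sends only its identifier, the rights server resolves the target resource from a user-configured association and mints an opaque, short-lived credential, and the resource server honours that credential only for the bound device, bucket and directory and only until it expires. The device names, resource layout, credential lifetime and in-memory credential store are all assumptions.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed sample data (not from the patent): the device white list and the
# user-configured association between an edge device identifier and the target
# resource it is allowed to access.
DEVICE_WHITELIST = {"cam-001"}
DEVICE_RESOURCES = {
    "cam-001": {"endpoint": "bos.example.internal", "bucket": "plant-a",
                "directory": "cluster-1/cam-001/"},
}
CREDENTIAL_TTL_SECONDS = 900  # assumed lifetime of a temporary access credential


@dataclass
class PermissionRequest:
    device_id: str  # the request carries only the device identifier, never an AK/SK


@dataclass
class TemporaryCredential:
    token: str
    device_id: str
    resource: dict
    expires_at: float


class EdgeGateway:
    """Forwards permission requests of cluster members; drops those not on the white list."""

    def __init__(self, whitelist, rights_server):
        self.whitelist = set(whitelist)
        self.rights_server = rights_server
        self.dropped = []  # identifiers whose requests were discarded

    def forward(self, req):
        if req.device_id not in self.whitelist:
            self.dropped.append(req.device_id)  # discarded, never reaches the rights server
            return None
        return self.rights_server.handle_permission_request(req)


class RightsServer:
    def __init__(self, whitelist, resources, clock=time.time):
        self.whitelist = set(whitelist)
        self.resources = resources
        self.clock = clock
        self.issued = {}  # token -> TemporaryCredential, shared with the resource server

    def handle_permission_request(self, req):
        # S210/S220: the white list and the association table decide what the device may access.
        if req.device_id not in self.whitelist:
            return None
        resource = self.resources.get(req.device_id)
        if resource is None:
            return None
        # S230: mint an opaque, short-lived credential bound to this device and resource.
        cred = TemporaryCredential(token=secrets.token_urlsafe(32), device_id=req.device_id,
                                   resource=dict(resource),
                                   expires_at=self.clock() + CREDENTIAL_TTL_SECONDS)
        self.issued[cred.token] = cred
        # S240: return resource information plus the credential; the user's AK/SK never leaves the server.
        return {"resource": cred.resource, "credential": cred.token, "expires_at": cred.expires_at}


class ResourceServer:
    def __init__(self, issued, clock=time.time):
        self.issued = issued
        self.clock = clock

    def authorize(self, token, device_id, bucket, object_key):
        """Accept an access request only with a live credential issued to this device for this resource."""
        cred = self.issued.get(token)
        if cred is None or cred.device_id != device_id:
            return False
        if self.clock() >= cred.expires_at:
            self.issued.pop(token, None)  # expired credentials are purged on first use
            return False
        return bucket == cred.resource["bucket"] and object_key.startswith(cred.resource["directory"])


def run_flow(now):
    """Drive the whole flow with a controllable clock so that expiry can be checked deterministically."""
    state = {"t": now}

    def clock():
        return state["t"]

    rights = RightsServer(DEVICE_WHITELIST, DEVICE_RESOURCES, clock)
    gateway = EdgeGateway(DEVICE_WHITELIST, rights)
    storage = ResourceServer(rights.issued, clock)

    unknown = gateway.forward(PermissionRequest("rogue-999"))  # not on the white list
    result = gateway.forward(PermissionRequest("cam-001"))
    token = result["credential"]
    ok_now = storage.authorize(token, "cam-001", "plant-a", "cluster-1/cam-001/frame-1.jpg")
    other_dir = storage.authorize(token, "cam-001", "plant-a", "cluster-1/cam-002/frame-1.jpg")
    state["t"] = now + CREDENTIAL_TTL_SECONDS + 1  # advance past the credential lifetime
    ok_later = storage.authorize(token, "cam-001", "plant-a", "cluster-1/cam-001/frame-2.jpg")
    return {"dropped": gateway.dropped, "unknown": unknown, "ok_now": ok_now,
            "other_directory": other_dir, "ok_after_expiry": ok_later}


if __name__ == "__main__":
    print(run_flow(time.time()))
```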
According to some embodiments, the permission request further comprises an identifier of the resource server. The resource server may be, for example, an object storage server or a file storage server. Accordingly, the step of determining the information of the target resource accessible to the edge device based on the identifier of the edge device may comprise: sending the identifier of the edge device to the resource server, so that the resource server determines the information of the target resource based on the identifier of the edge device. This decouples the authority control service from the resource service, so that the authority control method of the embodiment can be connected to any existing resource service (such as an object storage service or a file storage service), improving availability and flexibility.
According to some embodiments, the authority control method of the edge device further comprises: determining, based on a preset association among device identifiers, user identifiers and access keys, the target user identifier (the AK of the target user corresponding to the edge device) and the target access key (the SK of that target user) corresponding to the edge device; generating an authentication string based on the target access key; and sending the target user identifier and the authentication string to the resource server, so that the resource server determines whether the permission request is legitimate based on the authentication string, the target user identifier, and the locally stored access key corresponding to the target user identifier. The information of the target resource is determined in response to determining that the permission request is legitimate. In this way the resource server performs identity authentication for the edge device based on the target user's AK/SK, judges whether the permission request is legitimate, and secures the resource access.
The association among the device identifier, the user identifier and the access key may be a direct association or an indirect one established through other fields. For example, where the edge device communicates with the rights server through the edge gateway, the rights server may store the association among the edge gateway identifier, the user identifier and the access key. When forwarding the permission request of the edge device, the edge gateway includes its own identifier, the identifier of the edge gateway, so that the rights server obtains the association between the identifier of the edge device and the identifier of the edge gateway. Combining the association between the edge device identifier and the edge gateway identifier with the association among the edge gateway identifier, the user identifier and the access key yields the association among the device identifier, the user identifier and the access key.
According to some embodiments, a user may pre-configure at the rights server the resources accessible to each edge device, that is, configure an association between the identifier of the edge device and the target resources it may access, and then synchronize that association to the resource server. The resource server may then determine the information of the target resource accessible to the edge device based on that association.
The information of the target resource is used to locate the target resource; it includes, for example, an identifier of the target resource, the file directory to which the target resource belongs, and the like.
According to some embodiments, where the resource server is an object storage server, the target resource is a data object, and the information of the target resource may include the address of the object storage server (an IP address or URL, also called the access point address, endpoint), the user identifier corresponding to the edge device (user), the storage space corresponding to the edge device (bucket), the identifier of the edge device cluster in which the edge device is located (cluster), and the identifier of the edge device (worker). These can be combined as endpoint/user/bucket/cluster/worker to form the identifier of the target resource (data object). The edge device can then access only the target resource (data object) with this specific identifier, which minimizes the edge device's authority and prevents privilege overflow.
According to some embodiments, in the case that the resource server is a file storage server, the target resource is a file, and the information of the target resource may include a preset file directory corresponding to the identifier of the edge device. Therefore, the edge device can only access target resources (files) under a specific file directory, the minimization of the authority of the edge device is realized, and the overflow of the authority is avoided.
According to some embodiments, the step of obtaining the temporary access ticket for accessing the target resource may include: and acquiring the temporary access certificate generated by the resource server. The temporary access credential may be, for example, randomly generated by the resource server. Therefore, the decoupling of the authority control service and the resource service can be realized.
According to some embodiments, the temporary access credential includes a temporary user identifier (ak), a temporary access key (sk) and a temporary token (token), the temporary user identifier and the temporary access key are used for verifying whether the access request sent by the edge device is legal, and the temporary token is used for verifying whether the edge device has the access right of the target resource. Based on the temporary user identification, the temporary access key and the temporary token, the safety of the edge device for accessing the cloud resources can be ensured.
It should be understood that the temporary user identity AK, the temporary access key SK is different from the user AK/SK.
And after the authority server obtains the temporary access certificate generated by the resource server, returning the temporary access certificate and the information of the target resource to the edge device together so that the edge device initiates an access request aiming at the target resource based on the temporary access certificate.
According to some embodiments, the validity period of the temporary access ticket may be preset (e.g., 1 hour). When the validity period of the temporary access credential is over, the method for controlling the authority of the edge device according to the embodiment of the present disclosure needs to be executed again to provide a new temporary access credential to the edge device.
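The authorization flow above (whitelist check, device-to-gateway-to-AK/SK association, authentication string, resource lookup, and issuance of a time-limited temporary credential) as an added Python example; this is not code from the patent or from Baidu. The construction of the authentication string as HMAC-SHA256 over "AK|device id|timestamp", the 5-minute replay window on that timestamp, the in-memory token table, and every identifier and key below are assumptions and constructed sample data, not details taken from the page.

```python
"""Added example: authority server + resource server side of the
authorization flow. Assumptions not in the original: authentication
string = HMAC-SHA256 over "<AK>|<device id>|<timestamp>"; the resource
server rejects timestamps more than 5 minutes off; temporary credentials
are random strings valid for 1 hour; all ids/keys are constructed data.
"""
import hashlib
import hmac
import secrets

TTL_SECONDS = 3600       # validity period, preset to 1 hour as on the page
MAX_SKEW_SECONDS = 300   # replay window for the authentication string (assumption)


def auth_string(sk: str, ak: str, device_id: str, ts: int) -> str:
    """Authentication string derived from the access key SK (assumed construction)."""
    msg = f"{ak}|{device_id}|{ts}".encode()
    return hmac.new(sk.encode(), msg, hashlib.sha256).hexdigest()


# ---- authority server state (constructed) ----
DEVICE_WHITELIST = {"worker1", "worker2"}
# Indirect association: device -> gateway, gateway -> (AK, SK) of the owning user.
DEVICE_TO_GATEWAY = {"worker1": "gateway1", "worker2": "gateway1"}
GATEWAY_TO_USER_KEYS = {"gateway1": ("AKUSER1", "user1-long-lived-sk")}

# ---- resource server state (constructed) ----
USER_KEYS = {"AKUSER1": "user1-long-lived-sk"}
# Device -> accessible resource, synchronized from the authority server.
DEVICE_RESOURCES = {
    "worker1": {"endpoint": "bj.mini.com", "user": "user1", "bucket": "test",
                "cluster": "cluster1", "worker": "worker1"},
    "worker2": {"endpoint": "bj.mini.com", "user": "user1", "bucket": "test",
                "cluster": "cluster1", "worker": "worker2"},
}
ISSUED_TOKENS = {}  # token -> {"ak", "sk", "resource", "expires_at"}


def resource_identifier(info: dict) -> str:
    """endpoint/user/bucket/cluster/worker, the object identifier form used above."""
    return "/".join(info[k] for k in ("endpoint", "user", "bucket", "cluster", "worker"))


def resource_server_authorize(device_id: str, ak: str, auth: str, ts: int, now: int):
    """Verify the authority server's authentication string, then look up the
    device's resource and mint a temporary credential bound to it."""
    sk = USER_KEYS.get(ak)
    if sk is None or abs(now - ts) > MAX_SKEW_SECONDS:
        return None
    # Constant-time comparison: never compare MACs with ==.
    if not hmac.compare_digest(auth_string(sk, ak, device_id, ts), auth):
        return None
    info = DEVICE_RESOURCES.get(device_id)
    if info is None:
        return None
    cred = {"ak": "TMP" + secrets.token_hex(8),
            "sk": secrets.token_urlsafe(32),
            "token": secrets.token_urlsafe(32)}
    ISSUED_TOKENS[cred["token"]] = {"ak": cred["ak"], "sk": cred["sk"],
                                    "resource": resource_identifier(info),
                                    "expires_at": now + TTL_SECONDS}
    return {**cred, **info}  # ak/sk/token plus the target resource fields


def authority_server_handle(device_id: str, gateway_id: str, now: int):
    """Whitelist check, device -> gateway -> (AK, SK), sign, forward to resource server."""
    if device_id not in DEVICE_WHITELIST:
        return None
    if DEVICE_TO_GATEWAY.get(device_id) != gateway_id:
        return None  # the forwarding gateway does not front this device
    ak, sk = GATEWAY_TO_USER_KEYS[gateway_id]
    auth = auth_string(sk, ak, device_id, now)
    return resource_server_authorize(device_id, ak, auth, now, now)
```

The response returned to the device carries only the temporary ak/sk/token and the resource fields; the user's long-lived SK is used solely to compute the authentication string on the authority server and to verify it on the resource server. The gateway-to-device consistency check and the timestamp window are added hardening that the page does not describe; without them a gateway could request credentials for devices it does not front, and a captured authentication string could be replayed.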
Fig. 3 shows a flow diagram of a resource access method 300 of an edge device according to an embodiment of the disclosure. The method 300 is performed by an edge device (e.g., one of the edge devices 101-1 to 101-N shown in Fig. 1); that is, the execution body of each step of method 300 may be any of the edge devices 101-1 to 101-N.
As shown in FIG. 3, the method 300 includes steps S310-S330.
In step S310, a permission request is sent to the authority server; the permission request includes the identifier of the edge device.
In step S320, an authorization result returned by the authority server is received; the authorization result includes the information of the target resource accessible to the edge device and a temporary access credential for accessing the target resource.
In step S330, an access request for the target resource is sent, based on the temporary access credential, to the resource server on which the target resource is located.
According to the embodiments of the disclosure, when the edge device needs to access a resource, it automatically obtains a temporary authorization, so the user's AK/SK need not be stored on the edge device, and the security of the edge device's access to cloud resources is improved.
According to some embodiments, the edge device may send the permission request to the authority server through an edge gateway that belongs to the same edge device cluster as the edge device. This reduces the network bandwidth consumption and the device-management load on the authority server.
According to some embodiments, the authorization result may be obtained, for example, by the above-described method for controlling the rights of the edge device.
According to some embodiments, the temporary access credential includes a temporary user identifier (ak), a temporary access key (sk), and a temporary token (token). The temporary user identifier and temporary access key are used to verify whether the access request is legitimate, and the temporary token is used to verify whether the edge device has access to the target resource. Together they secure the edge device's access to cloud resources.
The access request may be an HTTP or HTTPS request. According to some embodiments, part of the request content of the access request is signed with the temporary access key sk (for example, with a SHA-256-based keyed hash such as HMAC-SHA256) to produce an authentication string, and the temporary user identifier ak, the authentication string, and the temporary token are attached to the access request.
After the resource server receives the access request from the edge device, it extracts the temporary user identifier ak, the authentication string, the temporary token, and the information of the target resource from the request. It determines the temporary access key sk from the locally stored association between ak and sk, signs the corresponding request content with that sk to obtain a string, and compares the string with the authentication string carried in the access request; if the two are the same, the access request is legitimate.
Further, the resource server determines the resource information bound to the temporary token from the locally stored correspondence between temporary tokens and resource information, and compares it with the information of the target resource carried in the access request; if the target resource named in the request falls within the resource information bound to the token (for example, under the object identifier or file directory bound to it), the edge device has access to the target resource.
The resource server allows the edge device to access the target resource only when both checks pass: the access request is legitimate and the edge device has access to the target resource.
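The access-request exchange just described, from both sides, as an added Python example; this is not code from the patent or from Baidu. The signed request content ("METHOD, target identifier, SHA-256 of the body"), the HMAC-SHA256 signature under the temporary sk, the header names, the token table layout, and all credentials and object names are assumptions and constructed sample data. The example also exercises the two failure modes a practitioner cares about that the page only implies: a device using a valid token to reach outside its bound object prefix, and a tampered request body.

```python
"""Added example: edge device signs an access request with its temporary
credential; the resource server verifies the signature, then checks the
token's bound resource and expiry. Assumptions not in the original:
canonical string = "<METHOD>\n<target>\n<sha256(body)>", signature =
HMAC-SHA256 under the temporary sk, header names X-Ak/X-Auth/X-Token,
and the token table below is constructed sample data.
"""
import hashlib
import hmac


def sign_request(sk: str, method: str, target: str, body: bytes) -> str:
    """Authentication string over the request content (assumed construction)."""
    canonical = f"{method}\n{target}\n{hashlib.sha256(body).hexdigest()}"
    return hmac.new(sk.encode(), canonical.encode(), hashlib.sha256).hexdigest()


# ---- edge device side ----
def build_access_request(creds: dict, method: str, target: str, body: bytes) -> dict:
    """Attach ak, the authentication string and the token to the request."""
    return {
        "method": method,
        "target": target,          # full object identifier: endpoint/user/bucket/cluster/worker/...
        "body": body,
        "headers": {
            "X-Ak": creds["ak"],
            "X-Auth": sign_request(creds["sk"], method, target, body),
            "X-Token": creds["token"],
        },
    }


# ---- resource server side (constructed state) ----
TOKENS = {
    "tok-worker1": {"ak": "TMPAK1", "sk": "tmp-sk-1",
                    "resource": "bj.mini.com/user1/test/cluster1/worker1",
                    "expires_at": 1_700_003_600},
}
AK_TO_SK = {"TMPAK1": "tmp-sk-1"}


def check_access(request: dict, now: int) -> str:
    """Return 'ok' or the reason the request is denied."""
    h = request["headers"]
    sk = AK_TO_SK.get(h.get("X-Ak", ""))
    if sk is None:
        return "unknown ak"
    expected = sign_request(sk, request["method"], request["target"], request["body"])
    # Legitimacy check: constant-time comparison of the two strings.
    if not hmac.compare_digest(expected, h.get("X-Auth", "")):
        return "bad signature"
    tok = TOKENS.get(h.get("X-Token", ""))
    if tok is None or tok["ak"] != h["X-Ak"]:
        return "unknown token"      # token must belong to the same temporary credential
    if now >= tok["expires_at"]:
        return "expired"
    # Rights check: the requested object must be the bound resource or lie under it.
    # The "/" boundary matters: worker1's token must not match worker10.
    prefix = tok["resource"]
    target = request["target"]
    if not (target == prefix or target.startswith(prefix + "/")):
        return "out of scope"
    return "ok"
```

The signature check runs before the token check, matching the order on the page, so a request that fails authentication is never used to probe which tokens exist. Expiry is enforced on the server side from the issuance record rather than trusted from the client, which is what makes the 1-hour validity period meaningful.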
Fig. 4 shows a schematic diagram of a resource access process 400 of an edge device according to an embodiment of the disclosure. In process 400, edge device 410 is a camera that needs to upload captured images to an object storage server.
As shown in FIG. 4, the resource access process 400 includes steps S451-S460.
In step S451, the edge device 410 sends a permission request to the edge gateway 420; the request content is as follows:
[Request content rendered as an image in the original (BDA0003646267100000121, BDA0003646267100000131); not reproduced in the text.]
In step S452, the edge gateway 420 determines whether worker1 (the identifier of edge device 410) is on the device whitelist. If so, step S453 is executed: the permission request and the identifier of the edge gateway 420 are sent to the authority server 430. If not, the permission request is discarded and a permission-error message is returned to the edge device 410.
In step S454, the authority server 430 determines the user identifier AK and the access key SK corresponding to the edge gateway 420 from the locally stored association among edge gateway identifier, user identifier, and access key, and generates an authentication string based on the access key SK.
In step S455, the authority server 430 sends the edge device identifier worker1, the user identifier AK, and the authentication string to the resource server 440.
In step S456, the resource server 440 determines the access key SK corresponding to the user identifier AK from the locally stored association between user identifiers and access keys, generates a string based on that SK, and compares it with the authentication string. If the two are the same, the resource server determines that the permission request of the edge device 410 is legitimate and generates the following response message:
[Response message rendered as an image in the original (BDA0003646267100000132); not reproduced in the text.]
In the response message, the ak, sk, and token fields are the temporary access credential, and the remaining fields are the information of the target resource accessible to the edge device 410.
In steps S457 to S459, the resource server 440 returns the response message to the edge device 410 via the authority server 430 and then the edge gateway 420.
In step S460, the edge device 410 may, using the temporary access credential ak, sk, and token, upload the captured images for storage to the data object identified as bj.mini.com/user1/test/cluster1/worker1.
After one hour, the temporary access credential ak, sk, and token expires, and the edge device 410 must re-execute step S451 to obtain a new temporary access credential.
According to an embodiment of the disclosure, an authority control apparatus of an edge device is also provided. Fig. 5 shows a block diagram of the structure of an authority control apparatus 500 of an edge device according to an embodiment of the present disclosure. As shown in Fig. 5, the apparatus 500 includes:
a receiving module 510 configured to receive a permission request of an edge device, the permission request including an identification of the edge device;
a determination module 520 configured to determine information of a target resource accessible to the edge device based on the identity of the edge device;
an obtaining module 530 configured to obtain a temporary access credential for accessing the target resource; and
a returning module 540 configured to return the information of the target resource and the temporary access credential to the edge device.
According to the embodiments of the disclosure, the target resource accessible to the edge device is determined from the identifier of the edge device, and a temporary access credential for accessing that target resource is issued to the edge device. The edge device is thus authorized automatically and temporarily, the user's AK/SK need not be stored on the edge device, and the security of the edge device's access to cloud resources is improved.
According to some embodiments, the receiving module 510 is further configured to receive the permission request forwarded by an edge gateway, where the edge gateway and the edge device belong to the same edge device cluster; the returning module 540 is further configured to return the information of the target resource and the temporary access credential to the edge device via the edge gateway.
According to some embodiments, the permission request further comprises an identification of a resource server, the determining module 520 is further configured to: and sending the identifier of the edge device to the resource server so that the resource server can determine the information of the target resource based on the identifier of the edge device.
According to an embodiment of the disclosure, a resource access apparatus of an edge device is also provided. Fig. 6 shows a block diagram of the structure of a resource access apparatus 600 of an edge device according to an embodiment of the present disclosure. As shown in Fig. 6, the apparatus 600 includes:
a first request module 610 configured to send a permission request to a permission server, the permission request including an identification of the edge device;
a receiving module 620 configured to receive an authorization result returned by the authority server, where the authorization result includes information of a target resource accessible by the edge device and a temporary access credential for accessing the target resource; and
a second request module 630, configured to send, based on the temporary access credential, an access request for the target resource to a resource server where the target resource is located.
According to the embodiments of the disclosure, when the edge device needs to access a resource, it automatically obtains a temporary authorization, so the user's AK/SK need not be stored on the edge device, and the security of the edge device's access to cloud resources is improved.
It should be understood that the various modules or units of the apparatus 500 shown in fig. 5 may correspond to the various steps in the method 200 described with reference to fig. 2, and the various modules or units of the apparatus 600 shown in fig. 6 may correspond to the various steps in the method 300 described with reference to fig. 3. Thus, the operations, features and advantages described above with respect to method 200 are equally applicable to apparatus 500 and the modules and units included therein, and the operations, features and advantages described above with respect to method 300 are equally applicable to apparatus 600 and the modules and units included therein. Certain operations, features and advantages may not be described in detail herein for the sake of brevity.
Although specific functionality is discussed above with reference to particular modules, it should be noted that the functionality of the various modules discussed herein may be divided into multiple modules and/or at least some of the functionality of multiple modules may be combined into a single module. For example, the receive module 510 and the return module 540 described above may be combined into a single module in some embodiments.
It should also be appreciated that the various techniques may be described herein in the general context of software, hardware elements, or program modules. The modules described above with respect to Fig. 5 and Fig. 6 may be implemented in hardware, or in hardware in combination with software and/or firmware. For example, the modules may be implemented as computer program code/instructions configured to be executed by one or more processors and stored in a computer-readable storage medium. Alternatively, the modules may be implemented as hardware logic/circuitry. For example, in some embodiments, one or more of the modules 510-630 may be implemented together in a System on Chip (SoC). The SoC may include an integrated circuit chip (which includes one or more components of a processor (e.g., a central processing unit (CPU), microcontroller, microprocessor, digital signal processor (DSP), etc.), memory, one or more communication interfaces, and/or other circuitry), and may optionally execute received program code and/or include embedded firmware to perform the functions.
According to an embodiment of the present disclosure, there is also provided an electronic apparatus including: at least one processor; and a memory communicatively coupled to the at least one processor, the memory storing instructions executable by the at least one processor, the instructions being executable by the at least one processor to enable the at least one processor to perform a method for controlling the rights of the edge device.
There is also provided, according to an embodiment of the present disclosure, a non-transitory computer-readable storage medium storing computer instructions for causing a computer to execute the authority control method of the edge device described above.
There is also provided, in accordance with an embodiment of the present disclosure, a computer program product including a computer program which, when executed by a processor, implements the above-described method of entitlement control for an edge device.
Referring to Fig. 7, a block diagram of the structure of an electronic device 700 will now be described. The electronic device 700 may be a server or a client of the present disclosure and is an example of a hardware device to which aspects of the present disclosure may be applied. The electronic device is intended to represent various forms of digital electronic computing devices, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions are meant to be examples only and are not meant to limit the implementations of the disclosure described and/or claimed herein.
As shown in fig. 7, the electronic device 700 includes a computing unit 701, which may perform various appropriate actions and processes according to a computer program stored in a Read Only Memory (ROM) 702 or a computer program loaded from a storage unit 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data required for the operation of the device 700 can also be stored. The computing unit 701, the ROM 702, and the RAM 703 are connected to each other by a bus 704. An input/output (I/O) interface 705 is also connected to bus 704.
A number of components in the electronic device 700 are connected to the I/O interface 705, including: an input unit 706, an output unit 707, a storage unit 708, and a communication unit 709. The input unit 706 may be any type of device capable of inputting information to the device 700; it may receive input numeric or character information and generate key signal inputs related to user settings and/or function controls of the electronic device, and may include, but is not limited to, a mouse, a keyboard, a touch screen, a track pad, a track ball, a joystick, a microphone, and/or a remote controller. The output unit 707 may be any type of device capable of presenting information and may include, but is not limited to, a display, speakers, a video/audio output terminal, a vibrator, and/or a printer. The storage unit 708 may include, but is not limited to, magnetic or optical disks. The communication unit 709 allows the device 700 to exchange information/data with other devices via a computer network, such as the Internet, and/or various telecommunication networks, and may include, but is not limited to, a modem, a network card, an infrared communication device, a wireless communication transceiver, and/or a chipset, such as Bluetooth™ devices, 802.11 devices, Wi-Fi devices, WiMAX devices, cellular communication devices, and/or the like.
Computing unit 701 may be a variety of general and/or special purpose processing components with processing and computing capabilities. Some examples of the computing unit 701 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, and so forth. The computing unit 701 performs the various methods and processes described above, such as the method 200 or 300. For example, in some embodiments, the methods 200 or 300 may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as the storage unit 708. In some embodiments, part or all of a computer program may be loaded onto and/or installed onto device 700 via ROM 702 and/or communications unit 709. When the computer program is loaded into RAM 703 and executed by the computing unit 701, one or more steps of the methods 200 or 300 described above may be performed. Alternatively, in other embodiments, the computing unit 701 may be configured to perform the methods 200 or 300 in any other suitable manner (e.g., by way of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SoCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, that receives data and instructions from, and transmits data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server with a combined blockchain.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present disclosure may be performed in parallel, sequentially or in different orders, and are not limited herein as long as the desired results of the technical solutions disclosed in the present disclosure can be achieved.
Although embodiments or examples of the present disclosure have been described with reference to the accompanying drawings, it is to be understood that the above-described methods, systems and apparatus are merely exemplary embodiments or examples, and that the scope of the present invention is not limited by these embodiments or examples but only by the claims as issued and their equivalents. Various elements in the embodiments or examples may be omitted or replaced with equivalents thereof. Further, the steps may be performed in an order different from that described in the present disclosure, and various elements in the embodiments or examples may be combined in various ways. In particular, as technology evolves, many of the elements described herein may be replaced by equivalent elements that appear after the present disclosure.

Claims (16)

1. An authority control method of an edge device, comprising:
receiving a permission request of an edge device, wherein the permission request comprises an identifier of the edge device and an identifier of a resource server;
sending the identifier of the edge device to the resource server so that the resource server determines the information of a target resource accessible to the edge device based on the identifier of the edge device;
acquiring a temporary access credential generated by the resource server for accessing the target resource; and
returning the information of the target resource and the temporary access credential to the edge device.
2. The method of claim 1, wherein,
the receiving the authority request of the edge device comprises: receiving the permission request forwarded by an edge gateway, wherein the edge gateway and the edge device belong to the same edge device cluster;
returning the information of the target resource and the temporary access credential to the edge device comprises: returning, via the edge gateway, the information of the target resource and the temporary access credential to the edge device.
3. The method of claim 2, further comprising: sending a device white list to the edge gateway,
wherein the receiving the permission request forwarded by the edge gateway includes: receiving the permission request forwarded by the edge gateway in response to the edge gateway determining that the identifier of the edge device belongs to the device white list.
4. The method of claim 1, wherein sending the identifier of the edge device to the resource server comprises:
in response to determining that the identifier of the edge device belongs to a preset device white list, sending the identifier of the edge device to the resource server.
5. The method of claim 1, further comprising:
determining a target user identifier and a target access key corresponding to the edge device based on the preset association relationship among the device identifier, the user identifier and the access key;
generating an authentication string based on the target access key; and
sending the target user identifier and the authentication string to the resource server so that the resource server determines whether the permission request is legitimate based on the authentication string, the target user identifier, and the locally stored access key corresponding to the target user identifier,
wherein the information of the target resource is determined in response to determining that the permission request is legitimate.
6. The method of claim 1, wherein the resource server comprises an object storage server, and the information of the target resource comprises an address of the object storage server, a user identifier corresponding to the edge device, a storage space corresponding to the edge device, an identifier of an edge device cluster where the edge device is located, and an identifier of the edge device.
7. The method of claim 1, wherein the resource server comprises a file storage server, and the information of the target resource comprises a preset file directory corresponding to the identifier of the edge device.
8. The method of any of claims 1-7, wherein the temporary access credentials comprise a temporary user identification, a temporary access key, and a temporary token, the temporary user identification and the temporary access key to verify that an access request sent by the edge device is legitimate, and the temporary token to verify that the edge device has access to the target resource.
9. A resource access method of an edge device comprises the following steps:
sending a permission request to a permission server, wherein the permission request comprises the identifier of the edge device and the identifier of a resource server;
receiving an authorization result returned by the permission server, wherein the authorization result is obtained by the method of any one of claims 1-8, and the authorization result comprises information of a target resource accessible by the edge device and a temporary access credential for accessing the target resource; and
sending an access request for the target resource to the resource server where the target resource is located based on the temporary access credential.
10. The method of claim 9, wherein the temporary access credential comprises a temporary user identifier, a temporary access key and a temporary token, the temporary user identifier and the temporary access key being used to verify that the access request is legitimate, and the temporary token being used to verify that the edge device is permitted to access the target resource.
11. The method of claim 9 or 10, wherein sending the permission request to the permission server comprises:
sending the permission request to the permission server through an edge gateway, wherein the edge gateway and the edge device belong to the same edge device cluster.
12. An authority control apparatus of an edge device, comprising:
a receiving module configured to receive a permission request of an edge device, the permission request including an identifier of the edge device and an identifier of a resource server;
a determining module configured to send the identifier of the edge device to the resource server so that the resource server determines information of a target resource accessible to the edge device based on the identifier of the edge device;
an obtaining module configured to obtain a temporary access credential generated by the resource server for accessing the target resource; and
a return module configured to return the information of the target resource and the temporary access credential to the edge device.
13. The apparatus of claim 12, wherein,
the receiving module is further configured to receive the permission request forwarded by an edge gateway, where the edge gateway and the edge device belong to the same edge device cluster;
the return module is further configured to return the information of the target resource and the temporary access credential to the edge device via the edge gateway.
14. A resource access apparatus of an edge device, comprising:
a first request module configured to send a permission request to a permission server, the permission request including an identifier of the edge device and an identifier of a resource server;
a receiving module configured to receive an authorization result returned by the permission server, wherein the authorization result is obtained by the method of any one of claims 1 to 8, and the authorization result includes information of a target resource accessible by the edge device and a temporary access credential for accessing the target resource; and
a second request module configured to send an access request for the target resource to the resource server where the target resource is located based on the temporary access credential.
15. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-11.
16. A non-transitory computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method of any one of claims 1-11.
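The three-party flow of claims 1 to 11 (permission server checks the white list and signs the request with the device's access key, the resource server validates it, scopes the device to its own storage space and issues a temporary identifier, key and token, the edge device then presents that credential), as an added Python example that is not part of the patent. The HMAC construction of the authentication string, the bucket naming, the expiry time and every identifier are assumptions made for the example.

```python
import hashlib, hmac, secrets, time

def auth_string(access_key, device_id, user_id):
    # Claim 5: authentication string derived from the access key (HMAC is an assumption here)
    return hmac.new(access_key, f"{device_id}|{user_id}".encode(), hashlib.sha256).hexdigest()

class ResourceServer:
    """Object-storage side: verifies the signed request, scopes the device (claim 6), issues credentials (claim 8)."""
    def __init__(self, server_id, user_keys, ttl=300):
        self.server_id, self.user_keys, self.ttl = server_id, user_keys, ttl
        self.temp = {}  # temp_user_id -> (temp_key, temp_token, space, expiry)
    def authorize(self, device_id, user_id, auth):
        key = self.user_keys.get(user_id)
        if key is None or not hmac.compare_digest(auth_string(key, device_id, user_id), auth):
            return None  # permission request is not legitimate
        target = {"server": self.server_id, "user": user_id, "space": f"bucket-{device_id}"}
        temp_user, temp_key, token = "tmp-" + secrets.token_hex(4), secrets.token_hex(16), secrets.token_hex(16)
        self.temp[temp_user] = (temp_key, token, target["space"], time.time() + self.ttl)
        return target, (temp_user, temp_key, token)
    def access(self, temp_user, temp_key, token, space):
        rec = self.temp.get(temp_user)
        if rec is None or not hmac.compare_digest(rec[0], temp_key):
            return "rejected: unknown or mismatched temporary credentials"
        if time.time() > rec[3]:
            return "rejected: expired"
        if not hmac.compare_digest(rec[1], token) or rec[2] != space:
            return "rejected: token does not grant this resource"
        return f"ok: {space}"

class PermissionServer:
    """Authority side: device white list (claim 4) and device -> (user, key) table (claim 5)."""
    def __init__(self, whitelist, assoc, servers):
        self.whitelist, self.assoc, self.servers = whitelist, assoc, servers
    def handle(self, device_id, server_id):
        if device_id not in self.whitelist:
            return None
        user_id, access_key = self.assoc[device_id]
        return self.servers[server_id].authorize(device_id, user_id, auth_string(access_key, device_id, user_id))

def edge_device_flow(perm, device_id, server_id, space=None):
    """Claim 9: obtain the authorization result, then access the target with the temporary credential."""
    result = perm.handle(device_id, server_id)
    if result is None:
        return "denied by permission server"
    target, (temp_user, temp_key, token) = result
    return perm.servers[server_id].access(temp_user, temp_key, token, space or target["space"])

# Constructed sample deployment (not from the patent): edge-001 is white-listed, edge-999 is not.
KEY_A = b"constructed-access-key-for-user-a"
RS, RS_EXPIRED = ResourceServer("oss-1", {"user-a": KEY_A}), ResourceServer("oss-2", {"user-a": KEY_A}, ttl=-1)
PS = PermissionServer({"edge-001"}, {"edge-001": ("user-a", KEY_A), "edge-999": ("user-a", KEY_A)},
                      {"oss-1": RS, "oss-2": RS_EXPIRED})
```

Each rejection path corresponds to one check the claims name: white list, authentication string, temporary key, expiry, and token scope.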

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210531123.2A CN114978652B (en) 2022-05-16 2022-05-16 Authority control method of edge device, resource access method and device

Publications (2)

Publication Number Publication Date
CN114978652A (en) 2022-08-30
CN114978652B (en) 2023-04-11

Family

ID=82984007

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant