CN116033426A - Access control method, device and storage medium for network function

Info

Publication number
CN116033426A
Authority
CN
China
Legal status
Pending
Application number
CN202111243072.5A
Other languages
Chinese (zh)
Inventor
闫茹
齐旻鹏
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute

Abstract

The application discloses a method, a device and a storage medium for controlling access to a Network Function (NF). The method comprises the following steps: acquiring a first request sent by a first NF in an NF set, the first request requesting an access token of a target NF; querying, based on the first request and management information of the NF set, whether the NF set has a valid access token of the target NF; and if it is determined that the NF set has a valid access token of the target NF, sending the stored valid access token to the first NF. The valid access token can thus be used by different NFs in the NF set during its validity period, a large number of NFs are prevented from each requesting the access token of the target NF from the NRF, and the resource consumption of NF access is reduced.

Description

Access control method, device and storage medium for network function
Technical Field
The present invention relates to the field of network security, and in particular to a method and apparatus for controlling access to a Network Function (NF), and a storage medium.
Background
The 5G (5th Generation mobile communication technology) core network adopts a Service-based Architecture (SBA) and decomposes the Network Functions (NFs) into a number of relatively independent, flexibly callable service modules, which fundamentally changes how new services are created and how the NFs communicate with each other.
In the related art, a service producer NF exposes its own capabilities to the network as services through a service-based interface and is called by other NFs; a service consumer NF discovers and obtains, through the service-based interface, a service producer NF instance that offers the desired service. 5G introduces the OAuth (Open Authorization) 2.0 authorization mechanism, with the NRF (NF Repository Function) acting as the OAuth authorization server that provides authentication and authorization services for the NFs. The NRF receives the registration request of an NF and maintains the related information and supported services of the NF instance; the NRF receives the discovery request of an NF and returns the corresponding NF instance information. This more open and flexible architecture presents new challenges for 5G network security and requires research into different approaches to new security threats.
In 3GPP (3rd Generation Partnership Project) TS (Technical Specification) Rel-16 (Release 16), a service consumer NF requests an access token (Token) from the NRF in order to request a service from a service producer NF. Because the concept of the NF set is introduced into the 5G SBA architecture, if the NRF grants an access token to a service consumer NF set and another NF in that NF set then requests a service from the same service producer NF, a new access token has to be requested from the NRF. As a result, the access token is not fully used by the NF set within its validity period, a new access token is required every time a different NF instance in the NF set requests an existing resource, the number of access token requests multiplies, and resources are wasted.
Disclosure of Invention
In view of this, embodiments of the present application provide a method, an apparatus, and a storage medium for controlling access to a network function, which aim to effectively reduce resource consumption for accessing the network function.
The technical scheme of the embodiment of the application is realized as follows:
in a first aspect, an embodiment of the present application provides a method for controlling access to a network function, including:
acquiring a first request sent by a first NF in a Network Function (NF) set, wherein the first request is used for requesting an access token of a target NF;
querying whether the NF set has a valid access token of the target NF based on the first request and management information of the NF set;
and if the NF set is determined to have the valid access token of the target NF, the stored valid access token is sent to the first NF.
In the above scheme, the method further comprises:
and if it is determined that the NF set does not have an access token of the target NF, or the access token of the target NF has expired, generating the access token of the target NF based on the first request and sending it to the first NF.
In the above solution, before the sending the stored valid access token to the first NF, the method further includes:
Forwarding the first request to a second NF of the set of NFs that currently owns the valid access token;
and determining whether to send the stored valid access token to the first NF based on a response message returned by the second NF.
In the above solution, the determining whether to send the stored valid access token to the first NF based on the response message returned by the second NF includes:
if the response message returned by the second NF is a first message confirming forwarding, or no response message from the second NF is received within a set time period, sending the stored valid access token to the first NF; or
and if the response message returned by the second NF is the second message refusing forwarding, sending a third message refusing the first request to the first NF.
In the above scheme, the method further comprises:
and updating the management information of the NF set based on the transmission information of the effective access token or the transmission information of the newly generated access token.
In the above scheme, the method further comprises:
an access token generated based on the first request is stored.
In the above scheme, the method further comprises:
Authenticating the first NF based on the first request and management information of the NF set;
and determining that the first NF belongs to the NF set, and inquiring whether the NF set has a valid access token of the target NF or not based on the first request and management information of the NF set.
In a second aspect, an embodiment of the present application provides a method for controlling access to a network function, including:
obtaining a first request forwarded by an NF Repository Function (NRF) from a first NF in a Network Function (NF) set, the first request being for requesting an access token of a target NF;
and returning a response message to the NRF based on the usage state of the valid access token of the target NF currently owned by the NF set, the response message indicating whether the NRF forwards the stored valid access token.
In the above solution, returning the response message to the NRF based on the usage state of the valid access token of the target NF currently owned by the NF set includes:
sending a first message confirming forwarding to the NRF if it is determined that the valid access token is not being used; or
sending a second message refusing forwarding to the NRF if it is determined that the valid access token is being used.
In the above solution, if it is determined that the valid access token is not being used, the method further includes:
and deleting the locally stored valid access token.
In a third aspect, an embodiment of the present application provides an access control device for a network function, including:
a first obtaining module, configured to obtain a first request sent by a first NF in a Network Function (NF) set, where the first request is used to request an access token of a target NF;
a query module, configured to query, based on the first request and management information of the NF set, whether the NF set has a valid access token of the target NF;
and a first processing module, configured to send the stored valid access token to the first NF if it is determined that the NF set has the valid access token of the target NF.
In a fourth aspect, an embodiment of the present application provides an access control device for a network function, including:
a second obtaining module, configured to obtain a first request forwarded by a network storage function (NRF) from a first NF in a Network Function (NF) set, where the first request is used to request an access token of a target NF;
and a second processing module, configured to return a response message to the NRF based on the usage state of the valid access token of the target NF currently owned by the NF set, the response message indicating whether the NRF forwards the stored valid access token.
In a fifth aspect, embodiments of the present application further provide a network function device, including: a processor and a memory for storing a computer program capable of running on the processor, wherein the processor is adapted to perform the steps of the method according to the first aspect of the embodiments of the present application when the computer program is run.
In a sixth aspect, an embodiment of the present application further provides a network function device, including: a processor and a memory for storing a computer program capable of running on the processor, wherein the processor is adapted to perform the steps of the method according to the second aspect of the embodiments of the present application when the computer program is run.
In a seventh aspect, the embodiments of the present application further provide a storage medium having a computer program stored thereon, which when executed by a processor, implements the steps of any of the methods of the embodiments of the present application.
According to the technical solution provided by the embodiments of the application, a first request sent by a first NF in the NF set is obtained, the first request requesting an access token of a target NF; whether the NF set has a valid access token of the target NF is queried based on the first request and management information of the NF set; and if it is determined that the NF set has a valid access token of the target NF, the stored valid access token is sent to the first NF. The valid access token can thus be used by different NFs in the NF set during its validity period, a large number of NFs are prevented from each requesting the access token of the target NF from the NRF, and the resource consumption of NF access is reduced.
Drawings
FIG. 1 is a flow chart of an access control method of NF according to an embodiment of the present application;
FIG. 2 is a flow chart of an access control method of NF according to another embodiment of the present application;
FIG. 3 is a flow chart of an access control method of NF in an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an access control device of NF according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of an access control device of NF according to another embodiment of the present application;
FIG. 6 is a schematic structural diagram of a first network function device according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a second network function device according to an embodiment of the present application.
Detailed Description
The present application is described in further detail below with reference to the accompanying drawings and examples.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein in the description of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application.
Before describing embodiments of the present application in further detail, the terms and terminology involved in the embodiments of the present application will be described, and the terms and terminology involved in the embodiments of the present application are suitable for the following explanation:
An NF set is a set of functionally equivalent and interchangeable NFs or NF services.
The service consumer NF, as the consumer of an NF service, needs to obtain the access token of the service producer NF through the NRF and presents the obtained access token to the service producer NF for token verification when invoking the service.
The service producer NF acts as the provider of an NF service; on the one hand, the access token of the service producer NF is provided to the NRF for authentication when the NF registers, and on the other hand, the service consumer NF is authenticated when it invokes the services the producer provides.
The concept of the NF set was introduced in the 5G SBA architecture, in 3GPP TS 23.501/29.500, allowing an access token to be used by all NF instances in the service consumer NF set. However, the specific usage of access tokens in NF sets has not been specified in 3GPP TS Rel-16. In addition, all NF instances in the NF set share resources and contexts, which may cause a resource deadlock if multiple NF instances in the NF set use the access token to request the same resources or services at the same time.
Based on this, in various embodiments of the present application, an access control method for NF is provided, which can implement that an effective access token of a target NF (i.e. a service producer NF) is used by different NFs in an NF set (i.e. a service consumer NF set) during its validity period, so as to reduce resource consumption of NF access.
An embodiment of the application provides an access control method of NF, which can be applied to a network device that manages NFs, for example the NRF. It can be understood that the NRF may be used to perform NF registration, management and status detection, so as to implement automatic NF management: each NF must register with the NRF when it starts up before it can provide services, and the registration information includes the NF type, address, service list, and the like.
As shown in fig. 1, the access control method includes:
step 101, acquiring a first request sent by a first NF in the NF set, where the first request is used to request an access token of a target NF.
It will be appreciated that the NRF acts as the NF registration and discovery center within the 5G system, so the first NF (i.e. the service consumer NF) may obtain from the NRF, by means of an NF discovery request, the address of the target NF (i.e. the service producer NF) that provides the service. The first NF may then generate the first request based on the address of the target NF and send it to the NRF.
Step 102, inquiring whether the NF set has a valid access token of the target NF or not based on the first request and the management information of the NF set.
Here, after the NRF obtains the first request sent by the first NF, it queries whether the NF set has a valid access token of the target NF based on the first request and management information of the NF set.
It may be appreciated that, if another NF in the NF set (such as the second NF) has previously requested the access token of the target NF and the access token is still within its validity period, a record of the valid access token of the target NF may exist in the management information of the NF set maintained by the NRF; for example, the record may include the address of the target NF, the validity period of the access token, and the address of the NF where the access token is currently located. Thus, based on the address of the target NF carried by the first request, it can be queried whether an access token matching that address exists in the management information of the NF set, and if so, the second NF in the NF set that currently owns the valid access token can be determined from the NF address where the access token is currently located.
Step 103, if it is determined that the NF set has a valid access token of the target NF, the stored valid access token is sent to the first NF.
Here, the NRF determines that the NF set has a valid access token of the target NF based on the first request and management information of the NF set, and then the NRF transmits the stored valid access token to the first NF. It should be noted that the NRF may pre-store a backup of the valid access token and forward the backup to the first NF.
It can be understood that in the embodiment of the present application, if the NRF determines that the NF set has an effective access token of the target NF, the stored effective access token is forwarded to the first NF, so that the effective access token can be used by different NFs in the NF set in the validity period, a large number of NFs can be effectively avoided from requesting the NRF for the access token of the target NF, and resource consumption of NF access is further reduced.
Illustratively, the access control method further comprises:
if it is determined that the NF set does not have an access token of the target NF, or the existing access token of the target NF has expired, generating the access token of the target NF based on the first request and sending it to the first NF.
It may be appreciated that, when the management information of the NF set is queried by the target NF address carried in the first request and it is determined that no matching access token exists or the access token has expired, the NRF regenerates the access token of the target NF and sends it to the first NF.
Here, the NRF may generate the access token of the target NF according to the OAuth 2.0 authorization mechanism specified in 3GPP TS 33.501 and send the access token to the first NF; the related authorization mechanism is not described here.
In order to avoid the problem that when multiple NF instances in the NF set request the same resource or service by using the access token, a resource deadlock may be caused, in some embodiments, before the stored valid access token is sent to the first NF, the access control method includes:
Forwarding the first request to a second NF in the NF set currently having a valid access token;
based on the response message returned by the second NF, it is determined whether to send the stored valid access token to the first NF.
It can be understood that, after the second NF receives the first request forwarded by the NRF from the first NF, the second NF determines whether it is currently using the valid access token it owns and generates a response message to the NRF accordingly; the NRF then determines, based on the response message, whether to forward the stored valid access token to the first NF. In this way, before forwarding the valid access token, the NRF confirms from the response message returned by the second NF whether a resource deadlock would be caused, thereby improving the reliability of NF access.
Illustratively, determining whether to send the stored valid access token to the first NF based on the response message returned by the second NF comprises:
if the response message returned by the second NF is the first message confirming forwarding, or no response message from the second NF is received within a set time period, sending the stored valid access token to the first NF; or
and if the response message returned by the second NF is the second message refusing forwarding, sending a third message refusing the first request to the first NF.
It will be appreciated that the second NF generates and sends a first message confirming forwarding to the NRF if it determines that the valid access token is not being used, and generates and sends a second message refusing forwarding to the NRF if it determines that the valid access token is being used.
Here, the NRF may send the stored valid access token to the first NF based on the received first message; alternatively, the NRF may send a third message rejecting the first request to the first NF based on the received second message, and the first NF may resend the first request to request the access token again after receiving the third message.
It should be noted that, when the NRF does not receive a response message from the second NF within the set period of time, it may conclude that the second NF has suffered a network failure; in that case the NRF may still forward the valid access token to the first NF, so that a failure of the second NF does not cause the forwarding of the access token to fail.
Illustratively, the access control method further comprises:
the management information of the NF set is updated based on the transmission information of the valid access token or the transmission information of the newly generated access token.
It will be appreciated that the NRF also needs to update the management information of the maintained NF set. Here, for the case of forwarding the valid access token, the NRF may update the address of the NF currently having the access token in the management information of the NF set based on the transmission information of the valid access token (for example, the NRF forwards the valid access token to the first NF, and the first NF returns acknowledgement that the valid access token is received); for the case where the NRF generates an access token, the NRF may update management information of the NF set based on transmission information of the access token (e.g., the NRF transmits the generated access token to the first NF, and the first NF returns acknowledgement information of acknowledging receipt of the access token), e.g., records addresses of valid access tokens and corresponding NFs.
Illustratively, the access control method further comprises:
an access token generated based on the first request is stored.
It can be appreciated that, in addition to sending the newly generated access token to the NF, the NRF locally stores a backup of the access token, facilitating subsequent forwarding of the access token to other NFs in the NF set.
Illustratively, the access control method further comprises:
performing identity authentication on the first NF based on the first request and management information of the NF set;
and determining that the first NF belongs to the NF set, and inquiring whether the NF set has a valid access token of the target NF or not based on the first request and management information of the NF set.
It can be appreciated that the NRF may first perform identity authentication on the first NF based on the first request and the management information of the NF set, so as to determine whether the first NF belongs to the NF set. Illustratively, using the management information of the NF set it maintains, the NRF can determine whether the first NF belongs to the NF set based on the address of the first NF carried by the first request, and executes the subsequent steps only when it determines that the first NF belongs to the NF set, so that a malicious NF can be prevented from masquerading as a member of the NF set in order to apply for and use the access tokens of the NF set.
The embodiment of the present application further provides an access control method of a network function, which is applied to NFs currently having valid access tokens in an NF set, for example, the foregoing second NF, as shown in fig. 2, and the access control method includes:
step 201, obtaining a first request forwarded by NRF from a first NF in NF set, where the first request is used for requesting an access token of a target NF.
Step 202, returning a response message to the NRF based on the usage state of the valid access token of the target NF currently owned by the NF, the response message indicating whether the NRF forwards the stored valid access token.
Considering that all NF instances in the NF set share resources and contexts, if multiple NF instances in the NF set use the access token to request the same resources or services at the same time, a resource deadlock problem may be caused. In the embodiment of the application, the second NF returns the response message to the NRF based on the use state of the valid access token of the NF set corresponding to the target NF currently owned, so that it can be ensured that only one NF instance in one NF set can acquire the access token at the same time, and the problem of resource deadlock is effectively eliminated.
Illustratively, returning a response message to the NRF based on the usage state of the currently owned valid access token of the NF set for the target NF includes:
if it is determined that the valid access token is not being used, sending a first message confirming forwarding to the NRF; or
if it is determined that the valid access token is being used, sending a second message refusing forwarding to the NRF.
Here, after receiving the first request forwarded by the NRF from the first NF, if it is determined that the valid access token is not used by the second NF, the second NF sends a first message confirming the forwarding to the NRF, and the NRF may forward the valid access token to the first NF based on the first message. If the second NF determines that the valid access token is being used, the second NF sends a second message for rejecting forwarding to the NRF, and the NRF sends a third message for rejecting the first request to the first NF, so that the first NF resends the first request. Thus, the first NF can receive the effective access token forwarded by the NRF and effectively avoid resource deadlock caused by that a plurality of NF in the NF set use the access token at the same time.
Illustratively, if the second NF determines that a valid access token is not being used, the access control method further comprises:
and deleting the locally stored valid access token.
Here, the second NF may delete the locally stored valid access tokens, so that only one NF in the NF set obtains and stores the valid access tokens, which is beneficial to meeting the requirement that the access tokens are uniquely called by the NF in the NF set.
It can be understood that, with the NF access control method of the embodiments of the application, all NF instances in the NF set may share a valid access token, so that resources and contexts are shared, and, based on the confirmation mechanism before the access token is forwarded and the maintenance of the management information of the NF set, only one NF instance in an NF set can use the access token at any one time. For example, a set of multiple SMF (Session Management Function) instances and a UPF (User Plane Function) establish a PDU (Packet Data Unit) session over an N4 connection; all SMF instances in the set can control the N4 connection, but only one SMF instance is allowed to control the connection at a time.
The present application is described in further detail below in connection with examples of application.
In this application example, NFa and NFb belong to the same service consumer NF set and NFp is a service producer NF. As shown in fig. 3, the method for controlling NF access in this application example includes:
Step 301, NFb sends a Token request to the NRF.
NFb sends a Token request (corresponding to the first request described above) to the NRF, requesting an access Token for the service of NFp.
Step 302, NFb is authenticated together with the NF set it belongs to, and the state of the requested Token is queried.
After the NRF receives the Token request, it first authenticates the identity of NFb and verifies whether NFb is in the NF set it claims to belong to. After determining that NFb is in the NF set, it queries the issuing state of the access Token corresponding to NFp in that NF set: if no NF instance in the current NF set has requested an access Token, or the access Token has expired, the NRF issues an access Token directly to NFb; otherwise, the NRF forwards the Token request to the NF in the NF set that currently owns the access Token (NFa).
Step 303, forwarding the Token request.
The NRF determines that a valid access Token exists for the current NF set and is owned by NFa, and forwards the Token request to NFa.
Step 304, deleting the local access token.
NFa deletes the local access token.
It will be appreciated that if NFa is currently using the access token, it instead replies to the NRF with the second message refusing forwarding.
This application example is illustrated for the case in which NFa is not currently using the access token, so NFa deletes the local access token.
Step 305, sending a Token request acknowledgement.
NFa sends a Token request acknowledgement to the NRF, i.e. sends the NRF the first message confirming forwarding.
Step 306, forwarding the access token.
The NRF forwards the access token to NFb based on the received first message.
Step 307, sending the forwarding result.
After receiving the access token, NFb sends the forwarding result (e.g. an acknowledgement that the access token was received) to the NRF.
Step 308, recording the Token state.
The NRF records and updates the state of the access token based on the forwarding result sent by NFb.
Step 309, a service request is sent.
NFb sends a service request to NFp based on the received access token.
Step 310, a service response is returned.
NFp authenticates the service request based on the access token carried by the service request, and if the authentication is passed, a service result corresponding to the service request is returned; if the authentication is not passed, a response message that the service request is refused is returned.
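The exchange described in steps 101 to 103, steps 201 to 202 and the application example of steps 301 to 310, as an added single-process simulation that is not part of the patent and not code from China Mobile or any 3GPP implementation. The class and function names (NRF, ConsumerNF, token_request, verify_token), the constructed addresses and the toy HMAC-signed token format are assumptions made for this example only; the real access token of 3GPP TS 33.501 is a signed JSON Web Token, which the toy format merely stands in for. The simulation covers the paths the text describes: fresh issue when no token exists, refusal while the holder is using the token, forwarding after the holder confirms and deletes its copy, forwarding when the holder does not answer within the set period, re-issue after expiry, rejection of a requester that is not a registered member of the set, and the producer-side check of step 310.

```python
# Added example (not the patent's code): simulation of NF-set access token sharing via the NRF.
# Class/function names, the token format and all addresses are constructed assumptions.
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple


def _sign(claims: dict, key: bytes) -> str:
    """Toy stand-in for the NRF-issued OAuth 2.0 token: base64 JSON claims plus an HMAC tag."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_token(token: str, key: bytes, audience: str, now: float) -> bool:
    """Producer-side check (step 310): valid tag, token issued for this producer, not expired."""
    parts = token.split(".")
    if len(parts) != 2:
        return False
    body, tag = parts
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims.get("aud") == audience and claims.get("exp", 0) > now


class ConsumerNF:
    """A member of the service consumer NF set (NFa / NFb in the application example)."""

    def __init__(self, addr: str, nf_set: str) -> None:
        self.addr = addr
        self.nf_set = nf_set
        self.token: Optional[str] = None
        self.busy = False        # True while the token is in use (e.g. controlling an N4 connection)
        self.reachable = True    # False simulates a network failure: no reply within the set period

    def on_forwarded_request(self) -> Optional[str]:
        """Steps 201-202: CONFIRM if the token is idle (and delete the local copy, step 304),
        REFUSE if it is in use, None if no response reaches the NRF within the set period."""
        if not self.reachable:
            return None
        if self.busy:
            return "REFUSE"
        self.token = None
        return "CONFIRM"


class NRF:
    """Holds the management information of the NF set: membership plus one token record per target NF."""

    def __init__(self, key: bytes, members: Dict[str, ConsumerNF], ttl: float = 3600.0) -> None:
        self.key = key
        self.ttl = ttl
        self.members = members                              # addr -> registered member of the set
        self.records: Dict[Tuple[str, str], dict] = {}      # (nf_set, target) -> token / exp / holder

    def token_request(self, requester: ConsumerNF, target: str, now: float) -> Tuple[str, Optional[str]]:
        """Steps 101-103 with the membership check and the confirm-before-forward mechanism."""
        # Identity authentication: only a registered member of the set may obtain its tokens.
        if self.members.get(requester.addr) is not requester:
            return "REJECT", None
        rec = self.records.get((requester.nf_set, target))
        if rec is None or rec["exp"] <= now:
            # No token, or an expired one: generate a fresh token and keep a backup in the record.
            claims = {"iss": "NRF", "sub": requester.nf_set, "aud": target, "exp": now + self.ttl}
            token = _sign(claims, self.key)
            self.records[(requester.nf_set, target)] = {"token": token, "exp": now + self.ttl,
                                                        "holder": requester.addr}
            requester.token = token
            return "ISSUED", token
        holder = self.members[rec["holder"]]
        if holder is not requester:
            answer = holder.on_forwarded_request()          # step 303: forward the request to the holder
            if answer == "REFUSE":
                return "REJECT", None                       # third message: the requester may retry later
            # CONFIRM, or no answer within the set period (holder treated as failed): forward the backup.
            rec["holder"] = requester.addr                  # step 308: record the new holder
            requester.token = rec["token"]
        return "FORWARDED", rec["token"]


def run_scenario() -> Dict[str, object]:
    """Constructed walk-through: issue, refuse while busy, forward when idle, timeout, expiry, outsider."""
    key = b"constructed-demo-key"
    nfa = ConsumerNF("nfa.example", "smf-set-1")
    nfb = ConsumerNF("nfb.example", "smf-set-1")
    nrf = NRF(key, {nfa.addr: nfa, nfb.addr: nfb})
    t0 = 1_000_000.0
    out: Dict[str, object] = {}
    out["first"] = nrf.token_request(nfa, "nfp.example", t0)[0]                     # ISSUED
    nfa.busy = True
    out["busy"] = nrf.token_request(nfb, "nfp.example", t0 + 1)[0]                  # REJECT
    nfa.busy = False
    out["idle"] = nrf.token_request(nfb, "nfp.example", t0 + 2)[0]                  # FORWARDED
    out["a_cleared"] = nfa.token is None                                             # NFa deleted its copy
    out["producer_ok"] = verify_token(nfb.token, key, "nfp.example", t0 + 3)        # True
    out["wrong_audience"] = verify_token(nfb.token, key, "other.example", t0 + 3)   # False
    nfb.reachable = False
    out["timeout"] = nrf.token_request(nfa, "nfp.example", t0 + 4)[0]               # FORWARDED
    out["expired"] = nrf.token_request(nfb, "nfp.example", t0 + 4000)[0]            # ISSUED (new token)
    outsider = ConsumerNF("rogue.example", "smf-set-1")                              # never registered
    out["outsider"] = nrf.token_request(outsider, "nfp.example", t0)[0]             # REJECT
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Two points of the design are worth noting from a defender's view. The membership check runs before the token record is consulted, so a requester the NRF has not registered never learns whether a token for the target exists. And the timeout branch, which the text allows so that a failed holder does not block the set, means the record names a new holder while the unreachable NF may still keep its copy; the token's validity period is what bounds that overlap, which is one reason to keep the period short.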
In order to implement the NF access control method of the embodiment of the present application, the embodiment of the present application further provides an NF access control device, where the NF access control device corresponds to the NF access control method, and each step in the NF access control method embodiment is also completely applicable to the NF access control device embodiment of the present application.
As shown in fig. 4, the access control device of the NF may be applied to the NRF and includes: a first acquisition module 401, a query module 402 and a first processing module 403. The first obtaining module 401 is configured to obtain a first request sent by a first NF in the NF set, where the first request is used to request an access token of a target NF; the query module 402 is configured to query whether the NF set has a valid access token of the target NF based on the first request and management information of the NF set; the first processing module 403 is configured to send the stored valid access token to the first NF if it is determined that the NF set has the valid access token of the target NF.
Illustratively, the first processing module 403 is further configured to:
if it is determined that the NF set does not have the access token of the target NF, or that the access token of the target NF it has is expired, generate the access token of the target NF based on the first request and send it to the first NF.
Illustratively, before the first processing module 403 sends the stored valid access token to the first NF, it is further configured to:
forwarding the first request to a second NF in the NF set currently having a valid access token;
based on the response message returned by the second NF, it is determined whether to send the stored valid access token to the first NF.
Illustratively, the first processing module 403 determines, based on the response message returned by the second NF, whether to send the stored valid access token to the first NF, including:
if the response message returned by the second NF is the first message confirming forwarding, or no response message from the second NF is received within a set time period, sending the stored valid access token to the first NF; or
if the response message returned by the second NF is the second message refusing forwarding, sending a third message refusing the first request to the first NF.
Illustratively, the first processing module 403 is further configured to:
The management information of the NF set is updated based on the transmission information of the valid access token or the transmission information of the newly generated access token.
Illustratively, the first processing module 403 is further configured to:
an access token generated based on the first request is stored.
Illustratively, the first processing module 403 is further configured to: performing identity authentication on the first NF based on the first request and management information of the NF set; if it is determined that the first NF belongs to the NF set, then the querying module 402 queries whether the NF set has a valid access token for the target NF based on the first request and management information of the NF set.
In practical application, the first obtaining module 401, the querying module 402, and the first processing module 403 may be implemented by a processor in an access control device of NF. Of course, the processor needs to run a computer program in memory to implement its functions.
In another embodiment, as shown in fig. 5, the access control device of the NF may be applied to the NF in the NF set that currently holds a valid access token, and includes: a second acquisition module 501 and a second processing module 502. The second obtaining module 501 is configured to obtain a first request forwarded by the NRF from a first NF in the NF set, where the first request is used to request an access token of a target NF; the second processing module 502 is configured to return a response message to the NRF based on the usage status of the currently held valid access token of the NF set for the target NF, where the response message indicates whether the NRF forwards the stored valid access token.
Illustratively, the second processing module 502 is specifically configured to:
if it is determined that the valid access token is not being used, send a first message confirming forwarding to the NRF; or
if it is determined that the valid access token is being used, send a second message refusing forwarding to the NRF.
Illustratively, if it is determined that the valid access token is not being used, the second processing module 502 is further configured to delete the locally stored valid access token.
In practical application, the second obtaining module 501 and the second processing module 502 may be implemented by a processor in an NF access control apparatus. Of course, the processor needs to run a computer program in memory to implement its functions.
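As an added illustration of the message flow of steps 303 to 310 and of the module split of figs. 4 and 5 (example code written for this page, not the applicants' implementation), the following Python simulates the NRF, the members of one NF set and the target NF NFp; the message names, the in-memory layout of the management information, the token format and the controllable expiry clock are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

CONFIRM, DENY = "confirm_forwarding", "refuse_forwarding"  # first / second message

@dataclass
class AccessToken:
    value: str          # opaque token string (constructed; not a real 3GPP token format)
    target_nf: str      # the target NF (NFp) this token grants access to
    expires_at: float   # expiry on the NRF's clock

@dataclass
class NFSetInfo:
    """Management information the NRF keeps for one NF set (assumed layout)."""
    members: Set[str]
    tokens: Dict[str, AccessToken] = field(default_factory=dict)  # target NF -> token
    holders: Dict[str, str] = field(default_factory=dict)         # target NF -> holder

class ConsumerNF:
    """An NF of the set; as current holder it plays the role of module 502."""
    def __init__(self, nf_id: str, answers_nrf: bool = True) -> None:
        self.nf_id = nf_id
        self.answers_nrf = answers_nrf  # False models a reply lost past the set period
        self.local_tokens: Dict[str, AccessToken] = {}
        self.in_use: Set[str] = set()   # target NFs whose token is in use right now

    def on_forwarded_request(self, target_nf: str) -> Optional[str]:
        if not self.answers_nrf:
            return None                 # no response within the set time period
        if target_nf in self.in_use:
            return DENY                 # second message: the token is busy
        self.local_tokens.pop(target_nf, None)  # step 304: delete the local copy
        return CONFIRM                  # step 305: first message confirming forwarding

    def receive_token(self, tok: AccessToken) -> str:
        self.local_tokens[tok.target_nf] = tok
        return "received"               # step 307: forwarding result sent to the NRF

class NRF:
    """Modules 401-403: obtain the request, query the set, decide what to send."""
    def __init__(self, nf_sets: Dict[str, NFSetInfo], nfs: Dict[str, ConsumerNF],
                 ttl: float = 600.0) -> None:
        self.nf_sets, self.nfs, self.ttl = nf_sets, nfs, ttl
        self.issued: Dict[str, AccessToken] = {}  # every token this NRF generated
        self.clock = 0.0                # controllable clock so expiry can be exercised

    def is_valid(self, tok: AccessToken) -> bool:
        return self.issued.get(tok.value) is tok and tok.expires_at > self.clock

    def handle_token_request(self, set_id: str, requester_id: str,
                             target_nf: str) -> Tuple[str, Optional[AccessToken]]:
        info = self.nf_sets[set_id]
        if requester_id not in info.members:  # identity authentication of the first NF
            return "rejected", None
        tok = info.tokens.get(target_nf)
        if tok is None or not self.is_valid(tok):
            # No valid token in the set: generate, store and send a new one
            tok = AccessToken(secrets.token_urlsafe(16), target_nf, self.clock + self.ttl)
            info.tokens[target_nf] = self.issued[tok.value] = tok
        elif info.holders.get(target_nf) not in (None, requester_id):
            holder = self.nfs[info.holders[target_nf]]
            if holder.on_forwarded_request(target_nf) == DENY:  # step 303
                return "rejected", None     # third message: first request refused
            # CONFIRM, or no reply within the set period: forward the stored token
        if self.nfs[requester_id].receive_token(tok) == "received":  # step 306
            info.holders[target_nf] = requester_id  # step 308: update management info
        return "token", tok

class ProducerNF:
    """NFp: authenticates a service request by the token it carries (step 310)."""
    def __init__(self, nf_id: str, nrf: NRF) -> None:
        self.nf_id, self.nrf = nf_id, nrf

    def handle_service_request(self, tok: AccessToken) -> str:
        ok = tok.target_nf == self.nf_id and self.nrf.is_valid(tok)
        return "service_result" if ok else "refused"
```

The holder's busy/idle state and the lost-reply case drive the three outcomes of claim 4 (forward on confirmation, forward after the set period, refuse with the third message), and advancing the clock past the TTL shows the regeneration path of claim 2.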
It should be noted that: in the NF access control device provided in the above embodiment, only the division of each program module is used for illustration when performing NF access control, in practical application, the processing allocation may be performed by different program modules according to needs, that is, the internal structure of the device is divided into different program modules, so as to complete all or part of the processing described above. In addition, the embodiments of the NF access control apparatus and the NF access control method provided in the foregoing embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not described herein again.
Based on the hardware implementation of the program modules, and in order to implement the method of the embodiment of the present application, the embodiment of the present application further provides a first network function device. Fig. 6 shows only an exemplary structure of the first network function device, not all of which may be implemented as needed.
As shown in fig. 6, a first network function device 600 provided in an embodiment of the present application includes: at least one processor 601, a memory 602, a user interface 603 and at least one network interface 604. The various components in the first network function device 600 are coupled together by a bus system 605. It is understood that the bus system 605 is used to enable connected communications between these components. The bus system 605 includes a power bus, a control bus, and a status signal bus in addition to a data bus. But for clarity of illustration the various buses are labeled as bus system 605 in fig. 6.
The user interface 603 may include, among other things, a display, keyboard, mouse, trackball, click wheel, keys, buttons, touch pad, or touch screen, etc.
The memory 602 in the embodiment of the present application is used to store various types of data to support the operation of the first network function device. Examples of such data include: any computer program for operating on a first network function device.
For example, the first network function device may be an NRF, and the NF access control method applied on the NRF side disclosed in the embodiments of the present application may be applied to the processor 601 or implemented by the processor 601. The processor 601 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the NF access control method may be accomplished by integrated logic circuitry of hardware in the processor 601 or by instructions in the form of software. The processor 601 may be a general purpose processor, a digital signal processor (DSP, Digital Signal Processor), or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, or the like. The processor 601 may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly embodied in a hardware decoding processor or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, where the storage medium is located in the memory 602, and the processor 601 reads information in the memory 602 and, in combination with hardware, performs the steps of the NF access control method provided in the embodiments of the present application.
In an exemplary embodiment, the first network function device may be implemented by one or more application specific integrated circuits (ASIC, Application Specific Integrated Circuit), DSPs, programmable logic devices (PLD, Programmable Logic Device), complex programmable logic devices (CPLD, Complex Programmable Logic Device), field programmable gate arrays (FPGA, Field Programmable Gate Array), general purpose processors, controllers, microcontrollers (MCU, Micro Controller Unit), microprocessors (Microprocessor), or other electronic elements for performing the aforementioned methods.
Based on the hardware implementation of the program modules, and in order to implement the method of the embodiment of the present application, the embodiment of the present application further provides a second network function device. Fig. 7 shows only an exemplary structure of the second network function device, not all of which may be implemented as needed.
As shown in fig. 7, a second network function device 700 provided in an embodiment of the present application includes: at least one processor 701, memory 702, a user interface 703, and at least one network interface 704. The various components in the second network function device 700 are coupled together by a bus system 705. It is to be appreciated that the bus system 705 is employed to facilitate connection communications between these components. The bus system 705 includes a power bus, a control bus, and a status signal bus in addition to the data bus. But for clarity of illustration, the various buses are labeled as bus system 705 in fig. 7.
The user interface 703 may include, among other things, a display, keyboard, mouse, trackball, click wheel, keys, buttons, touch pad, or touch screen, etc.
The memory 702 in the embodiments of the present application is used to store various types of data to support the operation of the second network function device. Examples of such data include: any computer program for operating on the second network function device.
For example, the second network function device may be the NF in the NF set that currently holds a valid access token, and the NF access control method applied on the NF side disclosed in the embodiments of the present application may be applied to the processor 701 or implemented by the processor 701. The processor 701 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the NF access control method may be performed by integrated logic circuits of hardware in the processor 701 or by instructions in the form of software. The processor 701 may be a general purpose processor, a digital signal processor (DSP, Digital Signal Processor), or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, or the like. The processor 701 may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly embodied in a hardware decoding processor or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, where the storage medium is located in the memory 702, and the processor 701 reads information in the memory 702 and, in combination with hardware, performs the steps of the NF access control method provided in the embodiments of the present application.
In an exemplary embodiment, the second network function device 700 may be implemented by one or more ASIC, DSP, PLD, CPLD, FPGA, general purpose processors, controllers, MCU, microprocessor, or other electronic elements for performing the foregoing methods.
It is to be appreciated that the memory 602, 702 can be either volatile memory or nonvolatile memory, and can include both volatile and nonvolatile memory. The nonvolatile memory may be read only memory (ROM, Read Only Memory), programmable read only memory (PROM, Programmable Read-Only Memory), erasable programmable read only memory (EPROM, Erasable Programmable Read-Only Memory), electrically erasable programmable read only memory (EEPROM, Electrically Erasable Programmable Read-Only Memory), magnetic random access memory (FRAM, Ferromagnetic Random Access Memory), flash memory (Flash Memory), magnetic surface memory, optical disk, or compact disc read only memory (CD-ROM, Compact Disc Read-Only Memory); the magnetic surface memory may be a disk memory or a tape memory. The volatile memory may be random access memory (RAM, Random Access Memory), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as static random access memory (SRAM, Static Random Access Memory), synchronous static random access memory (SSRAM, Synchronous Static Random Access Memory), dynamic random access memory (DRAM, Dynamic Random Access Memory), synchronous dynamic random access memory (SDRAM, Synchronous Dynamic Random Access Memory), double data rate synchronous dynamic random access memory (DDR SDRAM, Double Data Rate Synchronous Dynamic Random Access Memory), enhanced synchronous dynamic random access memory (ESDRAM, Enhanced Synchronous Dynamic Random Access Memory), synchronous link dynamic random access memory (SLDRAM, SyncLink Dynamic Random Access Memory), and direct Rambus random access memory (DRRAM, Direct Rambus Random Access Memory). The memory described in the embodiments of the present application is intended to comprise, without being limited to, these and any other suitable types of memory.
In an exemplary embodiment, the present embodiment further provides a storage medium, that is, a computer storage medium, which may specifically be a computer readable storage medium, for example including a memory 602 storing a computer program, where the computer program may be executed by the processor 601 of the first network function device 600 to complete the steps of the NF access control method applied on the NRF side in the present embodiment; as another example, including a memory 702 storing a computer program executable by the processor 701 of the second network function device 700 to perform the steps of the NF access control method applied on the NF side according to the embodiment of the present application. The computer readable storage medium may be ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disk, or CD-ROM.
It should be noted that: "first," "second," etc. are used to distinguish similar objects and not necessarily to describe a particular order or sequence.
In addition, the embodiments described in the present application may be arbitrarily combined without any collision.
The foregoing is merely a specific embodiment of the present application, but the protection scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered in the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (15)

1. An access control method for a network function, comprising:
acquiring a first request sent by a first NF in a network function NF set, wherein the first request is used for requesting an access token of a target NF;
querying whether the NF set has a valid access token of the target NF based on the first request and management information of the NF set;
and if the NF set is determined to have the valid access token of the target NF, the stored valid access token is sent to the first NF.
2. The method according to claim 1, wherein the method further comprises:
and if the NF set is determined not to have the access token of the target NF, or the access token of the target NF it has is expired, generating the access token of the target NF based on the first request and sending it to the first NF.
3. The method of claim 1, wherein prior to the sending the stored valid access token to the first NF, the method further comprises:
forwarding the first request to a second NF of the set of NFs that currently owns the valid access token;
and determining whether to send the stored valid access token to the first NF based on a response message returned by the second NF.
4. The method of claim 3, wherein the determining whether to send the stored valid access token to the first NF based on the response message returned by the second NF comprises:
if the response message returned by the second NF is a first message confirming forwarding, or no response message from the second NF is received within a set time period, sending the stored valid access token to the first NF; or
if the response message returned by the second NF is a second message refusing forwarding, sending a third message refusing the first request to the first NF.
5. The method according to claim 1, wherein the method further comprises:
and updating the management information of the NF set based on the transmission information of the effective access token or the transmission information of the newly generated access token.
6. The method according to claim 2, wherein the method further comprises:
an access token generated based on the first request is stored.
7. The method according to claim 1, wherein the method further comprises:
authenticating the first NF based on the first request and management information of the NF set;
And determining that the first NF belongs to the NF set, and inquiring whether the NF set has a valid access token of the target NF or not based on the first request and management information of the NF set.
8. An access control method for a network function, comprising:
acquiring a first request forwarded by a network storage function (NRF) from a first NF in a network function NF set, wherein the first request is used for requesting an access token of a target NF;
and returning a response message to the NRF based on the usage status of the currently held valid access token of the NF set for the target NF, wherein the response message indicates whether the NRF forwards the stored valid access token.
9. The method of claim 8, wherein the returning a response message to the NRF based on the usage status of the currently held valid access token of the NF set for the target NF comprises:
sending a first message confirming forwarding to the NRF if it is determined that the valid access token is not being used; or
sending a second message refusing forwarding to the NRF if it is determined that the valid access token is being used.
10. The method of claim 8, wherein if it is determined that the valid access token is not being used, the method further comprises:
And deleting the locally stored valid access token.
11. An access control device for a network function, comprising:
the first acquisition module is used for acquiring a first request sent by a first NF in the network function NF set, wherein the first request is used for requesting an access token of a target NF;
a query module, configured to query, based on the first request and management information of the NF set, whether the NF set has a valid access token of the target NF;
and the first processing module is used for sending the stored valid access tokens to the first NF if the NF set is determined to have the valid access tokens of the target NF.
12. An access control device for a network function, comprising:
a second obtaining module, configured to obtain a first request forwarded by a network storage function NRF from a first NF in a network function NF set, where the first request is used to request an access token of a target NF;
and a second processing module, configured to return a response message to the NRF based on the usage status of the currently held valid access token of the NF set for the target NF, wherein the response message indicates whether the NRF forwards the stored valid access token.
13. A network function device, comprising: a processor and a memory for storing a computer program capable of running on the processor, wherein,
the processor being adapted to perform the steps of the method of any of claims 1 to 7 when the computer program is run.
14. A network function device, comprising: a processor and a memory for storing a computer program capable of running on the processor, wherein,
the processor being adapted to perform the steps of the method of any of claims 8 to 10 when the computer program is run.
15. A storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the method of any of claims 1 to 10.
CN202111243072.5A 2021-10-25 2021-10-25 Access control method, device and storage medium for network function Pending CN116033426A (en)
Publications (1)

Publication Number Publication Date
CN116033426A true CN116033426A (en) 2023-04-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination