CN107147728A - A kind of management method of object storage system multi-tenant - Google Patents


Info

Publication number: CN107147728A
Authority: CN (China)
Prior art keywords: storage, tenant, user, module, storage user
Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Application number: CN201710396173.3A
Other languages: Chinese (zh)
Other versions: CN107147728B (en)
Inventor: 卢宇彤
Current assignee: Sun Yat Sen University (as listed by Google Patents)
Original assignee: Individual
Events: application filed by Individual; priority to CN201710396173.3A; publication of CN107147728A; application granted; publication of CN107147728B; current legal status: Active.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/01: Protocols
    • H04L 67/10: Protocols in which an application is distributed across nodes in the network
    • H04L 67/1097: Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 30/00: Commerce
    • G06Q 30/06: Buying, selling or leasing transactions
    • G06Q 30/0645: Rental transactions; Leasing transactions
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/50: Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L 41/508: Network service management based on type of value added network service under agreement
    • H04L 41/5096: Network service management based on type of value added network service under agreement wherein the managed service relates to distributed or central networked applications

Abstract

The present invention relates to a management method for multi-tenancy in an object storage system. It comprises an initialization step and a specific implementation step, the initialization step being the support for the implementation step. To address the problem that the tenant management native to distributed storage is too simple, a unified multi-tenant layer provides a variety of roles and complete functionality to meet multi-tenant management requirements. To address the problem of managing multi-tenancy uniformly across multiple storage systems, the invention provides, downwards, a customizable storage driver module that connects to different storage systems and, upwards, a unified access interface, so that storage users can easily use the unified multi-tenant management together with the back-end storage. At the same time, the invention uses a new request parsing method: a mainstream interface specification can be used simply by modifying its request parameters according to a rule. To address the low management efficiency of traditional database-based multi-tenancy, a hash-based management approach is used to improve the efficiency of multi-tenant management.

Description

A management method for object storage system multi-tenancy
Technical field
The present invention relates to the field of distributed computer storage, and in particular to a method that provides unified, transparent multi-tenant management for different distributed storage systems.
Background technology
Multi-tenancy, as a key feature of cloud computing, mainly provides resource isolation, data isolation and quality-of-service isolation, so that upper-layer applications such as virtual machines and containers can use the cloud computing system as expected and safely. Multi-tenant management therefore plays a very important role in cloud computing systems. Current storage multi-tenancy has several main problems. First, distributed storage systems mostly provide only simple tenant management, while in practice the structure of tenants is often more complex, which means the storage system's native tenant management cannot meet practical needs at all. Second, a cloud computing system may use different distributed storage systems for different scenarios, and each storage system has to do its own multi-tenant management; managing storage resources becomes very inconvenient and the cost of development and operations rises. Third, traditional multi-tenant technology is implemented on top of a database, so when the number of tenants is large or their structure is complex, database and table sharding has to be done to limit the impact on multi-tenant management efficiency, which brings considerable overhead. A multi-tenant management method that solves the above problems is therefore urgently needed.
Summary of the invention
In view of this, the present invention provides a management method for object storage system multi-tenancy that solves or partly solves the above problems.
To achieve the effect of the above technical solution, the technical solution is: a management method for object storage system multi-tenancy, comprising: first carrying out an initialization step, then carrying out the specific steps;
First, the initialization step is as follows:
1) Initialize the multi-tenant layer. The multi-tenant layer includes a public storage space and a number of users; users can store data in the public storage space. Users are represented by user roles, and a tenant is equivalent to a set of users. User roles are divided into three types: organization administrator, tenant administrator and storage user. The organization administrator and the tenant administrators are special storage users that manage storage users. The organization administrator is a global administrator role; a tenant administrator is a storage user to whom the organization administrator has granted tenant administration authority, has all the functions of a storage user, and additionally has administration authority over the tenant's public storage space. A storage user is a user of the storage service who can use the storage system within the allocated storage resources. The storage system is a distributed storage system;
2) Establish the tenant structure. The tenant structure is a tree representing the structural relationships of users, called the organization structure tree. It consists of one root node, multiple non-leaf nodes and leaf nodes: the root node forms the root of the organization structure tree, which is its top layer; the non-leaf nodes form its multiple intermediate layers; the leaf nodes form its bottom layer. The root node represents the organization administrator, non-leaf nodes represent tenant administrators, and leaf nodes represent storage users;
Second, the specific implementation steps are:
1) Create the organization administrator and, at the same time, the organization administrator's main parameters, including: the account and password of the tenant structure, the total storage size of the tenant structure, the default size of the tenant public space and its maximum and minimum, and the default size of a storage user's storage space and its maximum and minimum. The organization administrator's main parameters are global parameters. The organization administrator holds the highest authority, which includes: creating, modifying and querying the tenants and storage users in the tenant structure; creating, modifying and querying the subordination relationships between tenants and storage users; and modifying and querying the global parameters. Subordination relationships are reflected directly in the organization structure tree;
2) Log in as the organization administrator created in step 1). The organization administrator initializes the storage pool of the tenant structure and sends a request to initialize the tenant structure's storage pool to the gateway module, where the storage pool is used to store the tenant structure and the gateway module is the unified multi-tenant layer. The organization administrator describes the internal structure of the tenant structure in an XML file; after receiving the request to initialize the tenant structure's storage pool, the gateway module parses the XML file;
3) The gateway module converts the request to initialize the tenant structure's storage pool into multiple sub-operation requests and distributes them to the other modules for execution. Sub-operation requests are mainly of two types. The first type turns a node in the organization structure tree into an operation to create a tenant or an operation to create a storage user; these operations are sent to the organization management module, and the creation parameters include the storage user's ID and its corresponding storage quota. The second type exists to achieve tenant data isolation: a permission authentication code must be created for every path in the organization structure tree, and an operation code is generated for each operation, where operations include read and write operations. Tenant data isolation is achieved by matching the permission authentication code of the tenant's path in the organization structure tree against the operation code;
The gateway module sends the permission authentication information request generated for the tenant to the permission authentication module; the main request parameters of the permission authentication information request include the storage user's ID and its path in the organization structure tree;
4) The organization management module performs multi-tenant management with a hash-based management method, which mainly comprises the following steps. First, the organization management module receives the operation to create a tenant or to create a storage user sent by the gateway module; creating a tenant is equivalent to creating storage users repeatedly. A storage user's path in the organization structure tree is represented in the form of a file path, '/tenant structure org1/first-level tenant tenant1/second-level tenant tenant2/storage user storage_uid', meaning that storage user storage_uid belongs to tenant structure org1 and, within that organization structure, to first-level tenant tenant1 and second-level tenant tenant2; first-level tenant tenant1 is the top-level organization administrator of the organization structure tree in which the storage user sits, and second-level tenant tenant2 is the tenant administrator in the intermediate layer of that organization structure tree;
Then the organization management module creates and maintains a storage user information table, which contains the storage user's ID, the storage user's key, the storage user's storage quota and the storage user's permissions, where the storage user's ID is represented by the storage user's path in the organization structure tree, and the storage user's permissions contain the storage spaces on which the storage user may perform storage operations;
Finally, the organization management module writes the storage user information table into the initialized storage pool of the tenant structure;
5) The permission authentication module initializes the storage user's permissions, with the following specific steps:
5.a) After receiving the permission authentication information request sent by the gateway module, the permission authentication module extracts the storage user's position contained in it, i.e. its path in the organization structure tree, and at the same time generates a key pair for the storage user;
5.b) The storage user's permission authentication codes are generated from the storage user's path in the organization structure tree and the key. The specific method is: for every level of sub-path of the storage user, starting from the root of the organization structure tree, if the sub-path is not the full path, i.e. it is a tenant in an upper layer of the organization structure tree in which the storage user sits, the sub-path is granted read permission; if the sub-path is the full path, i.e. the sub-path is the storage user's private space, where a private space means that other tenants are not allowed to use the sub-path, the sub-path is granted read-write permission. Read permission and read-write permission are both permissions granted to sub-paths;
5.c) The permission authentication code generation process splices the key pair and the permission granted to the sub-path into a pre-processed string and then computes the hash value of the pre-processed string. In detail: first, a permission authentication code generation function is created, which generates the permission authentication codes by traversing all sub-paths in the organization structure tree starting from the first-level path. According to step 5.b), if a sub-path is not the full path it is granted read permission, and its permission authentication code is: storage user's key pair + '@' + sub-path + 'r', where r denotes read permission; if the sub-path is the full path it is granted read-write permission, and its permission authentication code is: storage user's key pair + '@' + sub-path + 'rw', where 'rw' denotes read-write permission. After all sub-paths have been traversed, the permission authentication codes generated for the sub-paths at every level are all written into the user's permission authentication table. Each storage user owns a permission authentication table, which stores that storage user's permission authentication codes;
6) After step 5) is completed, step 6) notifies the gateway management module. The gateway management module manages the gateway module and can request the storage driver module to initialize the tenants and storage users in the underlying distributed storage system. The storage driver module calls different drivers according to the different underlying distributed storage systems and performs the related operations in the different underlying distributed storage systems through the corresponding driver; the related operations include creating the users in the underlying distributed storage system, allocating storage quotas and setting the creation parameters;
7) After initialization in the underlying distributed storage system is complete, storage users can use the storage service through the unified multi-tenant layer. To access the underlying distributed storage system a storage user must provide the required parameters, i.e. it sends an access request to the underlying distributed storage system through the gateway module, and the access request contains the required parameters: the storage user's ID, the storage user's key and the access object path, where the access object path is equivalent to a path in the storage user's organization structure tree. The gateway module in the multi-tenant layer supports a standard-compatible S3 interface; a storage user can call the S3 interface, using the storage user's ID and key as the ID and key parameter values of the S3 interface and packaging the access object path as the key parameter of the S3 interface, and sends the packaged request to the address of the gateway module;
8) After receiving the access request, the gateway module extracts from it the storage user's ID, the storage user's key and the access object path, generates the access mode, and sends these together as a storage request authentication to the permission authentication module for permission authentication. The access mode includes read, write and modify operations;
9) The permission authentication module performs operation permission authentication; its specific steps are as follows:
9.1) The permission authentication module receives the storage request authentication sent by the gateway module and generates an authentication operation code from the specific storage request authentication. The generation process is: first, an operation string is formed from the storage user's key and the access object path: operation string = storage user's key pair + '@' + access object path + <op>, where <op> is the concrete operation, comprising the read and write operations in the access mode; 'r' is the write operation and 'w' is the read operation;
9.2) From the operation string generated in step 9.1), the hash value of this storage request authentication, i.e. the hash value of the operation string, is computed with the hash function and used as the authentication operation code, which is matched against the storage user's permission authentication table. If a permission authentication code in the permission authentication table matches the authentication operation code, the storage request authentication is legal; otherwise it is illegal. Whether the authentication is legal is sent to the gateway module as the permission authentication result;
10) After receiving the permission authentication result sent by the permission authentication module: if the storage request authentication is illegal, the gateway module notifies the storage user that the access failed and returns a description stating that the permission authentication code and the operation code do not match; if the storage request authentication is legal, the gateway module forwards the concrete operation of the operation string to the storage system driver module for execution;
11) According to the required parameters in the access request, the storage system driver module calls the interface of the corresponding underlying distributed storage system to perform the concrete operation of the operation string, and finally returns the result to the storage user.
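The permission-code generation of steps 5.b) and 5.c) and the request authentication of steps 9.1) and 9.2), written out as an added Python example that is not code from the patent. It assumes SHA-256 as the hash function, a single secret string standing in for the storage user's key pair, and 'r'/'rw' as the operation tokens on both the generation and the request side; the paths and key are constructed samples.

```python
import hashlib
from typing import Dict, Iterator, Optional, Set

# Assumed shape of the permission authentication table of step 5.c:
# storage-user ID (its path in the organization structure tree) -> set of codes.
PermissionTable = Dict[str, Set[str]]


def normalize(path: str) -> Optional[str]:
    """Canonicalize a tree path. Empty paths and '.'/'..' segments are rejected,
    so both code generation and lookup hash exactly one spelling of a node."""
    parts = [p for p in path.split("/") if p]
    if not parts or any(p in (".", "..") for p in parts):
        return None
    return "/" + "/".join(parts)


def permission_code(user_key: str, subpath: str, right: str) -> str:
    """Step 5.c: splice key + '@' + sub-path + right into the pre-processed
    string and hash it. SHA-256 is an assumption; the page only says 'hash'."""
    preprocessed = f"{user_key}@{subpath}{right}"
    return hashlib.sha256(preprocessed.encode("utf-8")).hexdigest()


def subpaths(full_path: str) -> Iterator[str]:
    """Every sub-path from the first-level path down to the full path, e.g.
    /org1/tenant1/tenant2/storage_uid -> /org1, /org1/tenant1, ... (step 5.c)."""
    parts = full_path.split("/")[1:]
    for depth in range(1, len(parts) + 1):
        yield "/" + "/".join(parts[:depth])


def build_permission_codes(user_key: str, user_path: str) -> Set[str]:
    """Step 5.b: tenant levels above the user get read ('r'); the full path,
    the user's private space, gets read-write. Assumption: read-write is stored
    as both an 'r' and an 'rw' code so reads and writes on it both match."""
    full = normalize(user_path)
    if full is None:
        raise ValueError(f"illegal storage user path: {user_path!r}")
    codes: Set[str] = set()
    for sub in subpaths(full):
        codes.add(permission_code(user_key, sub, "r"))
        if sub == full:
            codes.add(permission_code(user_key, sub, "rw"))
    return codes


def authorize(table: PermissionTable, user_id: str, user_key: str,
              object_path: str, op: str) -> bool:
    """Steps 9.1/9.2: hash key + '@' + object path + <op> and look the digest
    up in the user's table. Assumption: <op> is 'r' for a read and 'rw' for a
    write, the same tokens used when the codes were generated."""
    codes = table.get(user_id)
    path = normalize(object_path)
    if codes is None or path is None or op not in ("r", "rw"):
        return False
    # A wrong key, another tenant's path, or a write to a read-only level all
    # hash to a digest that is simply absent from the table.
    return permission_code(user_key, path, op) in codes


def demo() -> Dict[str, bool]:
    """Constructed sample: the storage user from step 4 of the description."""
    user_id = "/org1/tenant1/tenant2/storage_uid"   # the ID is the tree path
    user_key = "constructed-sample-secret"          # constructed, not real
    table: PermissionTable = {user_id: build_permission_codes(user_key, user_id)}
    return {
        "read_parent_tenant": authorize(table, user_id, user_key, "/org1/tenant1", "r"),
        "write_parent_tenant": authorize(table, user_id, user_key, "/org1/tenant1", "rw"),
        "write_own_space": authorize(table, user_id, user_key, user_id, "rw"),
        "read_sibling_tenant": authorize(table, user_id, user_key, "/org1/tenant1/tenant3/x", "r"),
        "dotdot_path": authorize(table, user_id, user_key, "/org1/tenant1/../tenant3/x", "r"),
        "wrong_key": authorize(table, user_id, "another-key", user_id, "r"),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:>20}: {'allow' if allowed else 'deny'}")
```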
The useful effects of the present invention are: the management method for object storage system multi-tenancy provided by the present invention offers a unified, efficient and customizable solution to the multi-tenancy problems present in current distributed storage systems. The method mainly comprises a unified object storage multi-tenant management interface, an efficient multi-tenant management technique and an extensible heterogeneous storage system driver technique; these three main techniques respectively solve the problems of insufficient multi-tenant functionality, low management efficiency, and poor portability and extensibility in current storage systems.
Brief description of the drawings
Fig. 1 is a structure diagram of the object storage multi-tenant management layer of the present invention;
Fig. 2 is a schematic diagram of the steps of a read-write operation of the present invention.
Embodiment
In order to make the technical problems to be solved, the technical solutions and the advantages clearer, the present invention is described in detail below with reference to embodiments and the accompanying drawings. It should be noted that the specific embodiments described here are only intended to explain the present invention, not to limit it; products that can achieve the above functions count as equivalent substitutions and improvements and fall within the protection scope of the present invention. The specific method is as follows:
Embodiment 1: Cloud computing, as one development direction of the computer field, has gradually moved from theoretical research to deployed products. Its core concepts are summarized as three levels: infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). Alongside these core concepts, corresponding technologies such as software-defined networking (SDN) and software-defined storage (SDS) have emerged. While bringing benefits to users, the characteristics of cloud computing also pose new challenges to computer architecture, which covers computing, storage and networking. Under the new requirements many products and systems have emerged; typical ones include the virtual machine management framework OpenStack, the container runtime platform Docker and the container orchestration tool Kubernetes. Among these, virtual machine virtualization and container virtualization are the most central technologies of the cloud computing era.
The main technologies for virtual machine level virtualization are KVM, QEMU and the like, whose principle is to isolate hardware resources; the main technologies for containerization are LXC and Docker, which is built on LXC. A container is a lightweight form of virtualization with better portability and lower overhead than virtualization schemes such as KVM. The two virtualization modes have different application scenarios: virtual machine virtualization is mainly used in fields such as cloud desktops, while container virtualization is mainly used in fields such as service deployment. Both types of virtualization are the foundation of cloud computing.
Multi-tenancy, as a key feature of cloud computing, mainly provides resource isolation, data isolation and quality-of-service isolation, ensuring that upper-layer applications such as virtual machines and containers can use the cloud computing system as expected and safely; multi-tenant management therefore plays a very important role in cloud computing systems. In a storage system, multi-tenant management covers operations such as managing tenant storage locations, managing tenant storage quotas, managing tenant permissions, and creating, deleting and modifying tenants. For cloud computing users, multi-tenant management ensures that storage users can use the storage resources within their tenant normally and safely, and the efficiency of tenant management also affects the efficiency of the whole storage system; at this point the functions tenant management mainly provides include permission authentication of storage access operations and management of the user's tenant space. For cloud computing system administrators, multi-tenant management lets the administrator obtain and manage the tenant information of the whole storage system; at this point the functions tenant management mainly provides include creating, modifying and deleting tenants, setting and modifying tenant storage quotas, and setting and modifying tenant permissions.
A distributed storage system is an important component of a cloud computing system, so the management of the underlying distributed storage system also affects the performance of the whole cloud computing system. Because of differing business requirements, many distributed storage systems are used in cloud computing platforms. By storage type they can be divided into three kinds: file storage, object storage and block storage. File storage mainly provides a distributed storage system with a unified namespace and is mainly used in cloud computing scenarios that need shared files; typical file systems include HDFS, GlusterFS and CephFS. Object storage provides key-value style storage and is mainly used for unstructured data such as virtual machine images and container images; typical object storage systems include Ceph Object Storage, Swift and Dynamo. Block storage provides storage resources to users directly as block devices, after which the user manages the block device's address space independently; it is mainly used for mounting volumes on virtual machines and containers, and typical block storage systems include Ceph Block Storage and Sheepdog.
The current problems of storage multi-tenancy are mainly the following. First, most distributed storage systems provide only simple tenant management, while in practice the structure of tenants is often more complex, so the storage system's native tenant management cannot meet practical needs. Second, a cloud computing system may use different distributed storage systems for different scenarios, for example using Ceph for block storage and Swift for object storage at the same time, so each storage system has to do its own multi-tenant management, which makes storage resource management inconvenient and increases the cost of development and operations. Third, traditional multi-tenant technology is implemented on top of a database, so when the number of tenants is large or their structure is complex, database and table sharding is needed to limit the impact on multi-tenant management efficiency, which brings considerable overhead.
Aiming at the current state of multi-tenancy on distributed storage systems, the present invention uses a unified multi-tenant management layer to solve the three problems above. For the simplicity of the tenant management native to distributed storage, the unified multi-tenant layer provides a variety of roles and complete functionality to meet multi-tenant management requirements. For unified multi-tenant management across multiple storage systems, the invention provides, downwards, a customizable storage driver module that connects to different storage systems, and the server side can customize a suitable storage system driver according to actual conditions to meet different requirements; upwards it provides a unified access interface, so that storage users can easily use the unified multi-tenant management together with the back-end storage. At the same time, the invention uses a new request parsing method: a mainstream interface specification can be used simply by modifying its request parameters according to a rule; for example, a storage user using the S3 interface uses the unified multi-tenant management module. For the low management efficiency of traditional database-based multi-tenancy, the invention uses a hash-based management approach to improve the efficiency of multi-tenant management, so that even when the tenant scale grows or the tenant structure becomes complex, the efficiency of multi-tenant management is hardly affected.
Embodiment 2: This embodiment briefly explains some terms of the present invention. For convenience of management, a unified multi-tenant layer is used; the tenant layer contains a variety of tenants, and a tenant is essentially a set of users that owns a certain public storage space and a number of users. Users are represented by user roles. The present invention divides user roles into three types: organization administrator, tenant administrator and storage user. The first two types are essentially storage users, i.e. one or more storage users in a tenant can be authorized as tenant administrators, while the organization administrator is a global administrator role. A tenant administrator is a storage user to whom the organization administrator has granted tenant administration authority; besides the functions of an ordinary storage user, it also has administration authority over the tenant's public space. A storage user is the actual user of the storage service and can use the storage system within the allocated storage resources.
The organization user needs to manage all storage resources belonging to the organization, each tenant's storage resources, each storage user's storage resources, and the tenant structure, tenant administrators and storage users within the organization. The tenant structure can be regarded as a tree, called the organization structure tree, in which tenants are represented by non-leaf nodes and storage users by leaf nodes. As shown in Fig. 1, the object storage multi-tenant management layer includes a gateway module, an organization management module, a permission authentication module and a storage driver module; storage users deposit the content they need into the object storage system through the object storage multi-tenant management layer. Fig. 2 shows the specific steps of a read-write operation: to perform a read or write, the read-write request is first parsed; the operation type and operation path are obtained while parsing it and the operation code of this operation is generated; it is compared against the permission authentication codes in the system, and the result is finally to allow or refuse this read-write operation.
The specific implementation steps of the management method for object storage system multi-tenancy are:
1) Create the organization administrator. The main parameters needed for creation include the organization account and password, the organization's total storage space size, the tenant public space default size and its maximum and minimum, the storage user space default size and its maximum and minimum, and other global configuration. The organization administrator holds the highest authority; its main functions include creating, modifying and querying the tenants and storage users in the organization and the subordination relationships between them, i.e. the organization structure tree, and modifying and querying the global configuration.
2) Log in as the existing organization administrator. The organization administrator initializes the storage pool of the tenant structure according to the tenant structure its organization needs. The organization administrator describes the internal structure of the organization in an XML file; after the gateway module of the unified multi-tenant layer receives the request to initialize the tenant structure's storage pool, it parses the XML file of the organization structure.
3) The gateway module converts the request to initialize the tenant structure's storage pool into multiple sub-operation requests and distributes them to the appropriate modules for execution. Sub-operation requests are mainly of two types. First, a node in the organization structure tree is turned into a create-tenant or create-storage-user operation; the request for this operation is sent to the organization management module, and the creation parameters include the ID of the tenant or storage user and its corresponding storage quota. Second, to achieve tenant data isolation, a permission authentication code must be created for every path in the organization structure tree, and every storage operation such as a read or write generates an operation code; storage space isolation is achieved by matching the permission authentication code of the accessed location against the operation code. The gateway module sends the permission authentication information request generated for the tenant to the permission authentication module; the main request parameters include the storage ID and the user's path in the organization structure tree.
4) After the organization management module receives the tenant creation request sent by the gateway module, it first checks the legitimacy of the request. The checks cover the legitimacy of the tenant ID and of the storage quota setting: a quota may not exceed the maximum set by the organization manager, and the sum of the space of all tenants may not exceed the organization's total storage space. If an illegal operation is found, the organization initialization procedure is interrupted immediately. Each time the organization management module completes the initialization of a storage user, it requests the permission authentication module to initialize that storage user's access permission information.
5) After the permission authentication module receives the request for a tenant's permission authentication information sent by the gateway module, it creates, for each storage user, one permission authentication code for every level of sub-path along the user's path in the organization structure tree; by default a storage user has access rights to the tenant spaces on its path.
6) After a tenant or storage user has completed initialization in the organization management module and the permission authentication module, the gateway management module is notified. The gateway management module requests the storage driver module to initialize the tenant or storage user in the underlying distributed storage system. The storage driver module invokes a different driver for each kind of storage system and performs the corresponding operations in that storage system through the driver; these operations include creating the user in the storage system and setting its quota and related parameters.
7) Once initialization in the underlying distributed storage system is complete, the storage user can use the storage service through the unified tenant management layer. To access the storage system, the storage user must supply the necessary parameters in an access request sent through the gateway module to the storage system: the storage ID and key, and the path of the accessed object, which is written like a file path. The gateway module of the unified multi-tenant management layer supports a standard-compatible S3 interface: the storage user calls the S3 interface with its ID and key as the S3 ID and key parameter values, packs the accessed object path as the key parameter of the S3 interface, and sends the request to the gateway module's address.
8) After the gateway module receives the storage user's access request, it extracts the ID and key, the accessed object path and the access mode from the request and sends them to the permission authentication module as a storage authentication request for permission authentication. The access mode includes read, write, modify and so on.
9) After the permission authentication module receives the storage authentication request, it first checks the legitimacy of the storage user from the ID and key, then generates the operation code of this access from the accessed object path and the access mode and matches it against the permission authentication codes held by the storage user. If the operation code equals some permission authentication code, the access request is legal; otherwise it is illegal. The permission authentication result is reported to the gateway module.
10) After the gateway module receives the permission authentication result from the permission authentication module, if the request is illegal it notifies the storage user that access failed and returns a description of the failure reason; if the request is legal, the gateway module forwards the operation of the access request to the storage system driver module, which executes the corresponding operation.
11) The storage system driver module calls the interface of the corresponding storage system according to the storage system type, the access type and the object path in the access request, performs the access operation, and finally returns the result to the storage user.
The improvements of the above technical scheme of the present invention are as follows:
Step 4): in traditional multi-tenant management, the organization management module is based on database technology; the present invention instead performs multi-tenant management with a hash-based management method. The hash-based multi-tenant management method mainly comprises the following steps:
4.1) A storage user's position in the organization is represented in a form similar to a file path. For example, the path '/org1/tenant1/tenant2/storage_uid' denotes that storage user storage_uid belongs to organization org1 and, at the same time, sits under first-level tenant tenant1 and second-level tenant tenant2.
4.2) The organization management module then creates and maintains a storage user information table, whose main entries are the storage ID, the user's key information, and basic information such as the user's quota and permissions; the storage ID is represented by the storage user's path.
4.3) Finally, the organization management module writes the initial information of each storage user into the storage user information table.
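As an added example (not code from the patent), the following Python walks an organization structure file, applies the legitimacy checks of step 4) and builds the path-keyed storage user information table of steps 4.1)-4.3). The patent does not give the XML schema, so the element and attribute names are assumptions, and the sum-of-children check is generalized from the organization level to every tenant level.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample organization structure (assumed schema, not the patent's).
ORG_XML = """
<org id="org1" total_space="1000" tenant_max="600" tenant_min="10"
     user_max="100" user_min="1" user_default="50">
  <tenant id="tenant1" quota="500">
    <tenant id="tenant2" quota="200">
      <user id="storage_uid" quota="50"/>
      <user id="alice" quota="100"/>
    </tenant>
    <user id="bob"/>
  </tenant>
  <tenant id="tenant3" quota="300">
    <user id="carol" quota="20"/>
  </tenant>
</org>
"""

# Constructed illegal inputs: tenants over-commit the organization total,
# and an ID containing a path separator would collide with a sibling path.
OVERCOMMITTED_XML = """
<org id="o" total_space="100" tenant_max="100" tenant_min="1"
     user_max="100" user_min="1" user_default="10">
  <tenant id="a" quota="80"/><tenant id="b" quota="30"/>
</org>
"""
BAD_ID_XML = """
<org id="o" total_space="100" tenant_max="100" tenant_min="1"
     user_max="100" user_min="1" user_default="10">
  <tenant id="a/../b" quota="10"/>
</org>
"""


@dataclass
class StorageUser:
    path: str          # storage ID: the user's path in the organization tree
    quota: int
    permissions: list  # sub-paths on which the user may perform storage operations


class QuotaError(ValueError):
    """An illegal quota; the initialization procedure is interrupted."""


def parse_org(xml_text):
    """Validate the tree and return the storage user information table
    as a dict mapping storage ID (path) -> StorageUser."""
    root = ET.fromstring(xml_text)
    cfg = {k: int(v) for k, v in root.attrib.items() if k != "id"}
    table = {}

    def visit(node, prefix):
        node_id = node.attrib.get("id", "")
        if not node_id or "/" in node_id:
            raise ValueError(f"illegal ID {node_id!r}: must be non-empty and contain no '/'")
        path = prefix + "/" + node_id
        if node.tag == "user":
            quota = int(node.attrib.get("quota", cfg["user_default"]))
            if not cfg["user_min"] <= quota <= cfg["user_max"]:
                raise QuotaError(f"{path}: user quota {quota} outside the allowed range")
            # Every prefix of the path (organization and enclosing tenants) plus
            # the user's own leaf path form the user's permission set (step 5).
            parts = path.split("/")[1:]
            prefixes = ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]
            table[path] = StorageUser(path, quota, prefixes)
            return quota
        if node.tag == "tenant":
            quota = int(node.attrib["quota"])
            if not cfg["tenant_min"] <= quota <= cfg["tenant_max"]:
                raise QuotaError(f"{path}: tenant quota {quota} outside the allowed range")
        else:  # the organization root is bounded by total_space
            quota = cfg["total_space"]
        used = sum(visit(child, path) for child in node)
        if used > quota:
            raise QuotaError(f"{path}: children request {used} but quota is {quota}")
        return quota

    visit(root, "")
    return table


def init_error(xml_text):
    """Return the message that would interrupt initialization, or '' if legal."""
    try:
        parse_org(xml_text)
        return ""
    except ValueError as exc:  # QuotaError is a ValueError
        return str(exc)


if __name__ == "__main__":
    for storage_id, user in parse_org(ORG_XML).items():
        print(storage_id, user.quota, user.permissions)
    print(init_error(OVERCOMMITTED_XML))
    print(init_error(BAD_ID_XML))
```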
Step 5): the specific steps by which the permission authentication module initializes a storage user's permission information are improved as follows:
5.1) After the permission authentication module receives the initialize-storage-user request sent by the gateway module, it extracts the storage user's position from the request, that is, its absolute path in the organization structure tree, and generates a key pair for the storage user.
5.2) The storage user's permission authentication codes are generated from its path in the organization structure tree and its key information. Specifically, for every level of sub-path from the root of the organization structure tree down to the user: if the sub-path is not the full path, that is, it is an upper-level tenant of the storage user, read permission is granted for the sub-path; if the sub-path is the full path, that is, it is the storage user's private space, read-write permission is granted.
5.3) The permission authentication code is generated by concatenating the storage user's key and the permission granted to the sub-path into a preprocessing string and then computing the hash of that string. For example, if the user's absolute path is /org1/t1/t2/t3/user1, the permission authentication code generation function traverses all sub-paths of the absolute path starting from the first-level path. When it reaches /org1/t1, which is not the full path, read permission is granted and the permission authentication code is AuthNum = Hash("<access_key> + <secret_key> + '@' + '/org1/t1' + 'r'"); when it reaches /org1/t1/t2/t3/user1, which is the full path, the permission authentication code is AuthNum = Hash("<access_key> + <secret_key> + '@' + '/org1/t1/t2/t3/user1' + 'rw'"). After all sub-paths have been traversed, the permission authentication codes generated for the paths at each level are all written into the user's permission authentication table.
Step 9): the specific steps by which the permission authentication module performs operation permission authentication are improved as follows:
9.1) The permission authentication module receives the operation request sent by the gateway module and generates an operation code for the specific request. The generation process is: from the access path, the storage user's key and the access type, an operation string is formed as follows: op_str = <access_key> + <secret_key> + '@' + <path> + <op>, where access_key and secret_key are the storage user's key pair, path is the accessed position, expressed as the absolute path of the object within the storage system, and op is the type of request: 'r' is a write operation and 'w' is a read operation.
9.2) From the operation string generated in the previous step, the hash of the operation is computed with the hash function and used as the operation code of this operation request. The code is matched against the permission authentication table of the organization the storage user belongs to: if a permission authentication code in the table matches the operation code, the request is legal; otherwise it is illegal.
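As an added example (not code from the patent), the following Python implements the hash-based permission authentication of steps 5.2)-5.3) and 9.1)-9.2) together: code generation at initialization and operation-code matching at request time. Assumptions: SHA-256 stands in for the unspecified hash function; the 'r'/'rw' convention of step 5.3) is followed, so a write to the private space is requested as op 'rw'; the keys are constructed placeholders; and identity is checked with a constant-time comparison, which the patent does not spell out.

```python
import hashlib
import hmac


def hash_code(preprocessed):
    """Hash of a preprocessing string. SHA-256 is an assumption for this example."""
    return hashlib.sha256(preprocessed.encode("utf-8")).hexdigest()


def subpaths(abs_path):
    """All sub-paths from the first-level path down to the full path:
    '/org1/t1/t2' -> ['/org1', '/org1/t1', '/org1/t1/t2']."""
    parts = abs_path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def build_auth_table(access_key, secret_key, abs_path):
    """Steps 5.2/5.3: one permission authentication code per sub-path.
    Enclosing tenant paths get 'r'; the user's own (full) path gets 'rw'."""
    codes = set()
    for sub in subpaths(abs_path):
        perm = "rw" if sub == abs_path else "r"
        codes.add(hash_code(access_key + secret_key + "@" + sub + perm))
    return codes


def op_code(access_key, secret_key, path, op):
    """Steps 9.1/9.2: op_str = <access_key>+<secret_key>+'@'+<path>+<op>, then hash."""
    return hash_code(access_key + secret_key + "@" + path + op)


# Constructed registry standing in for the storage user information table:
# storage ID (the user's path) -> (access_key, secret_key, permission table).
USERS = {}


def register_user(abs_path, access_key, secret_key):
    USERS[abs_path] = (access_key, secret_key,
                       build_auth_table(access_key, secret_key, abs_path))


def authenticate(storage_id, access_key, secret_key, path, op):
    """Step 9: verify the user's identity first, then match this request's
    operation code against the user's permission authentication codes.
    Returns True when the access is legal."""
    entry = USERS.get(storage_id)
    if entry is None:
        return False
    ak, sk, codes = entry
    # Constant-time comparison of the presented key pair (practitioner hardening).
    if not (hmac.compare_digest(ak, access_key) and hmac.compare_digest(sk, secret_key)):
        return False
    # A code only exists for the user's own sub-paths with the granted permission,
    # so a request outside the user's path or with a stronger permission fails.
    return op_code(access_key, secret_key, path, op) in codes


# Constructed sample users and placeholder keys (not real credentials).
register_user("/org1/t1/t2/t3/user1", "AKIAEXAMPLE", "secretEXAMPLE")
register_user("/org1/t4/user2", "AKIAOTHER", "secretOTHER")

if __name__ == "__main__":
    uid, ak, sk = "/org1/t1/t2/t3/user1", "AKIAEXAMPLE", "secretEXAMPLE"
    for path, op in [("/org1/t1", "r"),                  # read an enclosing tenant: legal
                     ("/org1/t1/t2/t3/user1", "rw"),     # read-write own private space: legal
                     ("/org1/t1", "rw"),                 # write to a parent tenant: illegal
                     ("/org1/t4", "r")]:                 # read another tenant's space: illegal
        print(path, op, authenticate(uid, ak, sk, path, op))
```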
Although preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the embodiments of the present invention without departing from the spirit and scope of those embodiments. Thus, if these modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include these changes and modifications.

Claims (1)

1. A multi-tenant management method for an object storage system, characterized in that it comprises an initialization step and a specific implementation step, with the following content:
First, the initialization step is as follows:
1) Initialize the multi-tenant layer. The multi-tenant layer includes a public storage space and a number of users, and the users may use the public storage space for storage. Users are represented by user roles, and a tenant is equivalent to a set of users. The user roles are divided into three types: organization manager, tenant manager and storage user. The organization manager and the tenant manager are both special storage users and are managers of the storage users: the organization manager is a global management role, and the tenant manager is a storage user to whom the organization manager has granted tenant management permission; the tenant manager has the functions of a storage user and also has management permission over the tenant's public storage space. The storage user is the user of the storage service and may use the storage system within the storage resources allocated to it; the storage system is a distributed storage system;
2) Establish the tenant structure. The tenant structure is a tree structure representing the structural relations between the users, called the organization structure tree, and consists of one root node, multiple non-leaf nodes and leaf nodes. The root node forms the root of the organization structure tree and is its top level; the non-leaf nodes form the multiple intermediate levels of the organization structure tree; the leaf nodes form its bottom level. The root node represents the organization manager, the non-leaf nodes represent the tenant managers, and the leaf nodes represent the storage users;
Second, the specific implementation step is:
1) Create the organization manager and at the same time create the organization manager's main parameters, including the account and password of the tenant structure, the total storage size of the tenant structure, the default size of the tenant's public space and its maximum and minimum values, and the default storage space size of the storage user and its maximum and minimum values. The organization manager's main parameters are global parameters. The organization manager holds the highest level of authority, which includes: creating, modifying and querying the tenants and the storage users in the tenant structure; creating, modifying and querying the subordinate relations between the tenants and the storage users; and modifying and querying the global parameters. The subordinate relations are reflected directly in the organization structure tree;
2) Log in with the organization manager created in step 1). The organization manager initializes the storage pool of the tenant structure and sends the request to initialize the tenant structure's storage pool to the gateway module, where the storage pool is used to store the tenant structure and the gateway module serves the unified multi-tenant layer. The organization manager describes the internal structure of the tenant structure with an XML file; after the gateway module receives the request to initialize the tenant structure's storage pool, it parses the XML file;
3) The gateway module converts the request to initialize the tenant structure's storage pool into multiple sub-operation requests and distributes them to the other modules for execution. The sub-operation requests are mainly of two types. In the first type, each node in the organization structure tree becomes an operation to create a tenant or an operation to create a storage user; these operations are sent to the organization management module, and the creation parameters include the storage user's ID and its corresponding storage quota. In the second type, to achieve data isolation between tenants, a permission authentication code must be created for every path in the organization structure tree, and each operation, including read operations and write operations, generates an operation code; data isolation of the tenant is achieved by matching the permission authentication code of the tenant's path in the organization structure tree against the operation code;
The gateway module sends the request to generate the tenant's permission authentication information to the permission authentication module, where the main request parameters of the permission authentication information request are the storage user's ID and its path in the organization structure tree;
4) The organization management module performs multi-tenant management with a hash-based management method, mainly comprising the following steps. First, the organization management module receives the create-tenant operation or the create-storage-user operation sent by the gateway module; creating a tenant is equivalent to repeatedly creating storage users. The storage user's path in the organization structure tree is expressed in the form of a file path, written as '/tenant structure org1/first-level tenant tenant1/second-level tenant tenant2/storage user storage_uid', meaning that storage user storage_uid belongs to tenant structure org1 and, at the same time, sits under first-level tenant tenant1 and second-level tenant tenant2; first-level tenant tenant1 is the top-level organization manager of the organization structure tree the storage user belongs to, and second-level tenant tenant2 is the tenant manager at the intermediate level of that organization structure tree;
Then, the organization management module creates and maintains a storage user information table, which includes the storage user's ID, the storage user's key, the storage user's storage quota and the storage user's permissions, where the storage user's ID is represented by the storage user's path in the organization structure tree and the storage user's permissions comprise the storage spaces on which the storage user may perform storage operations;
Finally, the organization management module writes the initialized storage pool of the tenant structure into the storage user information table;
5) The permission authentication module initializes the storage user's permissions; the specific steps are as follows:
5.a) After the permission authentication module receives the permission authentication information request sent by the gateway module, it extracts the position of the storage user contained in it, that is, its path in the organization structure tree, and at the same time generates a key pair for the storage user;
5.b) The storage user's permission authentication codes are generated from the storage user's path in the organization structure tree and the key pair. Specifically, for each level of sub-path of the storage user starting from the root of the organization structure tree: if the sub-path is not the full path, that is, the sub-path is a tenant at an upper level of the organization structure tree the storage user belongs to, read permission is granted for the sub-path; if the sub-path is the full path, that is, the sub-path is the storage user's private space, meaning that other tenants may not use the sub-path, read-write permission is granted for the sub-path. The read permission and the read-write permission are the permissions granted to the sub-path;
5.c) The permission authentication code is generated by concatenating the key pair and the permission granted to the sub-path into a preprocessing string and then computing the hash of the preprocessing string. In detail: first, a permission authentication code generation function is created for generating the permission authentication codes; it traverses all sub-paths of the path in the organization structure tree starting from the first-level path, and according to step 5.b), if the sub-path is not the full path it is granted read permission and the permission authentication code is the storage user's key pair + '@' + sub-path + 'r', where r denotes read permission; if the sub-path is the full path it is granted read-write permission and the permission authentication code is the storage user's key pair + '@' + sub-path + 'rw', where 'rw' denotes read-write permission. After all sub-paths have been traversed, the permission authentication codes generated for the sub-paths at each level are all written into the storage user's permission authentication table; every storage user owns a permission authentication table, which stores that storage user's permission authentication codes;
6) After the above steps are completed, the gateway management module is notified. The gateway management module is the extension management of the gateway module; it requests the storage driver module to initialize the tenant and the storage user in the underlying distributed storage system. The storage driver module invokes different drivers for different underlying distributed storage systems and performs the related operations in those systems through the corresponding driver; the related operations include creating the user in the underlying distributed storage system and setting the allocated storage quota and the creation parameters;
7) After initialization in the underlying distributed storage system is complete, the storage user can use the storage service through the unified multi-tenant layer. To access the underlying distributed storage system, the storage user must provide the necessary parameters, that is, an access request containing the necessary parameters is sent through the gateway module to the underlying distributed storage system; the necessary parameters are the storage user's ID, the storage user's key and the accessed object path, where the accessed object path is equivalent to the storage user's path in the organization structure tree. The gateway module in the multi-tenant layer supports a standard-compatible S3 interface; the storage user calls the S3 interface with the storage user's ID and key as the S3 interface's ID and key parameter values and the accessed object path packed as the S3 interface's key parameter, and sends the request to the gateway module's address;
8) After the gateway module receives the access request, it extracts the storage user's ID, the storage user's key and the accessed object path from the access request, generates the access mode, and sends them together to the permission authentication module as a storage authentication request for permission authentication; the access mode includes read operations, write operations and modify operations;
9) The permission authentication module performs operation permission authentication; its specific steps are improved as follows:
9.1) The permission authentication module receives the storage authentication request sent by the gateway module and generates an authentication operation code for this storage authentication request. The generation process is: from the accessed object path and the storage user's key, an operation string is formed as the storage user's key pair + '@' + the accessed object path + <op>, where <op> is the concrete operation, comprising the read operation and the write operation of the access mode: 'r' is a write operation and 'w' is a read operation;
9.2) From the operation string generated in step 9.1), the hash of this storage authentication request, that is, the hash of the operation string, is computed with the hash function and used as the authentication operation code, which is matched against the storage user's permission authentication table. If a permission authentication code in the permission authentication table matches the authentication operation code, the storage authentication request is legal; otherwise it is illegal. Whether the authentication is legal is sent to the gateway module as the permission authentication result;
10) After the gateway module receives the permission authentication result sent by the permission authentication module, if the storage authentication request is illegal it notifies the storage user that access failed and returns a description stating that the permission authentication code did not match the operation code; if the storage authentication request is legal, the gateway module forwards the concrete operation of the operation string to the storage system driver module for execution;
11) According to the necessary parameters in the access request and the concrete operation of the operation string, the storage system driver module calls the interface of the corresponding underlying distributed storage system to perform the concrete operation of the operation string, and finally returns the result to the storage user.
CN201710396173.3A 2017-05-31 2017-05-31 Multi-tenant management method for object storage system Active CN107147728B (en)

Publications (2)

Publication Number Publication Date
CN107147728A true CN107147728A (en) 2017-09-08
CN107147728B CN107147728B (en) 2020-10-09


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20200714
Address after: No. 135, Xingang West Road, Guangzhou, Guangdong 510275
Applicant after: SUN YAT-SEN University
Address before: National Supercomputing Center, No. 132, East Ring Road, University Town, Guangzhou, Guangdong 510006
Applicant before: Mo Qian
GR01 Patent grant