CN107147728A - A kind of management method of object storage system multi-tenant - Google Patents
Publication number: CN107147728A (application CN201710396173.3A)
Authority: CN (China)
Prior art keywords: storage, tenant, user, module, storage user
Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q30/00—Commerce
- G06Q30/06—Buying, selling or leasing transactions
- G06Q30/0645—Rental transactions; Leasing transactions
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/50—Network service management, e.g. ensuring proper service fulfilment according to agreements
- H04L41/508—Network service management, e.g. ensuring proper service fulfilment according to agreements based on type of value added network service under agreement
- H04L41/5096—Network service management, e.g. ensuring proper service fulfilment according to agreements based on type of value added network service under agreement wherein the managed service relates to distributed or central networked applications
Abstract
The present invention relates to a management method for multi-tenancy in an object storage system, comprising an initialization step and an implementation step, the initialization step supporting the implementation step. To address the problem that native tenant management in distributed storage is too simple, a unified multi-tenant layer provides multiple roles and complete functionality to meet multi-tenant management requirements. To address the problem of unified multi-tenant management across multiple storage systems, the present invention provides a customizable storage driver module downward to connect to different storage systems, and a unified access interface upward so that storage users can conveniently use the unified multi-tenant management and the back-end storage. The present invention also uses a new request parsing method: only the request parameters of a mainstream interface specification need to be modified according to the rules for that interface to be used. To address the low management efficiency of traditional database-based multi-tenancy, a hash-based management approach is used to improve the efficiency of multi-tenant management.
Description
Technical field
The present invention relates to the field of computer distributed storage, and in particular to a method that provides unified, transparent multi-tenant management to different distributed storage systems.
Background technology
Multi-tenancy, as a key feature of cloud computing, mainly provides resource isolation, data isolation and quality-of-service isolation, so that upper-layer applications such as virtual machines and containers can use the cloud computing system as expected and safely. Multi-tenant management therefore plays a very important role in cloud computing systems. Current storage multi-tenancy has several main problems. First, distributed storage systems mostly provide only simple tenant management, while in practice the structure of tenants is often more complex, so the native tenant management of the storage system cannot meet practical needs at all. Second, a cloud computing system may use different distributed storage systems for different scenarios, and each storage system must then do its own multi-tenant management; this makes management of storage resources very inconvenient and raises development and operations costs. Third, traditional multi-tenant technology is implemented on a database, so when the number of tenants is large or the structure is complex, the database has to be split into multiple databases and tables to limit the impact on management efficiency, which brings considerable overhead. A multi-tenant management method that solves the above problems is therefore urgently needed.
Content of the invention
In view of this, the present invention provides a management method for object storage system multi-tenancy that solves or partly solves the above problems.
To achieve the above effect, the technical scheme is: a management method for object storage system multi-tenancy, comprising an initialization step that is carried out first, followed by an implementation step.
First, the initialization step is as follows:
1) Initialize the multi-tenant layer. The multi-tenant layer comprises a public storage space and a number of users, and users may store data in the public storage space. Users are represented by user roles, and a tenant is equal to a set of users. User roles are divided into three types: organization administrator, tenant administrator and storage user. The organization administrator and tenant administrators are special storage users that manage storage users. The organization administrator is a global administrator role; a tenant administrator is a storage user to whom the organization administrator has assigned tenant administration authority, and has the functions of a storage user plus administration authority over the tenant's public storage space. A storage user is a user of the storage service and may use the storage system within the allocated storage resources; the storage system is a distributed storage system.
2) Establish the tenant structure. The tenant structure is a tree representing the structural relations among users, called the organization structure tree. It consists of one root node, multiple non-leaf nodes and leaf nodes: the root node forms the root and top layer of the organization structure tree, non-leaf nodes form its intermediate layers, and leaf nodes form its bottom layer. The root node represents the organization administrator, non-leaf nodes represent tenant administrators, and leaf nodes represent storage users.
Second, the implementation step is as follows:
1) Create the organization administrator, and at the same time create its main parameters, including the account and password of the tenant structure, the total storage size of the tenant structure, the default size of a tenant's public space and its maximum and minimum, and the default size of a storage user's storage space and its maximum and minimum. The main parameters of the organization administrator are global parameters. The organization administrator holds the highest authority, which includes: creating, modifying and querying tenants and storage users in the tenant structure; creating, modifying and querying the subordination relations between tenants and storage users; and modifying and querying the global parameters. Subordination relations are reflected directly in the organization structure tree.
2) Log in as the organization administrator created in step 1). The organization administrator initializes the storage pool of the tenant structure and sends a request to initialize the storage pool of the tenant structure to the gateway module, where the storage pool is used to store the tenant structure and the gateway module is the unified multi-tenant layer. The organization administrator describes the internal structure of the tenant structure in an XML file; after receiving the request to initialize the storage pool of the tenant structure, the gateway module parses the XML file.
3) The gateway module converts the request to initialize the storage pool of the tenant structure into multiple sub-operation requests and distributes them to other modules for execution. Sub-operation requests are mainly of two types. The first type converts the nodes of the organization structure tree into create-tenant or create-storage-user operations and sends them to the organization management module; the creation parameters include the storage user ID and its corresponding storage quota. The second type exists to achieve tenant data isolation: a permission authentication code must be created for every path in the organization structure tree, and every operation (read operations and write operations) generates an operation code; tenant data isolation is achieved by matching the permission authentication code of the tenant's path in the organization structure tree against the operation code.
The gateway module sends the permission authentication information request generated for the tenant to the permission authentication module; the main request parameters of the permission authentication information request are the storage user's ID and its path in the organization structure tree.
4) The organization management module performs multi-tenant management using a hash-based management method, mainly comprising the following steps. First, the organization management module receives the create-tenant or create-storage-user operation sent by the gateway module; creating a tenant is equivalent to creating storage users several times. The storage user's path in the organization structure tree is represented in the form of a file path, written as '/org1/tenant1/tenant2/storage_uid' (i.e. /tenant structure org1/first-level tenant tenant1/second-level tenant tenant2/storage user storage_uid), meaning that storage user storage_uid belongs to tenant structure org1 and, within that organization structure, to first-level tenant tenant1 and second-level tenant tenant2; first-level tenant tenant1 is the top-level organization administrator of the organization structure tree the storage user is in, and second-level tenant tenant2 is the tenant administrator in the intermediate layer of that tree.
Then, the organization management module creates and maintains a storage user information table, which contains the storage user's ID, the storage user's key, the storage user's storage quota and the storage user's permissions. The storage user's ID is represented by its path in the organization structure tree, and the storage user's permissions include the storage spaces on which the storage user may perform storage operations.
Finally, the organization management module writes the storage user information table into the initialized storage pool of the tenant structure.
5) The permission authentication module initializes the storage user's permissions, as follows:
5.a) After receiving the permission authentication information request sent by the gateway module, the permission authentication module extracts the storage user's position contained in it, i.e. its path in the organization structure tree, and at the same time generates a key pair for the storage user.
5.b) A permission authentication code is generated for the storage user from its path in the organization structure tree and its key. Specifically, for each level of subpath of the storage user, starting from the root of the organization structure tree: if the subpath is not the full path, i.e. it is a tenant in a layer above the storage user in the organization structure tree, the subpath is granted read permission; if the subpath is the full path, i.e. the subpath is the storage user's private space (a private space means that other tenants are not allowed to use the subpath), the subpath is granted read-write permission. Read permission and read-write permission are both permissions granted to subpaths.
5.c) The permission authentication code is generated by concatenating the key pair and the permission granted to the subpath into a preprocessing string and then computing the hash of that preprocessing string. In detail: a permission authentication code generation function is created to generate the permission authentication codes of the paths; it traverses all subpaths in the organization structure tree starting from the first-level path. According to step 5.b), if a subpath is not the full path it is granted read permission, and its permission authentication code is storage user key pair + '@' + subpath + 'r', where r denotes read permission; if the subpath is the full path it is granted read-write permission, and its permission authentication code is storage user key pair + '@' + subpath + 'rw', where 'rw' denotes read-write permission. After all subpaths have been traversed, the permission authentication codes generated for the subpaths at every level are written into the storage user's permission authentication table; each storage user owns a permission authentication table, which stores that storage user's permission authentication codes.
6) After the preceding steps are completed, the gateway management module is notified. The gateway management module manages the gateway module and can request the storage driver module to initialize the tenant and storage users in the underlying distributed storage system. The storage driver module calls different drivers according to the underlying distributed storage system, and the corresponding driver performs the relevant operations in that storage system; the relevant operations include creating the users in the underlying distributed storage system, allocating storage quotas and setting the creation parameters.
7) After initialization in the underlying distributed storage system is complete, storage users can use the storage service through the unified multi-tenant layer. To access the underlying distributed storage system, a storage user must provide the call parameters, i.e. the gateway module sends an access request to the underlying distributed storage system, and the access request contains the call parameters: the storage user's ID, the storage user's key and the access object path, where the access object path is equivalent to the storage user's path in the organization structure tree. The gateway module in the multi-tenant layer supports a standard-compatible S3 interface; a storage user can call the S3 interface, using the storage user's ID and key as the ID and key parameter values of the S3 interface and the access object path as the key parameter of the S3 interface to package the request, and send the packaged request to the address of the gateway module.
8) After receiving the access request, the gateway module extracts the storage user's ID, the storage user's key and the access object path from it, generates the access mode, and sends them together as a storage request authentication to the permission authentication module for permission authentication. The access mode includes read operations, write operations and modify operations.
9) The permission authentication module performs operation permission authentication; its specific steps are as follows:
9.1) The permission authentication module receives the storage request authentication sent by the gateway module and generates an authentication operation code from the specific storage request authentication. Specifically, an operation string is first formed from the storage user's key and the access object path: the operation string is storage user key pair + '@' + access object path + <op>, where <op> is the specific operation, comprising the read operation and write operation of the access mode; 'r' is a write operation and 'w' is a read operation.
9.2) From the operation string generated in step 9.1), the hash of this storage request authentication is computed using the hash function; this hash of the operation string is used as the authentication operation code and matched against the storage user's permission authentication table. If a permission authentication code in the permission authentication table matches the authentication operation code, the storage request authentication is legal; otherwise the storage request authentication is illegal. Whether the authentication is legal is sent to the gateway module as the permission authentication result.
10) After receiving the permission authentication result sent by the permission authentication module, the gateway module, if the storage request authentication is illegal, notifies the storage user that access failed and at the same time returns a description stating that the permission authentication code and the operation code do not match; if the storage request authentication is legal, the gateway module forwards the specific operation of the operation string to the storage system driver module for execution.
11) According to the call parameters in the access request and the specific operation of the operation string, the storage system driver module calls the interface of the corresponding underlying distributed storage system to perform the specific operation of the operation string, and finally returns its result to the storage user.
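As an added example (not code from the patent or from any implementation of it), the following Python works through steps 4), 5.b), 5.c), 9.1) and 9.2) above: it derives storage user paths from an organization structure, builds each user's permission authentication table from hashes of key + '@' + subpath + permission, and authenticates access requests by hashing the operation string and looking it up. Assumptions: SHA-256 stands in for the unnamed hash function, a single string key stands in for the key pair, the XML layout is invented because the patent gives no schema, 'r' denotes read as in step 5.c), and the 'rw' grant on the full path is expanded into one code per operation so that the single-operation string of step 9.1) has a code to match.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample organization structure. The patent says the organization
# administrator describes the tenant structure in an XML file but gives no
# schema; this <org>/<tenant>/<user> layout is an assumption for the example.
ORG_XML = """
<org name="org1" quota="1000">
  <tenant name="tenant1" quota="500">
    <tenant name="tenant2" quota="200">
      <user name="storage_uid" quota="50"/>
    </tenant>
    <user name="other_uid" quota="30"/>
  </tenant>
</org>
"""


def user_paths(xml_text):
    """Walk the organization structure tree and return {user path: quota}.

    Leaf <user> nodes are storage users whose ID is their path in the tree,
    e.g. '/org1/tenant1/tenant2/storage_uid' (step 4).
    """
    paths = {}

    def walk(node, prefix):
        path = prefix + "/" + node.attrib["name"]
        if node.tag == "user":
            paths[path] = int(node.attrib["quota"])
        else:
            for child in node:
                walk(child, path)

    walk(ET.fromstring(xml_text), "")
    return paths


def subpaths(path):
    """Every level of subpath from the root, ending with the full path (5.b)."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def auth_code(key, path, op):
    """Hash of the preprocessing string key + '@' + path + op (5.c and 9.1).

    SHA-256 is an assumption; the patent only speaks of 'the hash function'.
    """
    return hashlib.sha256(f"{key}@{path}{op}".encode()).hexdigest()


def build_auth_table(key, user_path):
    """Steps 5.b/5.c: read permission on every ancestor subpath, read-write on
    the private space at the full path. The patent writes the latter grant as
    'rw'; it is expanded here into one code per operation (assumption) so that
    the single-operation string of step 9.1 can match it."""
    table = set()
    for sp in subpaths(user_path):
        ops = ("r", "w") if sp == user_path else ("r",)
        for op in ops:
            table.add(auth_code(key, sp, op))
    return table


def authenticate(table, key, access_path, op):
    """Steps 9.1/9.2: hash the operation string and look it up in the table.

    A matching permission authentication code means the storage request is
    legal; no match means it is illegal. A wrong key, an unknown path or an
    operation that was never granted all fail the same way.
    """
    return auth_code(key, access_path, op) in table


def demo():
    """Initialize org1 and run a few access checks for storage_uid."""
    paths = user_paths(ORG_XML)
    # Constructed per-user keys standing in for the key pair of step 5.a.
    keys = {p: f"key-for-{p.rsplit('/', 1)[1]}" for p in paths}
    tables = {p: build_auth_table(keys[p], p) for p in paths}

    me = "/org1/tenant1/tenant2/storage_uid"
    key, table = keys[me], tables[me]
    return {
        "read_parent_tenant": authenticate(table, key, "/org1/tenant1", "r"),
        "write_parent_tenant": authenticate(table, key, "/org1/tenant1", "w"),
        "write_own_space": authenticate(table, key, me, "w"),
        "read_other_user": authenticate(table, key, "/org1/tenant1/other_uid", "r"),
        "wrong_key": authenticate(table, "not-my-key", me, "r"),
    }


if __name__ == "__main__":
    for check, legal in demo().items():
        print(f"{check}: {'legal' if legal else 'illegal'}")
```

Because the user's key is part of every hashed string, a leaked permission authentication table alone does not let one user reuse another user's codes, and an access attempt on another user's private space fails the lookup rather than being evaluated against that user's table.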
The beneficial effects of the present invention are: the management method for object storage system multi-tenancy provided by the present invention offers a unified, efficient and customizable solution to the multi-tenant problems present in current distributed storage systems. The method mainly comprises a unified object storage multi-tenant management interface, an efficient multi-tenant management technique and an extensible heterogeneous storage system driver technique; these three main techniques respectively solve the problems of insufficient multi-tenant functionality, low management efficiency, and poor portability and extensibility in current storage systems.
Brief description of the drawings
Fig. 1 is a structural diagram of the object storage multi-tenant management layer of the present invention;
Fig. 2 is a schematic diagram of the steps of a read-write operation of the present invention.
Embodiment
In order to make the technical problems to be solved, the technical solutions and the advantages clearer, the present invention is described in detail below with reference to embodiments and the accompanying drawings. It should be noted that the specific embodiments described herein serve only to explain the present invention and are not intended to limit it; any product that can achieve the described functions counts as an equivalent substitution or improvement and falls within the protection scope of the present invention. The specific method is as follows:
Embodiment 1: Cloud computing, as a development direction of the computer field, has gradually moved from theoretical research to deployed products. The core concept of cloud computing is summarized as three levels: infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). Alongside this core concept, corresponding technologies such as software-defined networking (SDN) and software-defined storage (SDS) have also emerged. While bringing benefits to users, the characteristics of cloud computing also pose new challenges to computer architecture, which encompasses computing, storage and networking. Under these new demands, many products and systems have emerged; typical products include OpenStack, a framework for managing virtual machines, the container runtime platform Docker, and the container orchestration tool Kubernetes. Among these, virtual machine virtualization and container virtualization are the core technologies of the cloud computing era.
Regarding virtual machine virtualization and container virtualization: the main technologies implementing virtual machine-level virtualization are KVM, QEMU and the like, whose principle is to isolate hardware resources; the main technologies implementing containerization are LXC and Docker, which is built on LXC. Containers are a lightweight form of virtualization, with stronger portability and lower overhead than virtualization schemes such as KVM. The two virtualization modes have different application scenarios: virtual machine virtualization is mainly used in fields such as cloud desktops, and container virtualization in fields such as service deployment. Both types of virtualization are the foundation of cloud computing.
Multi-tenancy, as a key feature of cloud computing, mainly provides resource isolation, data isolation and quality-of-service isolation, so that upper-layer applications such as virtual machines and containers can use the cloud computing system as expected and safely; multi-tenant management therefore plays a very important role in cloud computing systems. In a storage system, multi-tenant management covers operations such as managing tenant storage locations, managing tenant storage quotas, managing tenant permissions, and creating, deleting and modifying tenants. For cloud computing users, multi-tenant management ensures that storage users can use the storage resources within their tenant normally and safely, and the efficiency of tenant management also affects the efficiency of the whole storage system; in this respect the main functions of tenant management are permission authentication for storage access operations and management of the user's tenant space. For cloud computing system administrators, multi-tenant management allows them to obtain and manage the tenant information of the whole storage system; in this respect the main functions of tenant management are creating, modifying and deleting tenants, setting and modifying tenant storage quotas, and setting and modifying tenant permissions.
Distributed storage systems are an important component of cloud computing systems, so management of the underlying distributed storage system also affects the performance of the whole cloud computing system. Owing to differing business needs, many distributed storage systems are used in cloud computing platforms. By storage type they can be divided into three kinds: file storage, object storage and block storage. File storage mainly provides a distributed storage system with a unified namespace and is mainly used in cloud computing scenarios that require shared files; typical file systems include HDFS, GlusterFS and CephFS. Object storage provides key-value type storage and is mainly used for unstructured data such as virtual machine images and container images; typical object storage systems include Ceph Object Storage, Swift and Dynamo. Block storage supplies storage resources to users directly as block devices, after which users manage the address space of the block device themselves; it is mainly used for mounting virtual machine and container volumes, and typical block storage systems include Ceph Block Storage and Sheepdog.
Current storage multi-tenancy has several main problems. First, most distributed storage systems provide only simple tenant management, while in practice the structure of tenants is often more complex, so the native tenant management of the storage system cannot meet practical needs. Second, a cloud computing system may use different distributed storage systems for different scenarios, for example Ceph for block storage and Swift for object storage at the same time; each storage system then has to do its own multi-tenant management, which makes storage resource management inconvenient and raises development and operations costs. Third, traditional multi-tenant technology is implemented on a database, so when the number of tenants is large or the structure is complex, the database has to be split into multiple databases and tables to limit the impact on management efficiency, which brings considerable overhead.
The present invention addresses the current state of multi-tenancy on distributed storage systems, using a unified multi-tenant management layer to solve the three problems above. For the problem that native tenant management in distributed storage is too simple, the unified multi-tenant layer provides multiple roles and complete functionality to meet multi-tenant management needs. For the problem of unified multi-tenant management across multiple storage systems, the present invention provides a customizable storage driver module downward to connect to different storage systems, and the server side can customize a suitable storage system driver according to actual conditions to meet different needs; upward it provides a unified access interface so that storage users can conveniently use the unified multi-tenant management and the back-end storage. The present invention also uses a new request parsing method: a storage user only needs to modify the request parameters of a mainstream interface specification according to the rules in order to use it; for example, the S3 interface can use the unified multi-tenant management module. For the low management efficiency of traditional database-based multi-tenancy, the present invention uses a hash-based management approach to improve the efficiency of multi-tenant management, so that even when the scale of tenants grows or the tenant structure becomes complex, the efficiency of multi-tenant management is hardly affected.
Embodiment 2: This embodiment briefly explains some terms of the present invention. For convenience, the multi-tenant layer is managed uniformly; the tenant layer comprises a set of various tenants, which are essentially users, and possesses a certain public storage space and a number of users. Users are represented by user roles. The present invention divides user roles into three types: organization administrator, tenant administrator and storage user. The first two types are inherently storage users: one or more storage users within a tenant may be authorized as tenant administrators, while the organization administrator is a global administrator role. A tenant administrator is a storage user to whom the organization administrator has assigned tenant administration authority; besides the functions of an ordinary storage user, it also has administration authority over the tenant's public space. A storage user is the real user of the storage service and may use the storage system within the allocated storage resources.
An organization needs to manage all storage resources belonging to it, each tenant's storage resources, each storage user's storage resources, and the tenant structure, tenant administrators and storage users within the organization. The tenant structure can be regarded as a tree, called the organization structure tree, in which tenants are represented by non-leaf nodes and storage users by leaf nodes. As shown in Fig. 1, the object storage multi-tenant management layer comprises the gateway module, the organization management module, the permission authentication module and the storage driver module; storage users deposit the content they need into the object storage system through the object storage multi-tenant management layer. As shown in Fig. 2, the specific steps of a read-write operation are: to perform a read or write, the read-write request is first parsed; the operation type and operation path are obtained during parsing and the operation code of this operation is generated; and by comparing it against the permission authentication codes in the system, the decision to allow or refuse this read-write operation is finally made.
The specific implementation steps of a management method for object storage system multi-tenancy are:
1) Create the organization administrator. The main parameters needed for creation include the organization account and password, the organization's total storage size, the default size of a tenant's public space and its maximum and minimum, the default size of a storage user's space and its maximum and minimum, and other global configuration. The organization administrator holds the highest authority; its main functions include creating, modifying and querying tenants and storage users in the organization and the subordination relations between them, i.e. the organization structure tree, and modifying and querying the global configuration.
2) Log in as an existing organization administrator, who initializes the storage pool of the tenant structure according to the tenant structure required by the organization. The organization administrator describes the internal structure of the organization in an XML file; after receiving the request to initialize the storage pool of the tenant structure, the gateway module of the unified multi-tenant layer parses the XML file of the organization structure.
3) The gateway module converts the request to initialize the storage pool of the tenant structure into multiple sub-operation requests and distributes them to the appropriate modules for execution. Sub-operation requests are mainly of two types. First, the nodes of the organization structure tree are converted into create-tenant or create-storage-user operations and sent to the organization management module; the creation parameters include the tenant or storage user ID and its corresponding storage quota. Second, to achieve tenant data isolation, a permission authentication code must be created for every path in the organization structure tree, and each storage operation such as a read or write generates an operation code; storage space isolation is achieved by matching the permission authentication code of the accessed position against the operation code. The gateway module sends the permission authentication information request generated for the tenant to the permission authentication module, with main request parameters including the storage ID and the user's path in the organization structure tree.
4) The organization management module receives the tenant creation request sent by the gateway module and first checks the legitimacy of the request, including the legitimacy of the tenant ID and of the storage quota settings: the quota may not exceed the maximum set by the organization administrator, and the total space of all tenants may not exceed the organization's total storage space. If an illegal operation is present, the organization initialization process is interrupted immediately. Each time the organization management module completes the initialization of a storage user, it requests the permission authentication module to initialize the storage user's access permission information.
5) purview certification module is received after the purview certification information request for the tenant that gateway module is sent, and is deposited for each
User is stored up, according to its path in organization structure tree, a purview certification code is all created to every one-level subpath, wherein giving tacit consent to
Storage user has access rights to the tenant space on its path.
6), will after a tenant, storage user successfully complete the initialization of organization and administration module and purview certification module
Notification gateway management module, gateway management module can ask storage driving module, be tenant, storage user deposited in bottom distribution
Initialized in storage system, storage driving module can call different drivings according to different storage systems, pass through correspondence
Driving perform associative operation in different storage systems, associative operation includes creating user in storage system, sets and match somebody with somebody
Volume and relevant parameter etc..
7) After initialization in the underlying distributed storage system is complete, the storage user can use the storage service through the unified tenant management layer. To access the storage system, the storage user must supply the necessary parameters, i.e. the access request sent through the gateway module to the storage system carries the necessary parameters: the storage ID and key and the access object path, where the access object path is written like a file path. The gateway module of the unified multi-tenant management layer supports a standard-compatible S3 interface: the storage user can call the S3 interface using the ID and key as the S3 ID and key parameter values and the access object path as the S3 key parameter, and sends the packaged request to the address of the gateway module.
8) After the gateway module receives the storage user's access request, it extracts the ID and key, the access object path and the access mode, and sends them to the permission authentication module as a storage request authentication for permission authentication; access modes include read, write, modify and so on.
9) After the permission authentication module receives the storage request authentication, it first judges the legitimacy of the storage user from the ID and key, then generates the operation code of this access from the access object path and the access mode, and after success matches it against the permission authentication codes the storage user holds. If the operation code equals some permission authentication code, the access request is legal; otherwise the access request is illegal. The permission authentication result is sent to the gateway module.
10) After the gateway module receives the permission authentication result sent by the permission authentication module: if the request is illegal, it notifies the storage user that access failed and returns a description of the cause of failure; if the request is legal, the gateway module forwards the operation of the access request to the storage system driver module, which performs the corresponding operation.
11) According to the storage system type, the access type and the object path in the access request, the storage system driver module calls the interface of the corresponding storage system to perform the access operation, and finally returns the result of the access operation to the storage user.
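The following is an added example, not code from the patent, showing how the gateway and organization management modules of steps 2) to 4) could treat the organization manager's XML file: it parses the tenant structure, applies the legitimacy checks of step 4) (a quota may not exceed the manager's maximum, and the sum of all tenant quotas may not exceed the organization's total space), and emits the two kinds of sub-operation request of step 3). The XML layout (tag and attribute names) and the quota unit are assumptions; the patent only says the structure is described in XML.

```python
"""Added example, not code from the patent: parse an XML tenant structure
as the organization manager supplies it in step 2), apply the legitimacy
checks of step 4), and emit the two kinds of sub-operation request of
step 3). The XML layout (tag and attribute names) and the quota unit are
assumptions; the patent only says the structure is described in XML."""
import xml.etree.ElementTree as ET

# Constructed sample structure: one organization, nested tenants, two users.
SAMPLE_XML = """
<org id="org1" total_space="1000" max_tenant_quota="600" max_user_quota="200">
  <tenant id="tenant1" quota="400">
    <tenant id="tenant2" quota="200">
      <user id="storage_uid" quota="100"/>
    </tenant>
    <user id="alice" quota="150"/>
  </tenant>
  <tenant id="tenant3" quota="300"/>
</org>
"""

# Constructed sample that must be rejected: a user quota above the maximum.
BAD_USER_QUOTA_XML = """
<org id="org1" total_space="1000" max_tenant_quota="600" max_user_quota="200">
  <tenant id="tenant1" quota="400"><user id="bob" quota="250"/></tenant>
</org>
"""


class InitError(ValueError):
    """Step 4): any illegal operation interrupts initialization immediately."""


def _check_id(node_id):
    # Ids become path components of '/org1/tenant1/...', so they must be
    # non-empty and must not contain '/' or be a relative-path token.
    if not node_id or "/" in node_id or node_id in (".", ".."):
        raise InitError(f"illegal id {node_id!r}")


def plan_initialization(xml_text):
    """Return the gateway's sub-operation requests in execution order:
    ('create', path, quota, kind) for every tenant and storage user node,
    followed for each storage user by ('init_permissions', storage_id, path)
    (the storage ID is the user's path, as step 4.1) defines it)."""
    root = ET.fromstring(xml_text)
    _check_id(root.get("id"))
    total = int(root.get("total_space", "0"))
    max_tenant = int(root.get("max_tenant_quota", "0"))
    max_user = int(root.get("max_user_quota", "0"))

    # Step 4): the space of all tenants together may not exceed the
    # organization's total storage space.
    tenant_sum = sum(int(t.get("quota", "0")) for t in root.iter("tenant"))
    if tenant_sum > total:
        raise InitError(f"tenant quotas {tenant_sum} exceed total space {total}")

    ops = []

    def walk(elem, parent_path):
        for child in elem:
            _check_id(child.get("id"))
            path = f"{parent_path}/{child.get('id')}"
            quota = int(child.get("quota", "0"))
            if child.tag == "tenant":
                # Step 4): a tenant quota may not exceed the maximum set by
                # the organization manager.
                if quota > max_tenant:
                    raise InitError(f"tenant {path} quota {quota} > {max_tenant}")
                ops.append(("create", path, quota, "tenant"))
                walk(child, path)
            elif child.tag == "user":
                if quota > max_user:
                    raise InitError(f"user {path} quota {quota} > {max_user}")
                ops.append(("create", path, quota, "user"))
                # Each finished storage user triggers a permission
                # initialization request carrying its ID and path.
                ops.append(("init_permissions", path, path))
            else:
                raise InitError(f"unknown node type {child.tag!r}")

    walk(root, f"/{root.get('id')}")
    return ops


def check_structure(xml_text):
    """Return None when the structure passes step 4), else the reason text."""
    try:
        plan_initialization(xml_text)
    except (InitError, ET.ParseError, ValueError) as exc:
        return str(exc)
    return None
```

The id check matters because the storage ID is the path itself (step 4.1): an id containing '/' or '..' would let one node's path collide with or escape into another tenant's sub-tree, which the path-prefix permission scheme of step 5) relies on never happening.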
The improvements of the above technical scheme of the present invention are as follows:
In step 4), traditional multi-tenant management implements the organization management module with database technology; the present invention instead uses a hash-based management method for multi-tenant management. The hash-based multi-tenant management method mainly comprises the following steps:
4.1) First, a storage user's position in the organization is represented in a form similar to a file path. For example, the path '/org1/tenant1/tenant2/storage_uid' represents that storage user storage_uid belongs to organization org1 and lies under first-level tenant tenant1 and second-level tenant tenant2.
4.2) Then the organization management module creates and maintains a storage user information table, whose main entries include the storage ID, the user's key information and basic information such as the user's quota and permissions, where the storage ID is represented by the storage user's path.
4.3) Finally, the organization management module writes the initial information of each storage user into the storage user information table.
The specific steps of step 5), the initialization of storage user permission information in the permission authentication module, are improved as follows:
5.1) After the permission authentication module receives the storage user initialization request sent by the gateway module, it extracts the storage user's position from the request, i.e. its absolute path in the organization structure tree, and generates a key pair for the storage user.
5.2) The storage user's permission authentication codes are generated from the user's path in the organization structure tree together with its key information. The specific method is: for every level of sub-path from the root of the organization structure tree down to the user, if the sub-path is not the full path, i.e. the sub-path is an upper-layer tenant of the storage user, read permission is assigned for that sub-path; if the sub-path is the full path, i.e. it is the storage user's private space, read-write permission is assigned.
5.3) The permission authentication code generation process concatenates the storage user's key and the permission assigned to the sub-path into a preprocessing string, then computes the hash of the preprocessing string. For example, if the user's absolute path is /org1/t1/t2/t3/user1, the permission authentication code generating function traverses all sub-paths of the absolute path starting from the first-level path. When it reaches /org1/t1, the path is not the full path, so read permission is assigned and the permission authentication code is AuthNum = Hash("<access_key>+<secret_key>+'@'+'/org1/t1'+'r'"); when it reaches /org1/t1/t2/t3/user1, the path is the full path and the permission authentication code is AuthNum = Hash("<access_key>+<secret_key>+'@'+'/org1/t1/t2/t3/user1'+'rw'"). After all sub-paths have been traversed, the permission authentication codes generated for the paths of every level are written into the user's permission authentication table.
The specific steps of step 9), operating permission authentication in the permission authentication module, are improved as follows:
9.1) The permission authentication module receives the operation request sent by the gateway module and generates an operation code from the specific operation request. The generation process is: first, the storage user's key, the access path and the access type are joined into an operation string, as follows: op_str = <access_key>+<secret_key>+'@'+<path>+<op>, where access_key and secret_key are the storage user's key pair, path is the accessed position, represented by the object's absolute path within the storage system, and op is the type of the request, 'r' being the write operation and 'w' the read operation.
9.2) From the operation string generated in the previous step, the hash of the operation is computed with a hash function and used as the operation code of this operation request. It is matched against the permission authentication table of the organization the storage user belongs to; if a permission authentication code in the table matches the operation code, the request is legal, otherwise the request is illegal.
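The following is an added example, not code from the patent, that carries steps 5.1) to 5.3) and 9.1) to 9.2) through in working code: a key pair is generated for a storage user, a permission authentication code is hashed for every sub-path of the user's position ('r' for the upper-level tenant paths, 'rw' for the user's own full path), and a request is accepted only if its operation code equals an entry of that table. Two assumptions are made that the patent leaves open: SHA-256 is used as the hash function (the text only says "Hash"), and a request names the permission label it needs ('r' or 'rw') so that the operation string of 9.1) is comparable with the codes written in 5.3). The PermissionAuthModule class and the sample keys are constructed for the example.

```python
"""Added example, not code from the patent: the hash-based permission
authentication codes of steps 5.1)-5.3) and the operation-code match of
steps 9.1)-9.2). Assumptions: SHA-256 as the hash function (the patent only
says 'Hash'); the request names the permission label it needs, 'r' for
read-only access to an upper-level tenant path and 'rw' for the user's own
space, so that the operation string of 9.1) is comparable with the codes
written in 5.3)."""
import hashlib
import hmac
import secrets


def _code(access_key, secret_key, path, perm):
    # Preprocessing string of step 5.3): <access_key>+<secret_key>+'@'+path+perm
    pre = f"{access_key}{secret_key}@{path}{perm}"
    return hashlib.sha256(pre.encode("utf-8")).hexdigest()


def subpaths(abs_path):
    """All sub-paths from the first-level path to the full path, e.g.
    '/org1/t1/u1' -> ['/org1', '/org1/t1', '/org1/t1/u1']."""
    parts = [p for p in abs_path.split("/") if p]
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def build_auth_table(access_key, secret_key, abs_path):
    """Steps 5.2)-5.3): upper-level sub-paths are assigned 'r', the user's
    own full path 'rw'; the table stores only the resulting hashes."""
    table = set()
    for sub in subpaths(abs_path):
        perm = "rw" if sub == abs_path else "r"
        table.add(_code(access_key, secret_key, sub, perm))
    return table


def operation_code(access_key, secret_key, path, op):
    """Steps 9.1)-9.2): hash of op_str = <access_key>+<secret_key>+'@'+<path>+<op>."""
    return _code(access_key, secret_key, path, op)


class PermissionAuthModule:
    """Toy stand-in for the permission authentication module (assumption)."""

    def __init__(self):
        self._keys = {}    # storage ID (the user's path) -> (access_key, secret_key)
        self._tables = {}  # storage ID -> permission authentication table

    def init_storage_user(self, abs_path, access_key=None, secret_key=None):
        """Step 5.1): generate the user's key pair (fixed keys may be passed
        for reproducible runs) and build its permission authentication table."""
        access_key = access_key or secrets.token_hex(8)
        secret_key = secret_key or secrets.token_hex(16)
        self._keys[abs_path] = (access_key, secret_key)
        self._tables[abs_path] = build_auth_table(access_key, secret_key, abs_path)
        return access_key, secret_key

    def authenticate(self, storage_id, access_key, secret_key, path, op):
        """Step 9): first check the user's legitimacy by ID and key, then
        accept the request only if its operation code equals a table entry."""
        stored = self._keys.get(storage_id)
        if stored is None:
            return False
        if not (hmac.compare_digest(stored[0].encode(), access_key.encode())
                and hmac.compare_digest(stored[1].encode(), secret_key.encode())):
            return False
        return operation_code(access_key, secret_key, path, op) in self._tables[storage_id]


# Constructed sample: the user from step 5.3) with fixed (non-secret) keys.
USER_PATH = "/org1/t1/t2/t3/user1"
module = PermissionAuthModule()
AK, SK = module.init_storage_user(USER_PATH, "AK_EXAMPLE", "SK_EXAMPLE")
```

Because the table holds only digests, the authentication module must hold the user's key pair (the storage user information table of step 4.2) to recompute an operation code; a request for 'rw' on an upper-level tenant path such as /org1/t1 fails because only the 'r' code was written for that sub-path, and a request against a path outside the user's position fails because no code for it exists in the user's table at all.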
Although the preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, can make further changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed to include the preferred embodiments and all changes and modifications that fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and modifications to the embodiments of the present invention without departing from the spirit and scope of the embodiments of the invention. Thus, if these modifications and variations of the embodiments of the invention fall within the scope of the claims of the invention and their technical equivalents, the invention is also intended to include these changes and modifications.
Claims (1)
1. A multi-tenant management method for an object storage system, characterized in that it comprises an initialization step and specific implementation steps, the specific contents being as follows:
First, the initialization step is as follows:
1) Initialize the multi-tenant layer. The multi-tenant layer includes a public storage space and several users, and the users may use the public storage space for storage. The users are represented by user roles, and a tenant is equivalent to a set of users. The user roles are divided into three types: organization manager, tenant manager and storage user. The organization manager and the tenant manager are both special storage users and are managers of the storage users. The organization manager is a global management role; the tenant manager is a storage user granted tenant management permission by the organization manager, has the functions of a storage user and has management permission over the public storage space of the tenant; the storage user is a user of the storage service who can use the storage system within the allocated storage resources, the storage system being a distributed storage system;
2) Establish the tenant structure. The tenant structure is a tree structure representing the structural relations of the users, called the organization structure tree, and is made up of a root node, multiple non-leaf nodes and leaf nodes. The root node forms the root of the organization structure tree and is its top level; the non-leaf nodes form the multiple intermediate layers of the organization structure tree; the leaf nodes form its bottom layer. The root node represents the organization manager, the non-leaf nodes represent the tenant managers, and the leaf nodes represent the storage users;
Second, the specific implementation steps are:
1) Create the organization manager and at the same time create the organization manager's main parameters, including the account and password of the tenant structure, the total storage size of the tenant structure, the default size of the tenant's public space and its maximum and minimum, and the default size of the storage user's storage space and its maximum and minimum. The organization manager's main parameters are global parameters, and the organization manager holds the highest-level permissions, which include: creating, modifying and querying the tenants and the storage users in the tenant structure; creating, modifying and querying the subordinate relations between the tenants and the storage users; modifying and querying the global parameters. The subordinate relations are reflected directly in the organization structure tree;
2) Log in with the organization manager created in step 1). The organization manager initializes the storage pool of the tenant structure and sends the request to initialize the tenant structure's storage pool to the gateway module, where the storage pool is used to store the tenant structure and the gateway module serves to unify the multi-tenant layer. The organization manager describes the internal structure of the tenant structure in an XML file; after the gateway module receives the request to initialize the tenant structure's storage pool, it parses the XML file;
3) The gateway module converts the request to initialize the tenant structure's storage pool into multiple sub-operation requests and distributes the sub-operation requests to the other modules for execution. The sub-operation requests are mainly of two types. The first type: for the nodes in the organization structure tree, the operation of creating the tenant or the operation of creating the storage user; the operation of creating the tenant or the operation of creating the storage user is sent to the organization management module, and the creation parameters include the storage user's ID and its corresponding storage quota. The second type: to achieve the tenant data isolation, a permission authentication code must be created for every path in the organization structure tree, and each operation generates an operation code, the operations including read operations and write operations; the tenant data isolation is achieved by matching the permission authentication code of the tenant's path in the organization structure tree against the operation code. The gateway module sends the request to generate the tenant's permission authentication information to the permission authentication module, where the main request parameters in the permission authentication information request include the storage user's ID and its path in the organization structure tree;
4) The organization management module performs multi-tenant management using a hash-based management method, mainly comprising the following steps: First, the organization management module receives the operation of creating the tenant or the operation of creating the storage user sent by the gateway module; the operation of creating the tenant is equivalent to repeatedly creating storage users. The storage user's path in the organization structure tree is represented in file-path form, written as '/tenant structure org1/first-level tenant tenant1/second-level tenant tenant2/storage user storage_uid', meaning that storage user storage_uid belongs to tenant structure org1 and lies under first-level tenant tenant1 and second-level tenant tenant2 at the same time, where first-level tenant tenant1 is the top-level organization manager of the organization structure tree the storage user belongs to and second-level tenant tenant2 is a tenant manager in an intermediate layer of that organization structure tree;
Then, the organization management module creates and maintains a storage user information table, which includes the storage user's ID, the storage user's key, the storage user's storage quota and the storage user's permissions, where the storage user's ID is represented by the storage user's path in the organization structure tree and the storage user's permissions comprise the storage space in which the storage user may perform storage operations;
Finally, the organization management module writes the initialized storage pool of the tenant structure into the storage user information table;
5) The permission authentication module initializes the storage user's permissions with the following steps:
5.a) After the permission authentication module receives the permission authentication information request sent by the gateway module, it extracts the position of the storage user contained in it, i.e. its path in the organization structure tree, and generates a key pair for the storage user;
5.b) The storage user's permission authentication codes are generated from the storage user's path in the organization structure tree and the key pair. The specific method is: for every level of sub-path of the storage user starting from the root of the organization structure tree, if the sub-path is not the full path, i.e. it is a tenant in an upper layer of the organization structure tree the storage user belongs to, read permission is assigned to the sub-path; if the sub-path is the full path, i.e. the sub-path is the storage user's private space, where private space means that other tenants are not allowed to use the sub-path, read-write permission is assigned to the sub-path; the read permission and the read-write permission are both permissions assigned to the sub-path;
5.c) The permission authentication code generation process concatenates the key pair and the permission assigned to the sub-path into a preprocessing string and then computes the hash of the preprocessing string. The detailed process is: first, a permission authentication code generating function is created to generate the permission authentication codes; it traverses all sub-paths of the path in the organization structure tree starting from the first-level path, and according to step 5.b), if the sub-path is not the full path it is assigned read permission and the permission authentication code is the storage user's key pair + '@' + sub-path + 'r', where r denotes the read permission; if the sub-path is the full path it is assigned read-write permission and the permission authentication code is the storage user's key pair + '@' + sub-path + 'rw', where 'rw' denotes the read-write permission. After all sub-paths have been traversed, the permission authentication codes generated for the sub-paths of every level are written into the storage user's permission authentication table, which every storage user owns and which stores that storage user's permission authentication codes;
6) After the steps above are complete, the gateway management module is notified; the gateway management module is the management component for the gateway module and requests the storage driver module to initialize the tenant and the storage user in the underlying distributed storage system. The storage driver module calls different drivers according to the different underlying distributed storage systems and performs the related operations in the different underlying distributed storage systems through the corresponding driver; the related operations include creating the user in the underlying distributed storage system and setting the allocated storage quota and the creation parameters;
7) After the initialization in the underlying distributed storage system is complete, the storage user can use the storage service through the unified multi-tenant layer. To access the underlying distributed storage system the storage user must provide the necessary parameters, i.e. the access request sent by the gateway module to the underlying distributed storage system contains the necessary parameters, which include the storage user's ID, the storage user's key and the access object path, where the access object path is equivalent to the storage user's path in the organization structure tree. The gateway module in the multi-tenant layer supports a standard-compatible S3 interface; the storage user can call the S3 interface, using the storage user's ID and key as the ID and key parameter values of the S3 interface and the access object path as the key parameter of the S3 interface, and sends the packaged request to the address of the gateway module;
8) After the gateway module receives the access request, it extracts the storage user's ID, the storage user's key and the access object path from the access request and sends them, together with the generated access mode, to the permission authentication module as a storage request authentication for permission authentication; the access mode includes the read operation, the write operation and the modify operation;
9) The permission authentication module performs operating permission authentication; its specific steps are improved as follows:
9.1) The permission authentication module receives the storage request authentication sent by the gateway module and generates an authentication operation code from the specific storage request authentication. The generation process is: first, from the access object path and the storage user's key, an operation string is formed, the operation string being the storage user's key pair + '@' + the access object path + <op>, where <op> is the concrete operation, comprising the read operation and the write operation in the access mode, 'r' being the write operation and 'w' the read operation;
9.2) From the operation string generated in step 9.1), the hash of this storage request authentication, i.e. the hash of the operation string, is computed with a hash function and used as the authentication operation code to match against the storage user's permission authentication table. If a permission authentication code in the permission authentication table matches the authentication operation code, the storage request authentication is legal; otherwise the storage request authentication is illegal. Whether the authentication is legal is sent to the gateway module as the permission authentication result;
10) After the gateway module receives the permission authentication result sent by the permission authentication module: if the storage request authentication is illegal, it notifies the storage user that access failed and returns a description that the permission authentication code and the operation code do not match; if the storage request authentication is legal, the gateway module forwards the concrete operation of the operation string to the storage system driver module for execution;
11) According to the necessary parameters in the access request and the concrete operation of the operation string, the storage system driver module calls the interface of the corresponding underlying distributed storage system to perform the concrete operation of the operation string, and finally returns the result to the storage user.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710396173.3A CN107147728B (en) | 2017-05-31 | 2017-05-31 | Multi-tenant management method for object storage system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710396173.3A CN107147728B (en) | 2017-05-31 | 2017-05-31 | Multi-tenant management method for object storage system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107147728A true CN107147728A (en) | 2017-09-08 |
CN107147728B CN107147728B (en) | 2020-10-09 |
Family
ID=59780501
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710396173.3A Active CN107147728B (en) | 2017-05-31 | 2017-05-31 | Multi-tenant management method for object storage system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107147728B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102307185A (en) * | 2011-06-27 | 2012-01-04 | 北京大学 | Data isolation method used in storage cloud |
CN102651775A (en) * | 2012-03-05 | 2012-08-29 | 国家超级计算深圳中心(深圳云计算中心) | Method, equipment and system for managing shared objects of a plurality of lessees based on cloud computation |
US20120233668A1 (en) * | 2011-03-08 | 2012-09-13 | Rackspace Us, Inc. | Pluggable Allocation in a Cloud Computing System |
CN103218175A (en) * | 2013-04-01 | 2013-07-24 | 无锡成电科大科技发展有限公司 | Multi-tenant cloud storage platform access control system |
US20140330869A1 (en) * | 2013-05-02 | 2014-11-06 | International Business Machines Corporation | Secure isolation of tenant resources in a multi-tenant storage system using a security gateway |
- 2017-05-31 CN CN201710396173.3A patent/CN107147728B/en active Active
Non-Patent Citations (3)
Title |
---|
RAÚL GRACIA-TINEDO et al.: "Crystal: Software-Defined Storage for Multi-Tenant Object Stores", The 15th USENIX Conference on File and Storage Technologies * |
孙鹏: "Design and Implementation of a Multi-Tenant Massive Storage System for SaaS Applications", China Master's Theses Full-text Database, Information Science and Technology * |
彭暄: "Research on Massive Small-File Object Storage Based on Swift", China Master's Theses Full-text Database, Information Science and Technology * |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108228842A (en) * | 2018-01-08 | 2018-06-29 | 平安科技(深圳)有限公司 | Docker mirror sites file memory method, terminal, equipment and storage medium |
CN108228842B (en) * | 2018-01-08 | 2020-09-25 | 平安科技(深圳)有限公司 | Docker mirror image library file storage method, terminal, device and storage medium |
CN108989091A (en) * | 2018-06-22 | 2018-12-11 | 杭州才云科技有限公司 | Based on the tenant network partition method of Kubernetes network, storage medium, electronic equipment |
CN108989091B (en) * | 2018-06-22 | 2022-02-11 | 杭州才云科技有限公司 | Tenant network isolation method based on Kubernetes network, storage medium and electronic equipment |
CN109756333A (en) * | 2018-11-26 | 2019-05-14 | 西安得安信息技术有限公司 | key management system |
CN109714193A (en) * | 2018-12-05 | 2019-05-03 | 国云科技股份有限公司 | A method of based on zuul routing forwarding mode takeover objective storage service |
CN110414252A (en) * | 2019-08-02 | 2019-11-05 | 湖南御家科技有限公司 | A kind of method for processing business, system and electronic equipment and storage medium |
CN112579999A (en) * | 2019-09-30 | 2021-03-30 | 北京国双科技有限公司 | Data processing method and device |
CN110913021A (en) * | 2019-12-23 | 2020-03-24 | 和元达信息科技有限公司 | Multi-tenant management system and method for Internet cloud computing |
CN110913021B (en) * | 2019-12-23 | 2022-06-28 | 和元达信息科技有限公司 | Multi-tenant management system and method for Internet cloud computing |
CN111399980A (en) * | 2020-03-16 | 2020-07-10 | 中国联合网络通信集团有限公司 | Safety authentication method, device and system for container organizer |
CN111950866A (en) * | 2020-07-24 | 2020-11-17 | 合肥森亿智能科技有限公司 | Role-based multi-tenant organizational structure management system, method, device and medium |
CN111950866B (en) * | 2020-07-24 | 2023-11-07 | 合肥森亿智能科技有限公司 | Role-based multi-tenant organization structure management system, method, equipment and medium |
CN112019543A (en) * | 2020-08-27 | 2020-12-01 | 四川长虹电器股份有限公司 | Multi-tenant permission system based on BRAC model |
Also Published As
Publication number | Publication date |
---|---|
CN107147728B (en) | 2020-10-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107147728A (en) | A kind of management method of object storage system multi-tenant | |
US9928111B2 (en) | System and method for configuration tagging in a multitenant application server environment | |
CN104160381B (en) | Managing method and system for tenant-specific data sets in a multi-tenant environment | |
US8200705B2 (en) | Method and apparatus for applying database partitioning in a multi-tenancy scenario | |
US10560458B2 (en) | Resource sharing in cloud computing | |
CN107077388A (en) | System and method for providing end-to-end life cycle in multi-tenant application server environment | |
CN107003906A (en) | The type of cloud computing technology part is to type analysis | |
CN107077389A (en) | For using system and method during global operation in multi-tenant application server environment | |
US20210318998A1 (en) | Dynamic schema based multitenancy | |
US20120159479A1 (en) | Providing a persona-based application experience | |
CN108255497A (en) | The dispositions method and device of a kind of application | |
US20090133100A1 (en) | Access control on dynamically instantiated portal applications | |
CN109542861B (en) | File management method, device and system | |
US20190361618A1 (en) | Maintaining container to storage volume relations | |
TWI724570B (en) | Method, device, electronic equipment and storage medium for reading and updating data structure | |
CN104182503A (en) | Cloud platform data access safety isolation method | |
Aghera et al. | An approach to build multi-tenant SaaS application with monitoring and SLA | |
US8676847B2 (en) | Visibility control of resources | |
KR101563292B1 (en) | Cloud virtualization system and method using virtual session manager | |
CN109032799A (en) | Storage resource management method, apparatus, equipment and readable storage medium storing program for executing | |
US9679013B2 (en) | Generating and accessing a data table | |
US11868500B2 (en) | Fine-grained access control of column-major relational database management systems | |
US11334600B1 (en) | Partial reloading in data synchronization | |
Camarinha-Matos et al. | Cloud-based collaboration spaces for enterprise networks | |
US6460028B1 (en) | System and method for data organization |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| TA01 | Transfer of patent application right | Effective date of registration: 20200714; Address after: 510275 Xingang West Road, Guangdong, Guangzhou, No. 135, No.; Applicant after: SUN YAT-SEN University; Address before: 510006. National Supercomputing Center, No. 132, East Ring Road, University of Guangdong, Guangzhou, Guangzhou; Applicant before: Mo Qian |
| GR01 | Patent grant | |