CN112527310A - Multi-tenant data isolation method and device, computer equipment and storage medium - Google Patents
Multi-tenant data isolation method and device, computer equipment and storage medium Download PDFInfo
- Publication number
- CN112527310A CN112527310A CN202011479037.9A CN202011479037A CN112527310A CN 112527310 A CN112527310 A CN 112527310A CN 202011479037 A CN202011479037 A CN 202011479037A CN 112527310 A CN112527310 A CN 112527310A
- Authority
- CN
- China
- Prior art keywords
- data
- tenant
- isolation
- database
- operation request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000002955 isolation Methods 0.000 title claims abstract description 129
- 238000000034 method Methods 0.000 claims description 36
- 238000004590 computer program Methods 0.000 claims description 15
- 238000005192 partition Methods 0.000 claims description 9
- 230000004044 response Effects 0.000 claims description 5
- 238000004458 analytical method Methods 0.000 claims description 4
- 238000011161 development Methods 0.000 description 11
- 230000006870 function Effects 0.000 description 11
- 238000012423 maintenance Methods 0.000 description 6
- 238000010586 diagram Methods 0.000 description 5
- 230000008878 coupling Effects 0.000 description 4
- 238000010168 coupling process Methods 0.000 description 4
- 238000005859 coupling reaction Methods 0.000 description 4
- 238000007726 management method Methods 0.000 description 4
- 238000011084 recovery Methods 0.000 description 4
- 238000000638 solvent extraction Methods 0.000 description 4
- 238000004891 communication Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 238000000926 separation method Methods 0.000 description 3
- 230000010354 integration Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 1
- 238000004422 calculation algorithm Methods 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000007599 discharging Methods 0.000 description 1
- 230000010365 information processing Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000008569 process Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/41—Compilation
- G06F8/42—Syntactic analysis
- G06F8/427—Parsing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/27—Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/41—Compilation
- G06F8/43—Checking; Contextual analysis
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Software Systems (AREA)
- Databases & Information Systems (AREA)
- Computing Systems (AREA)
- Data Mining & Analysis (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention relates to the technical field of cloud deployment, and provides a multi-tenant data isolation method, a multi-tenant data isolation device, computer equipment and a storage medium, wherein the multi-tenant data isolation method comprises the following steps: deploying a single application instance at a backend of a cloud server; when the registration of the tenant is verified successfully, acquiring an identification code of the tenant and configuring an isolation database for the tenant through the single application instance according to the identification code; when an application operation request of the tenant is received, intercepting the application operation request through section-oriented programming, and analyzing the application operation request to obtain a data source; identifying a target isolated database corresponding to the data source; and operating the target isolation database according to the application operation request. The invention can realize data isolation for the multi-tenant configuration isolation region on the physical layer.
Description
Technical Field
The invention relates to the technical field of cloud deployment, in particular to a multi-tenant data isolation method and device, computer equipment and a storage medium.
Background
In the cloud computing era, applications are put to the cloud, and with the increase of customers and services, software operators need to create N Web servers and N databases for N tenants and deploy the same application programs for the N tenants N times under conventional conditions, so that the operation cost and maintenance complexity of the operators are increased, and products cannot be delivered to the tenants quickly.
Therefore, the single-tenant architecture can no longer satisfy the business scenario in which multiple tenants share applications and resources on the cloud.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a method, an apparatus, a computer device, and a storage medium for isolating multi-tenant data, which can implement data isolation by configuring an isolation region for the multi-tenant on a physical layer.
A first aspect of the present invention provides a method for isolating multi-tenant data, where the method includes:
deploying a single application instance at a backend of a cloud server;
when the registration of the tenant is verified successfully, acquiring an identification code of the tenant and configuring an isolation database for the tenant through the single application instance according to the identification code;
when an application operation request of the tenant is received, intercepting the application operation request through section-oriented programming, and analyzing the application operation request to obtain a data source;
identifying a target isolated database corresponding to the data source;
and operating the target isolation database according to the application operation request.
According to an optional embodiment of the present invention, the configuring the isolation database for the tenant according to the identification code comprises:
acquiring tenant identification and group information in the identification code;
configuring a data isolation area according to the tenant identification;
and creating a database in the data isolation area according to the group information.
According to an optional embodiment of the present invention, the parsing the application operation request to obtain a data source includes:
analyzing a data source required to be selected in the application operation request through section-oriented programming;
adding an annotation on a business method needing to select a data source, and specifying a data source identifier in the attribute of the annotation;
intercepting the business method with the annotation to execute the data source selection logic to obtain a thread context environment variable corresponding to the data source identification;
and selecting a data source corresponding to the business method according to the thread context environment variable through the business method.
According to an optional embodiment of the present invention, the operating the target isolated database according to the application operation request includes:
when the application operation request is a user data writing request, acquiring network service quality;
determining a slicing strategy corresponding to the network service quality;
slicing the data by adopting the slicing strategy to obtain a plurality of sliced data;
successively writing the plurality of slice data into the target isolated database.
According to an optional embodiment of the present invention, the operating the target isolated database according to the application operation request includes:
when the application operation request is a user data reading request, acquiring the operation authority of the user;
determining whether the user is allowed to read data according to the operation authority;
and when the user is determined to be allowed to read the data, reading the data from the target isolation database and returning the data to the user.
According to an alternative embodiment of the invention, the method further comprises:
acquiring data of a data source;
writing the non-reusable data in the data of the data source into a message queue;
and writing reusable data in the data of the data source into the isolated database.
According to an alternative embodiment of the invention, the method further comprises:
removing the isolation database in the isolation partition in response to expiration of the tenant's services.
A second aspect of the present invention provides a multi-tenant data isolation apparatus, comprising:
the deployment module is used for deploying a single application instance at the back end of the cloud server;
the configuration module is used for acquiring the identification code of the tenant and configuring an isolation database for the tenant according to the identification code through the single application instance when the registration of the tenant is verified successfully;
the analysis module is used for intercepting the application operation request through section-oriented programming when the application operation request of the tenant is received, and analyzing the application operation request to obtain a data source;
the identification module is used for identifying a target isolation database corresponding to the data source;
and the operation module is used for operating the target isolation database according to the application operation request.
A third aspect of the present invention provides a computer apparatus comprising:
a memory for storing a computer program;
and the processor is used for realizing the multi-tenant data isolation method when executing the computer program.
A fourth aspect of the present invention provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the multi-tenant data isolation method.
In summary, according to the multi-tenant data isolation method, the multi-tenant data isolation device, the computer equipment and the storage medium, a single application instance is deployed at the rear end of the cloud server, an isolation database is configured for the tenant through the single application instance according to the identification codes of different tenants, when an application operation request of the tenant is received, the application operation request is intercepted through the section-oriented programming, and the application operation request is analyzed to obtain a data source; identifying a target isolated database corresponding to the data source; and operating the target isolation database according to the application operation request. The mode of front-end and back-end separation is adopted, so that the multiplexing of back-end services can be realized in a multi-tenant scene, the individual requirements of the multi-tenant can be fully met on the premise of ensuring lower development and maintenance cost, and the mutual influence of the services among the multi-tenant can be shielded by means of fault isolation.
Drawings
Fig. 1 is a flowchart of a multi-tenant data isolation method according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of multi-tenant data isolation provided by an embodiment of the present invention.
Fig. 3 is a structural diagram of a multi-tenant data isolation apparatus according to a second embodiment of the present invention.
Fig. 4 is a schematic structural diagram of a computer device according to a third embodiment of the present invention.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a detailed description of the present invention will be given below with reference to the accompanying drawings and specific embodiments. It should be noted that the embodiments of the present invention and features of the embodiments may be combined with each other without conflict.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
Fig. 1 is a flowchart of a multi-tenant data isolation method according to an embodiment of the present invention. The multi-tenant data isolation method specifically comprises the following steps, and the sequence of the steps in the flowchart can be changed and some steps can be omitted according to different requirements.
S11, deploying a single application instance at the backend of the cloud server.
The software operator provides the cloud server platform or the development environment as a service to the tenants, and provides the service for the multiple tenants while running a single application instance on the background server, so that the application cost of the tenants is effectively reduced.
S12, when the registration of the tenant is verified successfully, the identification code of the tenant is obtained and an isolation database is configured for the tenant through the single application instance according to the identification code.
The isolation database refers to a database instance which is shared by a tenant, and the data of the tenant are not physically visible, so that backup and recovery are flexible.
When a tenant initiates a registration request, the tenant carries an identification code through the registration request, and the identification code comprises a tenant identification of the tenant and group information of the tenant.
In an optional embodiment, the configuring the isolation database for the tenant according to the identification code includes:
acquiring tenant identification and group information in the identification code;
configuring a data isolation area according to the tenant identification;
and creating a database in the data isolation area according to the group information.
In this alternative embodiment, the group information is used to indicate the number of users in the tenant, and the larger the number of users is, the larger the number of users in the tenant is, the smaller the number of users in the tenant is, and the smaller the number of users is.
Different data isolation regions are configured for different tenants, so that data isolation can be realized physically, and the data security is protected; according to the size of the user size, databases with different sizes are created, so that the requirements of tenants can be met, and the resources of the cloud server can be saved.
And S13, intercepting the application operation request by a facet-oriented program when receiving the application operation request of the tenant, and analyzing the application operation request to obtain a data source.
Wherein, the application operation request may include, but is not limited to: data read requests, data write requests.
The Aspect Oriented Programming (AOP) is a technology for realizing unified maintenance of program functions through a pre-compiling mode and a dynamic proxy during running, and each part of business logic can be isolated by using the AOP, so that the coupling degree between each part of the business logic is reduced, the reusability of a program is improved, and the development efficiency is improved.
In an optional embodiment, the parsing the application operation request to obtain a data source includes:
analyzing a data source required to be selected in the application operation request through section-oriented programming;
adding an annotation on a business method needing to select a data source, and specifying a data source identifier in the attribute of the annotation;
intercepting the business method with the annotation to execute the data source selection logic to obtain a thread context environment variable corresponding to the data source identification;
and selecting a data source corresponding to the business method according to the thread context environment variable through the business method.
Intercepting a business method with annotations through a section, and obtaining a thread context environment variable corresponding to a data source identifier by executing a data source selection logic in the section; and the business method selects a data source corresponding to the business method according to the thread context environment variable.
The implementation mode can reduce repeated data source selection logic codes, reduce intrusion to business codes, reduce the coupling degree of the data source selection codes and the business codes, flexibly configure dynamic data source selection, realize dynamic switching of uniformly managed data sources, determine the data sources according to specified strategies, meet basic management requirements, meet expansion requirements, reduce integration cost and improve development efficiency.
S14, identifying a target isolation database corresponding to the data source.
The corresponding relation between the data source and the isolation subarea is stored in the computer equipment in advance, and the isolation subarea can be known after the data source is determined, so that the target isolation database is determined.
And S15, operating the target isolation database according to the application operation request.
In an optional embodiment, the operating the target isolated database according to the application operation request includes:
when the application operation request is a user data writing request, acquiring network service quality;
determining a slicing strategy corresponding to the network service quality;
slicing the data by adopting the slicing strategy to obtain a plurality of sliced data;
successively writing the plurality of slice data into the target isolated database.
When the network service quality is better, the data can be sliced without or in a small quantity; when the network service quality is poor, the data is sliced for a plurality of times.
Data is sliced through the network service quality and then written into the database, so that network resources can be fully utilized, and the data can be written rapidly.
In an optional embodiment, the operating the target isolated database according to the application operation request includes:
when the application operation request is a user data reading request, acquiring the operation authority of the user;
determining whether the user is allowed to read data according to the operation authority;
and when the user is determined to be allowed to read the data, reading the data from the target isolation database and returning the data to the user.
Each tenant also comprises a plurality of users, and when the tenant registers, different operation authorities, such as read-write authorities, modification authorities and the like, can be configured for each user.
When the users in the tenants have the reading rights, the users can be allowed to read the data in the corresponding database, so that the safety of the data in the database is ensured.
In an optional embodiment, the method further comprises:
removing the isolation database in the isolation partition in response to expiration of the tenant's services.
In this alternative embodiment, each tenant may also subscribe to a service deadline, and the cloud server monitors the service deadline of the tenant, and when the service deadline expires, removes both the isolation partition associated with the tenant and the isolation database in the isolation partition, thereby freeing up more storage resources to better serve other tenants or serve a new tenant.
In an optional embodiment, the method further comprises:
acquiring data of a data source;
writing the non-reusable data in the data of the data source into a message queue;
and writing reusable data in the data of the data source into the isolated database.
In this optional embodiment, partitioning of the reusable data and the non-reusable data is achieved by dividing the data of the data source into reusable data and non-reusable data, writing the non-reusable data into the message queue, and writing the reusable data into the isolation database. And partitioning the data to facilitate the recovery of the data.
According to the embodiment of the invention, a single application instance is deployed at the rear end of a cloud server, an isolation database is configured for a tenant through the single application instance according to identification codes of different tenants, when an application operation request of the tenant is received, the application operation request is intercepted through section-oriented programming, and the application operation request is analyzed to obtain a data source; identifying a target isolated database corresponding to the data source; and operating the target isolation database according to the application operation request. The mode of front-end and back-end separation is adopted, so that the multiplexing of back-end services can be realized in a multi-tenant scene, the individual requirements of the multi-tenant can be fully met on the premise of ensuring lower development and maintenance cost, and the mutual influence of the services among the multi-tenant can be shielded by means of fault isolation.
The method can be applied to intelligent government affairs to promote the development of intelligent cities.
In order to more clearly understand the technical solution of the present invention, the following description is provided with reference to fig. 2:
assuming that there are three tenants, for example, company a, company B, and company C, applying for the operator of the lawyer application to use the services of the lawyer application and its resources for developing business needs, the operator of the lawyer application first deploys the lawyer application (single application instance) at the back end of the cloud server, and by deploying the lawyer application at the back end of the cloud server in a single application instance, avoids creating three Web servers for the three tenants. Each tenant needs to be registered first when using the lawyer application program for the first time, an identification code capable of indicating identity information is submitted during registration, and the lawyer application program configures an isolation database for the tenant according to the identification codes of different tenants. As shown in fig. 2, company a is configured with a data isolation region, company B is configured with a data isolation region, and company C is configured with a data isolation region, wherein company a data isolation region, company B data isolation region, and company C data isolation region are physically isolated. When an application operation request of any tenant, such as company A, is received, the data source selection logic is executed through the section-oriented programming, the company A data isolation area is determined as a target data source, and the database in the company A data isolation area is operated according to the application operation request.
Fig. 3 is a structural diagram of a multi-tenant data isolation apparatus according to a second embodiment of the present invention.
In some embodiments, the multi-tenant data isolation device 30 may include a plurality of functional modules made up of computer program segments. The computer programs of the various program segments in the multi-tenant data isolation apparatus 30 may be stored in a memory of a computer device and executed by at least one processor to perform the functions of multi-tenant data isolation (described in detail in fig. 1).
In this embodiment, the multi-tenant data isolation apparatus 30 may be divided into a plurality of functional modules according to the functions executed by the multi-tenant data isolation apparatus. The functional module may include: a deployment module 301, a configuration module 302, a parsing module 303, an identification module 304, an operation module 305, a removal module 306, an acquisition module 307, and a write module 308. The module referred to herein is a series of computer program segments capable of being executed by at least one processor and capable of performing a fixed function and is stored in memory. In the present embodiment, the functions of the modules will be described in detail in the following embodiments.
The deployment module 301 is configured to deploy a single application instance at a backend of a cloud server.
The software operator provides the cloud server platform or the development environment as a service to the tenants, and provides the service for the multiple tenants while running a single application instance on the background server, so that the application cost of the tenants is effectively reduced.
The configuration module 302 is configured to, when the tenant registration is verified to be successful, acquire an identification code of the tenant and configure an isolated database for the tenant according to the identification code through the single application instance.
The isolation database refers to a database instance which is shared by a tenant, and the data of the tenant are not physically visible, so that backup and recovery are flexible.
When a tenant initiates a registration request, the tenant carries an identification code through the registration request, and the identification code comprises a tenant identification of the tenant and group information of the tenant.
In an optional embodiment, the configuring module 302 configuring the isolation database for the tenant according to the identification code comprises:
acquiring tenant identification and group information in the identification code;
configuring a data isolation area according to the tenant identification;
and creating a database in the data isolation area according to the group information.
In this alternative embodiment, the group information is used to indicate the number of users in the tenant, and the larger the number of users is, the larger the number of users in the tenant is, the smaller the number of users in the tenant is, and the smaller the number of users is.
Different data isolation regions are configured for different tenants, so that data isolation can be realized physically, and the data security is protected; according to the size of the user size, databases with different sizes are created, so that the requirements of tenants can be met, and the resources of the cloud server can be saved.
The analysis module 303 is configured to intercept the application operation request by a profile-oriented program when receiving the application operation request of the tenant, and analyze the application operation request to obtain a data source.
Wherein, the application operation request may include, but is not limited to: data read requests, data write requests.
The Aspect Oriented Programming (AOP) is a technology for realizing unified maintenance of program functions through a pre-compiling mode and a dynamic proxy during running, and each part of business logic can be isolated by using the AOP, so that the coupling degree between each part of the business logic is reduced, the reusability of a program is improved, and the development efficiency is improved.
In an optional embodiment, the parsing module 303 parsing the application operation request to obtain a data source includes:
analyzing a data source required to be selected in the application operation request through section-oriented programming;
adding an annotation on a business method needing to select a data source, and specifying a data source identifier in the attribute of the annotation;
intercepting the business method with the annotation to execute the data source selection logic to obtain a thread context environment variable corresponding to the data source identification;
and selecting a data source corresponding to the business method according to the thread context environment variable through the business method.
Intercepting a business method with annotations through a section, and obtaining a thread context environment variable corresponding to a data source identifier by executing a data source selection logic in the section; and the business method selects a data source corresponding to the business method according to the thread context environment variable.
The implementation mode can reduce repeated data source selection logic codes, reduce intrusion to business codes, reduce the coupling degree of the data source selection codes and the business codes, flexibly configure dynamic data source selection, realize dynamic switching of uniformly managed data sources, determine the data sources according to specified strategies, meet basic management requirements, meet expansion requirements, reduce integration cost and improve development efficiency.
The identifying module 304 is configured to identify a target isolated database corresponding to the data source.
The corresponding relation between the data source and the isolation subarea is stored in the computer equipment in advance, and the isolation subarea can be known after the data source is determined, so that the target isolation database is determined.
The operation module 305 is configured to operate the target isolated database according to the application operation request.
In an optional embodiment, the operation module 305 performs an operation on the target isolated database according to the application operation request, including:
when the application operation request is a user data writing request, acquiring network service quality;
determining a slicing strategy corresponding to the network service quality;
slicing the data by adopting the slicing strategy to obtain a plurality of sliced data;
successively writing the plurality of slice data into the target isolated database.
When the network service quality is better, the data can be sliced without or in a small quantity; when the network service quality is poor, the data is sliced for a plurality of times.
Data is sliced through the network service quality and then written into the database, so that network resources can be fully utilized, and the data can be written rapidly.
In an optional embodiment, the operation module 305 performs an operation on the target isolated database according to the application operation request, including:
when the application operation request is a user data reading request, acquiring the operation authority of the user;
determining whether the user is allowed to read data according to the operation authority;
and when the user is determined to be allowed to read the data, reading the data from the target isolation database and returning the data to the user.
Each tenant also comprises a plurality of users, and when the tenant registers, different operation authorities, such as read-write authorities, modification authorities and the like, can be configured for each user.
When the users in the tenants have the reading rights, the users can be allowed to read the data in the corresponding database, so that the safety of the data in the database is ensured.
The removal module 306 is configured to remove the isolated database in the isolated partition in response to the service of the tenant expiring.
In this alternative embodiment, each tenant may also subscribe to a service deadline, and the cloud server monitors the service deadline of the tenant, and when the service deadline expires, removes both the isolation partition associated with the tenant and the isolation database in the isolation partition, thereby freeing up more storage resources to better serve other tenants or serve a new tenant.
The obtaining module 307 is configured to obtain data of a data source.
The writing module 308 is configured to write the non-reusable data in the data of the data source into a message queue; and writing reusable data in the data of the data source into the isolated database.
In this optional embodiment, partitioning of the reusable data and the non-reusable data is achieved by dividing the data of the data source into reusable data and non-reusable data, writing the non-reusable data into the message queue, and writing the reusable data into the isolation database. And partitioning the data to facilitate the recovery of the data.
According to the embodiment of the invention, a single application instance is deployed at the rear end of a cloud server, an isolation database is configured for a tenant through the single application instance according to identification codes of different tenants, when an application operation request of the tenant is received, the application operation request is intercepted through section-oriented programming, and the application operation request is analyzed to obtain a data source; identifying a target isolated database corresponding to the data source; and operating the target isolation database according to the application operation request. The mode of front-end and back-end separation is adopted, so that the multiplexing of back-end services can be realized in a multi-tenant scene, the individual requirements of the multi-tenant can be fully met on the premise of ensuring lower development and maintenance cost, and the mutual influence of the services among the multi-tenant can be shielded by means of fault isolation.
The method can be applied to intelligent government affairs to promote the development of intelligent cities.
In order to more clearly understand the technical solution of the present invention, the following description is provided with reference to fig. 2:
assuming that there are three tenants, for example, company a, company B, and company C, applying for the operator of the lawyer application to use the services of the lawyer application and its resources for developing business needs, the operator of the lawyer application first deploys the lawyer application (single application instance) at the back end of the cloud server, and by deploying the lawyer application at the back end of the cloud server in a single application instance, avoids creating three Web servers for the three tenants. Each tenant needs to be registered first when using the lawyer application program for the first time, an identification code capable of indicating identity information is submitted during registration, and the lawyer application program configures an isolation database for the tenant according to the identification codes of different tenants. As shown in fig. 2, company a is configured with a data isolation region, company B is configured with a data isolation region, and company C is configured with a data isolation region, wherein company a data isolation region, company B data isolation region, and company C data isolation region are physically isolated. When an application operation request of any tenant, such as company A, is received, the data source selection logic is executed through the section-oriented programming, the company A data isolation area is determined as a target data source, and the database in the company A data isolation area is operated according to the application operation request.
Fig. 4 is a schematic structural diagram of a computer device according to a third embodiment of the present invention. In the preferred embodiment of the present invention, the computer device 4 includes a memory 41, at least one processor 42, at least one communication bus 43, and a transceiver 44.
It will be appreciated by those skilled in the art that the configuration of the computer device shown in fig. 4 is not a limitation of the embodiments of the present invention, and may be a bus-type configuration or a star-type configuration, and that the computer device 4 may include more or less hardware or software than those shown, or a different arrangement of components.
In some embodiments, the computer device 4 is a computer device capable of automatically performing numerical calculation and/or information processing according to instructions set or stored in advance, and the hardware thereof includes but is not limited to a microprocessor, an application specific integrated circuit, a programmable gate array, a digital processor, an embedded device, and the like. The computer device 4 may also include a client device, which includes, but is not limited to, any electronic product capable of interacting with a client through a keyboard, a mouse, a remote controller, a touch pad, or a voice control device, for example, a personal computer, a tablet computer, a smart phone, a digital camera, etc.
It should be noted that the computer device 4 is only an example, and other electronic products that are currently available or may come into existence in the future, such as electronic products that can be adapted to the present invention, should also be included in the scope of the present invention, and are included herein by reference.
In some embodiments, the memory 41 has stored therein a computer program that, when executed by the at least one processor 42, implements all or part of the steps of the multi-tenant data isolation method as described. The Memory 41 includes a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), a One-time Programmable Read-Only Memory (OTPROM), an electronically Erasable rewritable Read-Only Memory (Electrically-Erasable Programmable Read-Only Memory (EEPROM)), an optical Read-Only disk (CD-ROM) or other optical disk Memory, a magnetic disk Memory, a tape Memory, or any other medium readable by a computer capable of carrying or storing data.
Further, the computer-readable storage medium may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to the use of the blockchain node, and the like.
The block chain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, a consensus mechanism, an encryption algorithm and the like. A block chain (Blockchain), which is essentially a decentralized database, is a series of data blocks associated by using a cryptographic method, and each data block contains information of a batch of network transactions, so as to verify the validity (anti-counterfeiting) of the information and generate a next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and the like.
In some embodiments, the at least one processor 42 is a Control Unit (Control Unit) of the computer device 4, connects various components of the entire computer device 4 by using various interfaces and lines, and executes various functions and processes data of the computer device 4 by running or executing programs or modules stored in the memory 41 and calling data stored in the memory 41. For example, the at least one processor 42, when executing the computer program stored in the memory, implements all or a portion of the steps of the multi-tenant data isolation method described in embodiments of the present invention; or implement all or part of the functionality of the multi-tenant data isolation device. The at least one processor 42 may be composed of an integrated circuit, for example, a single packaged integrated circuit, or may be composed of a plurality of integrated circuits packaged with the same or different functions, including one or more Central Processing Units (CPUs), microprocessors, digital Processing chips, graphics processors, and combinations of various control chips.
The present embodiment provides a storage medium, which stores thereon a computer program, and when the computer program is executed by a processor, the computer program implements the steps in the above-mentioned multi-tenant data isolation method embodiment, for example, S11-S15 shown in fig. 1:
s11, deploying a single application instance at the back end of the cloud server;
s12, when the registration of the tenant is verified successfully, acquiring the identification code of the tenant and configuring an isolation database for the tenant through the single application instance according to the identification code;
s13, intercepting the application operation request by a facet-oriented program when receiving the application operation request of the tenant, and analyzing the application operation request to obtain a data source;
s14, identifying a target isolation database corresponding to the data source;
and S15, operating the target isolation database according to the application operation request.
Alternatively, the computer program, when executed by the processor, implements the functions of the modules in the above device embodiments, such as the module 301 and 308 in fig. 3:
the deployment module 301 is configured to deploy a single application instance at a backend of a cloud server;
the configuration module 302 is configured to, when the tenant registration is verified successfully, acquire an identification code of the tenant and configure an isolated database for the tenant according to the identification code through the single application instance;
the analysis module 303 is configured to intercept the application operation request by a profile-oriented programming when receiving the application operation request of the tenant, and analyze the application operation request to obtain a data source;
the identifying module 304 is configured to identify a target isolated database corresponding to the data source;
the operation module 305 is configured to operate the target isolated database according to the application operation request;
the removal module 306, configured to remove the isolated database in the isolated partition in response to the service expiration of the tenant;
the obtaining module 307 is configured to obtain data of a data source.
The writing module 308 is configured to write the non-reusable data in the data of the data source into a message queue; and writing reusable data in the data of the data source into the isolated database.
In some embodiments, the at least one communication bus 43 is arranged to enable connection communication between the memory 41 and the at least one processor 42, etc.
Although not shown, the computer device 4 may further include a power source (such as a battery) for supplying power to the various components, and preferably, the power source may be logically connected to the at least one processor 42 through a power management device, so as to implement functions of managing charging, discharging, and power consumption through the power management device. The power supply may also include any component of one or more dc or ac power sources, recharging devices, power failure detection circuitry, power converters or inverters, power status indicators, and the like. The computer device 4 may further include various sensors, a bluetooth module, a Wi-Fi module, and the like, which are not described herein again.
The integrated unit implemented in the form of a software functional module may be stored in a computer-readable storage medium. The software functional module is stored in a storage medium and includes several instructions to enable a computer device (which may be a personal computer, a computer device, or a network device) or a processor (processor) to execute parts of the methods according to the embodiments of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is only one logical functional division, and other divisions may be realized in practice.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional module.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or that the singular does not exclude the plural. A plurality of units or means recited in the apparatus claims may also be implemented by one unit or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.
Finally, it should be noted that the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention is described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.
Claims (10)
1. A multi-tenant data isolation method, the method comprising:
deploying a single application instance at a backend of a cloud server;
when the registration of the tenant is verified successfully, acquiring an identification code of the tenant and configuring an isolation database for the tenant through the single application instance according to the identification code;
when an application operation request of the tenant is received, intercepting the application operation request through section-oriented programming, and analyzing the application operation request to obtain a data source;
identifying a target isolated database corresponding to the data source;
and operating the target isolation database according to the application operation request.
2. The multi-tenant data isolation method of claim 1, wherein the configuring an isolation database for the tenant in accordance with the identification code comprises:
acquiring tenant identification and group information in the identification code;
configuring a data isolation area according to the tenant identification;
and creating a database in the data isolation area according to the group information.
3. The multi-tenant data isolation method of claim 1, wherein parsing the application operation request into data sources comprises:
analyzing a data source required to be selected in the application operation request through section-oriented programming;
adding an annotation on a business method needing to select a data source, and specifying a data source identifier in the attribute of the annotation;
intercepting the business method with the annotation to execute the data source selection logic to obtain a thread context environment variable corresponding to the data source identification;
and selecting a data source corresponding to the business method according to the thread context environment variable through the business method.
4. The multi-tenant data isolation method of claim 1, wherein the operating the target isolation database in accordance with the application operation request comprises:
when the application operation request is a user data writing request, acquiring network service quality;
determining a slicing strategy corresponding to the network service quality;
slicing the data by adopting the slicing strategy to obtain a plurality of sliced data;
successively writing the plurality of slice data into the target isolated database.
5. The multi-tenant data isolation method of claim 1, wherein the operating the target isolation database in accordance with the application operation request comprises:
when the application operation request is a user data reading request, acquiring the operation authority of the user;
determining whether the user is allowed to read data according to the operation authority;
and when the user is determined to be allowed to read the data, reading the data from the target isolation database and returning the data to the user.
6. The multi-tenant data isolation method of claim 1, further comprising:
acquiring data of a data source;
writing the non-reusable data in the data of the data source into a message queue;
and writing reusable data in the data of the data source into the isolated database.
7. The multi-tenant data isolation method of any of claims 1 through 6, further comprising:
removing the isolation database in the isolation partition in response to expiration of the tenant's services.
8. A multi-tenant data isolation apparatus, the apparatus comprising:
the deployment module is used for deploying a single application instance at the back end of the cloud server;
the configuration module is used for acquiring the identification code of the tenant and configuring an isolation database for the tenant according to the identification code through the single application instance when the registration of the tenant is verified successfully;
the analysis module is used for intercepting the application operation request through section-oriented programming when the application operation request of the tenant is received, and analyzing the application operation request to obtain a data source;
the identification module is used for identifying a target isolation database corresponding to the data source;
and the operation module is used for operating the target isolation database according to the application operation request.
9. A computer device, characterized in that the computer device comprises:
a memory for storing a computer program;
a processor for implementing the multi-tenant data isolation method of any one of claims 1 through 7 when executing the computer program.
10. A computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the multi-tenant data isolation method of any of claims 1 through 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011479037.9A CN112527310A (en) | 2020-12-15 | 2020-12-15 | Multi-tenant data isolation method and device, computer equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011479037.9A CN112527310A (en) | 2020-12-15 | 2020-12-15 | Multi-tenant data isolation method and device, computer equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112527310A true CN112527310A (en) | 2021-03-19 |
Family
ID=75000201
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011479037.9A Pending CN112527310A (en) | 2020-12-15 | 2020-12-15 | Multi-tenant data isolation method and device, computer equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112527310A (en) |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112905708A (en) * | 2021-03-31 | 2021-06-04 | 浙江太美医疗科技股份有限公司 | Database operation method and system based on software as a service (SaaS) system |
| CN113343275A (en) * | 2021-06-30 | 2021-09-03 | 招商局金融科技有限公司 | Data access method and data management service system |
| CN113360476A (en) * | 2021-06-21 | 2021-09-07 | 上海上讯信息技术股份有限公司 | Method and device for virtual plugging of program database |
| CN113609105A (en) * | 2021-08-20 | 2021-11-05 | 南威软件股份有限公司 | Method for realizing physical isolation of collaboration system data |
| CN113839942A (en) * | 2021-09-22 | 2021-12-24 | 上海妙一生物科技有限公司 | User authority management method, device, equipment and storage medium |
| CN115994036A (en) * | 2023-03-22 | 2023-04-21 | 北京腾达泰源科技有限公司 | Cloud platform tenant isolation method, device, equipment and storage medium |
| CN116107547A (en) * | 2023-01-04 | 2023-05-12 | 三峡高科信息技术有限责任公司 | Unified service and multi-data source management method |
| CN116305288A (en) * | 2023-04-25 | 2023-06-23 | 北京轻松筹信息技术有限公司 | Method, device, equipment and storage medium for isolating database resources |
| CN116401231A (en) * | 2023-03-20 | 2023-07-07 | 一临云(深圳)科技有限公司 | Data source management method, device and storage medium |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103455512A (en) * | 2012-05-31 | 2013-12-18 | 上海博腾信息科技有限公司 | Multi-tenant data management model for SAAS (software as a service) platform |
| WO2015034487A1 (en) * | 2013-09-04 | 2015-03-12 | Hewlett-Packard Development Company, L.P. | Selection of resource providers for multi-tenancy provision of building blocks |
| CN106547859A (en) * | 2016-10-21 | 2017-03-29 | 杭州朗和科技有限公司 | A kind of storage method and device of the data file under multi-tenant data storage system |
| CN108769805A (en) * | 2018-06-11 | 2018-11-06 | 广州酷狗计算机科技有限公司 | Data transmission method, device, computer equipment and storage medium |
| CN110765489A (en) * | 2019-10-30 | 2020-02-07 | 深圳前海环融联易信息科技服务有限公司 | Multi-tenant database isolation method and system, electronic device and computer storage medium |
| CN111861140A (en) * | 2020-06-28 | 2020-10-30 | 微民保险代理有限公司 | Service processing method, device, storage medium and electronic device |
-
2020
- 2020-12-15 CN CN202011479037.9A patent/CN112527310A/en active Pending
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103455512A (en) * | 2012-05-31 | 2013-12-18 | 上海博腾信息科技有限公司 | Multi-tenant data management model for SAAS (software as a service) platform |
| WO2015034487A1 (en) * | 2013-09-04 | 2015-03-12 | Hewlett-Packard Development Company, L.P. | Selection of resource providers for multi-tenancy provision of building blocks |
| CN106547859A (en) * | 2016-10-21 | 2017-03-29 | 杭州朗和科技有限公司 | A kind of storage method and device of the data file under multi-tenant data storage system |
| CN108769805A (en) * | 2018-06-11 | 2018-11-06 | 广州酷狗计算机科技有限公司 | Data transmission method, device, computer equipment and storage medium |
| CN110765489A (en) * | 2019-10-30 | 2020-02-07 | 深圳前海环融联易信息科技服务有限公司 | Multi-tenant database isolation method and system, electronic device and computer storage medium |
| CN111861140A (en) * | 2020-06-28 | 2020-10-30 | 微民保险代理有限公司 | Service processing method, device, storage medium and electronic device |
Non-Patent Citations (2)
| Title |
|---|
| PILISIYANG: "一种spring boot 项目中多租户的实现", 《HTTPS://WWW.JIANSHU.COM/P/AF82A23F44C5》, pages 1 - 4 * |
| 董庆贺;何倩;江炳城;刘鹏;: "面向云数据库的多租户属性基安全隔离与数据保护方案", 信息网络安全, no. 07 * |
Cited By (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112905708A (en) * | 2021-03-31 | 2021-06-04 | 浙江太美医疗科技股份有限公司 | Database operation method and system based on software as a service (SaaS) system |
| CN113360476B (en) * | 2021-06-21 | 2023-11-21 | 上海上讯信息技术股份有限公司 | Method and equipment for program database virtualization plug |
| CN113360476A (en) * | 2021-06-21 | 2021-09-07 | 上海上讯信息技术股份有限公司 | Method and device for virtual plugging of program database |
| CN113343275A (en) * | 2021-06-30 | 2021-09-03 | 招商局金融科技有限公司 | Data access method and data management service system |
| CN113343275B (en) * | 2021-06-30 | 2024-03-19 | 招商局金融科技有限公司 | Data access method and data management service system |
| CN113609105A (en) * | 2021-08-20 | 2021-11-05 | 南威软件股份有限公司 | Method for realizing physical isolation of collaboration system data |
| CN113839942A (en) * | 2021-09-22 | 2021-12-24 | 上海妙一生物科技有限公司 | User authority management method, device, equipment and storage medium |
| CN116107547A (en) * | 2023-01-04 | 2023-05-12 | 三峡高科信息技术有限责任公司 | Unified service and multi-data source management method |
| CN116401231A (en) * | 2023-03-20 | 2023-07-07 | 一临云(深圳)科技有限公司 | Data source management method, device and storage medium |
| CN116401231B (en) * | 2023-03-20 | 2024-04-26 | 一临云(深圳)科技有限公司 | Data source management method, device and storage medium |
| CN115994036A (en) * | 2023-03-22 | 2023-04-21 | 北京腾达泰源科技有限公司 | Cloud platform tenant isolation method, device, equipment and storage medium |
| CN116305288B (en) * | 2023-04-25 | 2023-09-22 | 北京轻松筹信息技术有限公司 | Method, device, equipment and storage medium for isolating database resources |
| CN116305288A (en) * | 2023-04-25 | 2023-06-23 | 北京轻松筹信息技术有限公司 | Method, device, equipment and storage medium for isolating database resources |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112527310A (en) | Multi-tenant data isolation method and device, computer equipment and storage medium | |
| JP6658882B2 (en) | Control device, VNF placement destination selection method and program | |
| US20070156981A1 (en) | Method, apparatus and program product for managing memory in a virtual computing system | |
| US8112659B2 (en) | Reducing recovery time for business organizations in case of disasters | |
| US9438645B2 (en) | Correlating computing network events | |
| CN110825494A (en) | Physical machine scheduling method and device and computer storage medium | |
| US20150089505A1 (en) | Systems and methods for fault tolerant batch processing in a virtual environment | |
| CN104360878A (en) | Method and device for deploying application software | |
| CN110750592A (en) | Data synchronization method, device and terminal equipment | |
| CN113938321B (en) | Extensible operation and maintenance management system, method, electronic equipment and readable storage medium | |
| CN113064744A (en) | Task processing method and device, computer readable medium and electronic equipment | |
| CN113138882B (en) | MySQL cluster-based automatic deployment method and device and related equipment | |
| CN112000353A (en) | Application running method and device and storage medium | |
| CN111857951A (en) | Containerized deployment platform and deployment method | |
| CN113672240A (en) | Container-based multi-machine-room batch automatic deployment application method and system | |
| CN106850695B (en) | Remote heterogeneous virtualization management method, device and system in cloud computing environment | |
| CN112131196A (en) | Distributed log processing method and device, terminal equipment and storage medium | |
| CN114489954A (en) | Tenant creation method based on virtualization platform, tenant access method and equipment | |
| CN114565502A (en) | GPU resource management method, scheduling method, device, electronic equipment and storage medium | |
| CN116760705B (en) | Multi-tenant platform isolation management system and method based on comprehensive energy management system | |
| CN114675976B (en) | GPU (graphics processing Unit) sharing method, device, equipment and medium based on kubernets | |
| CN113918305A (en) | Node scheduling method and device, electronic equipment and readable storage medium | |
| CN114371962A (en) | Data acquisition method and device, electronic equipment and storage medium | |
| US10868717B2 (en) | Concurrent profile deployments | |
| CN111741097B (en) | Method for tenant to monopolize node, computer equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |