JP2016144186A - Communication information controller, relay system, communication information control method, and communication information control program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technology for notifying a server of a tenant ID without making a user recognize the tenant ID, while reducing an operation cost, machine cost, and search cost.SOLUTION: A communication information controller comprises: a communication information acquisition unit 11 for acquiring a request showing an authentication request; a tenant ID registration unit 12 that when an identification address of the request's transmission source is not included in a tenant ID correspondence table, identifies, by referring to management information on multi-tenant service, a tenant ID corresponding to user information extracted from the request and registers the identified tenant ID and the transmission source's identification address in association with each other into the tenant ID correspondence table; a tenant ID identification unit 13 that when the transmission source's identification address is included in the tenant ID correspondence table, identifies a tenant ID associated with the transmission source's identification address; and a communication information output unit 14 that inserts the identified tenant ID into the request and outputs it as a request with respect to the multi-tenant service.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a technique for controlling information transmitted and received between a server and a client that provide a multi-tenant service.

  In an information processing system, a multi-tenant service is provided that provides a service that can be customized for each customer (tenant). When using a multi-tenant service, authentication by a user ID and a tenant ID is often required. For the user, there is a problem in terms of convenience that the tenant ID must be input in addition to the user ID at the time of service request. Therefore, it is desirable that the tenant ID need not be specified at the time of service request. Therefore, as a method for notifying the user of the tenant ID from the client without making the user aware of it, a method of dividing a login URL (Uniform Resource Locator) for each tenant is known. In this case, the user of each tenant makes an authentication request by accessing each tenant login URL. However, in this method, the login URL of another tenant may be inferred from the character string of the login URL of a certain tenant. In this case, there is a problem that an unexpected access may be received to the login URL of another tenant.

  As another method for notifying the user of the tenant ID from the client to the server without making the user aware of it, a method of dividing the identification address and port number for each tenant is known. In this case, the user of each tenant accesses the identification address and port number corresponding to each tenant. However, the number of identification addresses that can be provided by one information processing system is limited. Therefore, this method has a problem that it is difficult to cope with the increase in the number of tenants. In some cases, communication from the client side to the external network is restricted. In such a case, there is a problem that special setting work may be required to allow communication on ports other than the well-known port on the client side.

  A technique related to these problems is described in Patent Document 1. In this related technology, a relay device is provided between a server and a client that provide a multi-tenant service. The relay device stores in advance the correspondence between information specifying the client-side interface of the relay device and the tenant ID. Thus, when the relay apparatus receives a request for the server, the relay apparatus identifies the tenant ID of the request based on the received information specifying the client side interface. Then, the relay device generates a connection specifying the tenant ID with the server, and transmits a request to the server using the connection.

  Another technique related to such a problem is described in Patent Document 2. In this related technology, the web server stores the user ID or client information and the tenant ID in association with each other. And a web server calculates | requires tenant ID based on the user ID or client information linked | related with the process request received from the client. Then, the web server requests the database server to process the data area corresponding to the obtained tenant ID.

JP 2010-219845 A Patent No. 5200721

  However, the related art described above has the following problems.

  The related technology described in Patent Document 1 needs to store in advance the correspondence between the client-side interface of the relay device and the tenant ID. Moreover, the related technique described in Patent Document 2 needs to store in advance the correspondence between client information or user ID and tenant ID. For this reason, these related technologies have a problem that it is necessary to update the table storing the correspondence relationship with the tenant ID when a usage application for a new tenant is applied or when a usage environment is changed in an existing tenant. .

  Furthermore, in the related technology described in Patent Document 2, when the client information and the tenant ID are associated with each other, it is necessary to grasp in advance all the client terminals assumed to be used and store the correspondence relationship. Prior work costs are required. In addition, when the number of client terminals increases or decreases, it is necessary to update the correspondence table each time, which increases the work cost. Further, when the user ID and the tenant ID are associated with each other, the table capacity increases as the number of users increases, and there is a problem that the machine cost for storing the table and the search cost at the time of table search increase. .

  The present invention has been made to solve the above-described problems. That is, an object of the present invention is to provide a technology for notifying a user of a tenant ID without making the user aware of it while reducing operational costs, machine costs, and search costs.

  The communication information control apparatus of the present invention is a communication information control apparatus that controls information transmitted and received between a server that provides a multi-tenant service to users registered for each tenant and a client that uses the multi-tenant service. When a communication information acquisition unit that acquires a request representing an authentication request for the multi-tenant service transmitted from the client to the server and an identification address of the transmission source of the request are not included in the tenant ID correspondence table, The tenant ID corresponding to the user information extracted from the request is identified by referring to the management information of the multi-tenant service in the server, and the identified tenant ID and the identification address of the transmission source are associated with each other. Register in the tenant ID correspondence table A tenant ID registration unit that identifies a tenant ID associated with the identification address of the transmission source in the tenant ID correspondence table when the identification address of the transmission source is included in the tenant ID correspondence table; A communication information output unit that includes the tenant ID specified by the tenant ID registration unit or the tenant ID specifying unit in the request and outputs the request as a request for the multi-tenant service.

  When the relay system of the present invention receives a request representing an authentication request for the multi-tenant service from the communication information control device and the client, the relay system transfers the request to the communication information control device. A communication path control system that receives a request including the tenant ID from an information control device and transmits the received request to the server.

  The communication information control method of the present invention is a communication information control for controlling information transmitted and received between a server that provides a multi-tenant service to a user registered for each tenant and a client that uses the multi-tenant service. When a request representing an authentication request for the multi-tenant service transmitted from the client to the server is acquired and the identification address of the transmission source of the request is not included in the tenant ID correspondence table, The tenant ID corresponding to the user information extracted from the request is identified by referring to the management information of the multi-tenant service, and the identified tenant ID and the identification address of the transmission source are associated to correspond to the tenant ID Register in the table and send Is included in the tenant ID correspondence table, the tenant ID associated with the identification address of the transmission source is identified in the tenant ID correspondence table, the identified tenant ID is included in the request, and the multiple Output as a request for tenant service.

  The communication information control program of the present invention is a communication information control that controls information transmitted and received between a server that provides a multi-tenant service to a user registered for each tenant and a client that uses the multi-tenant service. When a communication information acquisition step for acquiring a request representing an authentication request for the multi-tenant service transmitted from the client to the server is not included in the device, and the identification address of the transmission source of the request is not included in the tenant ID correspondence table, The tenant ID corresponding to the user information extracted from the request is identified by referring to the management information of the multi-tenant service in the server, and the identified tenant ID and the identification address of the transmission source are associated with each other. Tenant ID compatible table And a tenant ID registration step for registering a tenant ID associated with the identification address of the transmission source in the tenant ID correspondence table when the identification address of the transmission source is included in the tenant ID correspondence table A specifying step and a communication information output step of including the tenant ID specified in the tenant ID registration step or the tenant ID specifying step in the request and outputting the request as a request for the multi-tenant service are executed.

  The present invention can provide a technology for notifying the server of the tenant ID without making the user conscious while reducing the operation cost, the machine cost, and the search cost.

It is a functional block diagram of the communication information control apparatus as the first embodiment of the present invention. It is a figure which shows an example of the hardware constitutions of the communication information control apparatus as the 1st Embodiment of this invention. It is a flowchart explaining operation | movement of the communication information control apparatus as the 1st Embodiment of this invention. It is a block diagram which shows the structure of the relay system as the 2nd Embodiment of this invention. It is a figure which shows an example of the management information of the multi-tenant service in the 2nd Embodiment of this invention. It is a functional block diagram of the relay system as the 2nd Embodiment of this invention. It is a figure which shows an example of the information stored in the tenant ID corresponding | compatible table in the 2nd Embodiment of this invention. It is a figure which shows an example of the information stored in the failure frequency recording table in the 2nd Embodiment of this invention. It is an activity diagram explaining the outline of operation | movement of the relay system as the 2nd Embodiment of this invention. It is a flowchart explaining the outline of operation | movement of the communication information control apparatus as the 2nd Embodiment of this invention. It is a flowchart explaining the tenant ID registration operation | movement of the communication information control apparatus as the 2nd Embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

(First embodiment)
FIG. 1 shows a functional block configuration of the communication information control apparatus 10 as the first embodiment of the present invention. In FIG. 1, the communication information control apparatus 10 includes a communication information acquisition unit 11, a tenant ID registration unit 12, a tenant ID specifying unit 13, and a communication information output unit 14.

  The communication information control device 10 is a device that controls information transmitted and received between the server 80 and the client 90.

  The server 80 is a device that provides a multi-tenant service. The multi-tenant service is a service provided to a user registered for each tenant. Also, in order to use the multi-tenant service provided by the server 80, it is assumed that authentication based on user information and a tenant ID is required. User information is information representing a registered user. For example, the user information includes a user ID that identifies the user. Further, the user information may include a password registered in association with the user ID. The tenant ID is information for identifying the tenant to which the user belongs. The server 80 stores user information registered for each tenant ID as management information. It is assumed that the server 80 is operated so that the same user information is not registered even in different tenants.

  The client 90 is a device that uses a multi-tenant service provided by the server 80. The client 90 transmits a request representing an authentication request for the multi-tenant service to the server 80. The request transmitted from the client 90 includes user information indicating a registered user, but does not include a tenant ID.

  Here, the communication information control apparatus 10 can be configured by hardware elements as shown in FIG. In FIG. 2, the communication information control device 10 includes a CPU (Central Processing Unit) 1001, a memory 1002, an output device 1003, an input device 1004, and a network interface 1005. The memory 1002 includes a RAM (Random Access Memory), a ROM (Read Only Memory), an auxiliary storage device (such as a hard disk), and the like. The output device 1003 is configured by a device that outputs information, such as a display device or a printer. The input device 1004 is configured by a device that receives an input of a user operation, such as a keyboard or a mouse. The network interface 1005 is an interface connected to a network constituted by the Internet, a LAN (Local Area Network), a public line network, a wireless communication network, or a combination thereof. In this case, each functional block of the communication information control apparatus 10 is configured by a CPU 1001 that reads and executes a computer program stored in the memory 1002 and controls each unit. Note that the hardware configuration of the communication information control apparatus 10 and each functional block thereof is not limited to the above-described configuration.

  The communication information acquisition unit 11 acquires a request transmitted from the client 90 to the server 80. Moreover, the communication information acquisition part 11 specifies the identification address of the transmission source from the acquired request. Moreover, the communication information acquisition part 11 extracts user information from the acquired request. These pieces of information extracted from the request are used by the tenant ID registration unit 12 or the tenant ID specifying unit 13 described later. For example, assume that the request is an IP (Internet Protocol) packet. In this case, the source IP address included in the IP packet is applied as the source identification address. User information is included in the data portion of the IP packet.

  The tenant ID registration unit 12 is configured to function when the identification address of the request transmission source is not included in the tenant ID correspondence table. In this case, the tenant ID registration unit 12 registers the transmission source identification address and the tenant ID corresponding to the user information in the tenant ID correspondence table in association with each other.

  Specifically, the tenant ID registration unit 12 specifies the tenant ID corresponding to the user information extracted from the request by referring to the management information of the multi-tenant service in the server 80. For example, the tenant ID registration unit 12 may be able to refer to the management information by accessing the multi-tenant service using a privileged account. Then, the tenant ID registration unit 12 may register the identified tenant ID and the transmission source identification address in the tenant ID correspondence table in association with each other.

  The tenant ID specifying unit 13 is configured to function when the identification address of the transmission source is included in the tenant ID correspondence table. In this case, the tenant ID specifying unit 13 specifies the tenant ID associated with the identification address of the transmission source in the tenant ID correspondence table.

  The communication information output unit 14 includes the tenant ID specified by the tenant ID registration unit 12 or the tenant ID specifying unit 13 in the request and outputs the request as a request for the multi-tenant service.

  The operation of the communication information control apparatus 10 configured as described above will be described with reference to FIG.

  First, the communication information acquisition unit 11 acquires a request transmitted from the client 90 to the server 80 and representing an authentication request for the multi-tenant service (step S1).

  Next, the communication information acquisition unit 11 extracts the identification address and user information of the transmission source from the acquired request (step S2).

  Next, the tenant ID registration unit 12 determines whether or not the identification address of the transmission source of the request is included in the tenant ID correspondence table (step S3).

  Here, when the identification address of the transmission source is not included in the tenant ID correspondence table, the tenant ID registration unit 12 refers to the management information of the multi-tenant service in the server 80 to obtain the tenant ID corresponding to the user information. Specify (step S4).

  Then, the tenant ID registration unit 12 associates the identification address of the transmission source with the identified tenant ID and registers them in the tenant ID correspondence table (step S5).

  On the other hand, when the identification address of the transmission source is included in the tenant ID correspondence table, the tenant ID identification unit 13 identifies the tenant ID associated with the identification address of the transmission source in the tenant ID correspondence table (step S6).

  Next, the communication information output unit 14 includes the tenant ID specified in step S4 or S6 in the request and outputs the request as a request for the multi-tenant service (step S7).

  Thus, the communication information control apparatus 10 ends the operation.

  Next, effects of the first exemplary embodiment of the present invention will be described.

  The communication information control apparatus as the first exemplary embodiment of the present invention can notify the server of the tenant ID without making the user aware of it while reducing the operation cost, the machine cost, and the search cost.

  The reason will be described. In the present embodiment, the communication information acquisition unit acquires a request representing an authentication request for a multi-tenant service transmitted from a client to a server. The request includes user information and does not include a tenant ID. If the identification address of the request source is not included in the tenant ID correspondence table, the tenant ID registration unit accesses the management information of the multi-tenant service for the tenant ID corresponding to the user information included in the request. Specified. Then, the tenant ID registration unit registers the identified tenant ID in the tenant ID correspondence table in association with the identification address of the transmission source. In addition, when the identification address of the transmission source of the request is included in the tenant ID correspondence table, the tenant ID identification unit identifies the tenant ID associated with the identification address of the transmission source in the tenant ID correspondence table. This is because the communication information output unit outputs the tenant ID specified in this way in a request.

  As described above, in the present embodiment, when relaying a request transmitted from the client to the server, the tenant ID is specified and included in the request. As a result, this embodiment can transmit a request including user information and not including a tenant ID, including an appropriate tenant ID, to the server when sent from the client. As a result, in the client, the user need only input user information to be included in the request, and does not need to input a tenant ID. Therefore, the user can use the multi-tenant service without being aware of the tenant ID.

  In this way, in this embodiment, the tenant ID correspondence table can be automatically generated by specifying an appropriate tenant ID for the identification address of the request transmission source. For this reason, in this embodiment, it is not necessary to create a tenant ID correspondence table in advance, and the operation cost can be suppressed.

  In general, it is assumed that an identification address of a transmission source of a request from a user belonging to the same tenant is an address such as a gateway. In this case, the tenant ID correspondence table in the present embodiment may store the tenant ID for each identification address such as a gateway used by the tenant. For this reason, the tenant ID correspondence table has a smaller capacity than the case where the tenant ID is stored for each user information. For this reason, this embodiment does not require a large amount of area for storing the tenant ID correspondence table, and can reduce the machine cost. Further, according to the present embodiment, the tenant ID correspondence table for searching for the identification address of the transmission source has a smaller capacity, so that the search cost can be suppressed.

(Second Embodiment)
Next, a second embodiment of the present invention will be described in detail with reference to the drawings. Note that, in each drawing referred to in the description of the present embodiment, the same reference numerals are given to the same configuration and steps that operate in the same manner as in the first embodiment of the present invention, and the detailed description in the present embodiment. Description is omitted.

  First, FIG. 4 shows the configuration of the relay system 2 as the second embodiment of the present invention. In FIG. 4, the relay system 2 includes a communication information control device 20 and a communication path control system 30. The relay system 2 is a system that relays information transmitted and received between the server 81 and the client 91.

  The server 81 is a device that provides a multi-tenant type directory service as a multi-tenant service. For example, the directory service may be a Lightweight Directory Access Protocol (LDAP) directory service. Hereinafter, in this embodiment, the server 81 is described as providing a multi-tenant type LDAP directory service. In the LDAP directory service, a user ID and a password are registered as user information for each tenant ID. Further, it is assumed that authentication using a user ID, a password, and a tenant ID is necessary to use the LDAP directory service. Hereinafter, information representing an authentication request for the LDAP directory service is also referred to as an LDAP request. In the present embodiment, it is assumed that the LDAP directory service is operated so that user information having the same combination of user ID and password is not registered even in different tenants.

  The server 81 manages the LDAP directory tree separately for each tenant. An example of the LDAP directory tree is shown in FIG. For example, in FIG. 5, tanaka, sato, and suzuki are registered as user IDs for the tenant having the tenant ID “C”. As described above, the LDAP directory tree includes user information for each tenant. Further, a password (not shown) corresponding to the user ID can be referred to by accessing such an LDAP directory tree with a privileged account. The LDAP directory tree corresponds to an embodiment of management information of the present invention.

  The client 91 is a device that uses the LDAP directory service of the server 81. The client 91 transmits an LDAP request to the server 81. The LDAP request transmitted from the client 91 includes the user ID and password, but does not include the tenant ID.

  The communication path control system 30 is a system that controls a communication path between the server 81 and the client 91. When receiving the LDAP request from the client 91, the communication path control system 30 transfers the LDAP request to the communication information control device 20. Then, the communication path control system 30 receives the LDAP request to which the tenant ID is added from the communication information control apparatus 20 and transmits the received request to the server 81.

  For example, the communication path control system 30 may be configured by an SDN (Software-Defined Network). SDN is a technology that separates the control function and data transfer function of a communication device and changes the configuration and settings of a network by software. In this case, the communication path control system 30 can be configured to include an SDN controller 31, a first SDN switch 32, and a second SDN switch 33, for example, as shown in FIG. Each of these devices can be configured by a computer device having a CPU, a memory, and a network interface, for example. In this case, a computer program that causes each device to function as the SDN controller or SDN switch of the present invention is stored in the memory of each device. The CPU of each device functions by executing a computer program stored in the memory and controlling each unit. The configuration of the communication path control system 30 is not limited to the configuration shown in FIG.

  When receiving the communication packet, the first SDN switch 32 transfers the communication packet based on the flow entry set in the own device. Specifically, if the communication packet is an LDAP request, the first SDN switch 32 transfers the communication packet to the SDN controller 31. If the communication packet is authentication failure information, the first SDN switch 32 returns the communication packet to the client 91. In addition, when the communication packet is not an LDAP request or authentication failure information, the first SDN switch 32 performs other processing determined by the flow entry or normal processing as a switch in the SDN.

  The SDN controller 31 calculates the route of the transferred communication packet and transmits it to an appropriate route. Specifically, if the communication packet is an LDAP request, the SDN controller 31 transfers the communication packet to the communication information control apparatus 20. This LDAP request includes the user ID and password, but does not include the tenant ID. Further, when the communication packet is not an LDAP request, the SDN controller 31 performs other processing as a controller in the SDN.

  In addition, when the LDAP request is returned from the communication information control device 20, the SDN controller 31 transfers the returned LDAP request to the second SDN switch 33. This LDAP request includes a tenant ID in addition to the user ID and password. When the authentication failure information is returned from the communication information control device 20, the SDN controller 31 returns the authentication failure information to the first SDN switch 32.

  When the second SDN switch 33 receives the communication packet, the second SDN switch 33 transfers the communication packet based on the flow entry set in the own device. Specifically, if the communication packet is an LDAP request, the second SDN switch 33 transfers the communication packet to the server 81. Further, when the communication packet is not an LDAP request, the second SDN switch 33 performs other processing determined by the flow entry and normal processing as a switch in the SDN.

  Next, functions of the communication information control device 20 will be described. When the LDAP request is transferred from the communication path control system 30, the communication information control device 20 includes the tenant ID in the transferred LDAP request and returns it to the communication path control system 30. Alternatively, the communication information control apparatus 20 may return authentication failure information to the communication path control system 30.

  Here, in FIG. 6, the communication information control apparatus 20 includes a communication information acquisition unit 21, a tenant ID registration unit 22, a tenant ID specifying unit 23, and a communication information output unit 24. Note that the communication information control device 20 and each functional block thereof can be configured by the same hardware elements as those of the first embodiment of the present invention described with reference to FIG. However, the hardware configuration of the communication information control apparatus 20 and its functional blocks is not limited to the above-described configuration.

  The communication information acquisition unit 21 receives an LDAP request from the communication path control system 30. The LDAP request is transferred from, for example, the first SDN switch 32. This LDAP request represents an authentication request for the LDAP directory service from the client 91 to the server 81 as described above.

  Further, the communication information acquisition unit 21 specifies the transmission source IP address of the LDAP request. Further, the communication information acquisition unit 21 extracts a user ID and a password from the LDAP request.

  The tenant ID registration unit 22 is configured to function when the tenant ID correspondence table does not include the IP address of the transmission source of the LDAP request. In this case, specifically, the tenant ID registration unit 22 accesses the LDAP directory service of the server 81 with a privileged account. As a result, the tenant ID registration unit 22 searches the LDAP directory tree for the tenant ID corresponding to the corresponding user ID and password. As a result of searching the LDAP directory tree, when the corresponding tenant ID can be identified, the tenant ID registration unit 22 associates the transmission source IP address of the LDAP request with the identified tenant ID, and newly adds them to the tenant ID correspondence table. Register as an entry.

  An example of the tenant ID correspondence table is shown in FIG. For example, the first line in FIG. 7 indicates that the tenant ID “A” is associated with the transmission source IP address “address 1”.

  In addition, the tenant ID registration unit 22 is configured to function even when the number of failures described later satisfies a predetermined condition. Also in this case, the tenant ID registration unit 22 searches the tenant ID corresponding to the corresponding user ID and password by accessing the LDAP directory service with a privileged account. When the corresponding tenant ID can be identified, the tenant ID registration unit 22 updates the tenant ID correspondence table using the tenant ID identified this time. Specifically, the tenant ID registration unit 22 may update the tenant ID already associated with the transmission source IP address registered in the tenant ID correspondence table to the tenant ID specified this time. Then, the tenant ID registration unit 22 notifies the communication information output unit 24 of the tenant ID specified this time.

  If the corresponding tenant ID cannot be identified even after searching the LDAP directory tree, the tenant ID registration unit 22 notifies the communication information output unit 24 that the tenant ID cannot be determined.

  The tenant ID specifying unit 23 is configured to function when the tenant ID correspondence table includes the IP address of the transmission source of the LDAP request. In this case, specifically, the tenant ID specifying unit 23 acquires a tenant ID associated with the transmission source IP address included in the tenant ID correspondence table. For example, when the IP address of the transmission source is “address 1”, the tenant ID “A” is acquired according to the tenant ID correspondence table shown in FIG.

  Here, in the first embodiment of the present invention, the tenant ID acquired from the tenant ID correspondence table in this way is specified as the tenant ID corresponding to the LDAP request. In the present embodiment, when the tenant ID acquired from the tenant ID correspondence table further satisfies the following conditions, the tenant ID is specified as the tenant ID corresponding to the LDAP request.

  Specifically, the tenant ID specifying unit 23 determines whether or not the correspondence between the tenant ID acquired from the tenant ID correspondence table and the user information extracted from the LDAP request is correct. This determination process is performed by accessing the LDAP directory service of the server 81 with a privileged account. That is, the tenant ID specifying unit 23 may check whether or not the corresponding user information is registered under the corresponding tenant ID by accessing the LDAP directory service with a privileged account. At this time, if a corresponding user ID exists under the corresponding tenant ID, the tenant ID specifying unit 23 determines that the correspondence between the tenant ID and the user information is correct without verifying the password. May be. In this case, password authentication is performed by the LDAP directory service. When the tenant ID specifying unit 23 determines that the correspondence relationship is correct, the tenant ID specifying unit 23 notifies the communication information output unit 24 of the tenant ID.

  For example, when the transmission source IP address is “address 2”, “C” is acquired from the tenant ID shown in FIG. Further, it is assumed that the user ID “sato” and the password “satopw” are extracted from the LDAP request. In this case, the tenant ID specifying unit 23 accesses the LDAP directory service with a privileged account, and refers to the management information shown in FIG. And since tenant ID specific | specification part 23 has user ID "sato" under tenant ID "C", since the correspondence of this tenant ID and user information is correct, tenant ID "c" is communication information output part. 24 may be notified.

  If the tenant ID specifying unit 23 determines that the correspondence relationship is not correct, the tenant ID specifying unit 23 notifies the communication information output unit 24 that the tenant ID cannot be determined. At this time, the tenant ID specifying unit 23 may count the number of times that the correspondence relationship is determined to be incorrect (number of failures) for each combination of the corresponding tenant ID and user information. For example, the tenant ID specifying unit 23 may record the number of failures for each combination of tenant ID and user information in the failure number recording table. And when the frequency | count of failure satisfy | fills predetermined conditions, the tenant ID specific | specification part 23 calls the above-mentioned tenant ID registration part 22. FIG. The predetermined condition may be exceeding a threshold value. When the number of failures satisfies a predetermined condition, the tenant ID specifying unit 23 resets the number of failures for the combination of the tenant ID and user information to zero.

  However, the tenant ID specifying unit 23 may count the number of failures described above in the following case. Specifically, when the tenant ID specifying unit 23 determines that the correspondence relationship between the tenant ID acquired from the tenant ID correspondence table and the user information is not correct, the correspondence relationship with the user information is further determined. It is determined whether there is another correct tenant ID. This determination process is performed by accessing the LDAP directory service of the server 81 with a privileged account. Then, when it is determined that there is such another tenant ID, the tenant ID specifying unit 23 may count up the number of failures. The number of failures in this case is recorded for a combination of tenant ID and user information acquired from the tenant ID correspondence table.

  For example, when the IP address of the transmission source is “address 2”, “C” is acquired from the tenant ID shown in FIG. Further, it is assumed that the user ID “yamada” and the password “yamadapw” are extracted from the LDAP request. In this case, the tenant ID specifying unit 23 accesses the LDAP directory service with a privileged account and searches the LDAP directory tree shown in FIG. Then, the tenant ID specifying unit 23 determines that the correspondence between the tenant ID and the user information is not correct because there is no user ID “yamada” under the tenant ID “C”. In this case, the tenant ID specifying unit 23 determines whether there is another tenant ID under the user ID “yamada” and the password “yamadapw” by searching the LDAP directory tree. According to the LDAP directory of FIG. 7, the user ID “yamada” is under the tenant ID “A”. Also assume that the password is “yamadapw”. That is, another tenant ID “A” having a correct correspondence relationship between the user ID and the password exists. Therefore, the tenant ID specifying unit 23 adds 1 to the failure count recorded in the failure count recording table for the combination of the tenant ID “C” and the user ID “yamada” acquired from the tenant ID correspondence table. Update it. An example of the failure count recording table is shown in FIG. For example, the second line in FIG. 8 records 1 as the number of failures for the combination of the tenant ID “C” and the user ID “yamada”.

  When the tenant ID is notified from the tenant ID registration unit 22 or the tenant ID specifying unit 23, the communication information output unit 24 includes the tenant ID in the LDAP packet and returns it to the communication path control system 30. Specifically, the communication information output unit 24 may return the LDAP packet including the tenant ID to the SDN controller 31 described above.

  Further, when notified from the tenant ID registration unit 22 or the tenant ID specifying unit 23 that the tenant ID cannot be specified, the communication information output unit 24 generates authentication failure information and returns it to the communication path control system 30. Specifically, the communication information output unit 24 may return authentication failure information to the SDN controller 31 described above.

  The operation of the relay system 2 configured as described above will be described with reference to the drawings.

  First, an outline of the operation of the relay system 2 is shown in FIG.

  In FIG. 9, first, the first SDN switch 32 determines whether or not the received communication packet is an LDAP request from the client 91 (step A1).

  If the request is not an LDAP request, the first SDN switch 32 performs other processing in accordance with the flow entry defined for itself (step A2).

  On the other hand, if the request is an LDAP request, the first SDN switch 32 transfers this communication packet to the SDN controller 31 (step A3).

  Next, the SDN controller 31 determines whether or not the transferred communication packet is an LDAP request (step B1).

  If the request is not an LDAP request, the SDN controller 31 performs other processing determined as the SDN controller (step B2).

  On the other hand, if the request is an LDAP request, the SDN controller 31 transfers this communication packet to the communication information control apparatus 20 (step B3).

  Next, when the LDAP request is transferred, the communication information control device 20 performs a process of including the tenant ID in the transferred LDAP request (step D1). As a result, the communication information control device 20 returns an LDAP request including the tenant ID or authentication failure information to the SDN controller 31. Details of this step will be described later.

  Next, the SDN controller 31 determines whether the returned communication packet is an LDAP request or authentication failure information (step B4).

  If the returned communication packet is an LDAP request, the SDN controller 31 transfers this communication packet to the second SDN switch 33 (step B5).

  Then, the second SDN switch 33 transmits the transferred LDAP request to the server 81 (step C1).

  On the other hand, when the returned communication packet is authentication failure information in step B4, the SDN controller 31 returns this communication packet to the first SDN switch 32 (step B6).

  Next, the first SDN switch 32 transmits the returned authentication failure information to the client 91 (step A4).

  Above, description of the outline | summary of operation | movement of the relay system 2 is complete | finished.

  Next, details of the processing of the communication information control apparatus 20 in step D1 are shown in FIGS.

  In FIG. 10, the communication information acquisition unit 21 first receives an LDAP request from the SDN controller 31 (step D11).

  Next, the communication information acquisition unit 21 specifies the transmission source IP address of the LDAP request. The communication information acquisition unit 21 extracts the user ID and password from the LDAP request (step D12).

  Next, the tenant ID registration unit 22 determines whether or not the transmission source IP address of the LDAP request is included in the tenant ID correspondence table (step D13).

  If the source IP address is not included in the tenant ID correspondence table, the tenant ID registration unit 22 performs tenant ID registration processing (step D22). Details of this step will be described later.

  On the other hand, when the transmission source IP address is included in the tenant ID correspondence table, the tenant ID specifying unit 23 acquires the tenant ID associated with the transmission source IP address in the tenant ID correspondence table (step D14).

  Next, the tenant ID specifying unit 23 accesses the LDAP directory service with a privileged account. Then, the tenant ID specifying unit 23 determines whether or not the correspondence relationship between the tenant ID acquired in step D14 and the user information extracted in step D12 is correct (step D15).

  Specifically, as described above, the tenant ID specifying unit 23 includes the user ID extracted in step D12 under the directory in which the tenant ID acquired in step D14 is managed in the LDAP directory tree. What is necessary is just to search whether to do.

  Here, when the correspondence between the target tenant ID and the user information is correct, the tenant ID specifying unit 23 notifies the communication information output unit 24 of the target tenant ID. Then, the communication information output unit 24 includes the notified tenant ID in the LDAP request received in step D11 and returns it to the SDN controller 31 (step D16).

  On the other hand, when the correspondence between the target tenant ID and the user information is not correct, the tenant ID specifying unit 23 determines whether there is another tenant ID corresponding to the user information extracted in step D12 ( Step D17).

  Specifically, as described above, the tenant ID specifying unit 23 accesses the LDAP directory service with a privileged account. Then, the tenant ID specifying unit 23 may search for a tenant ID having information under the corresponding user ID and password in the LDAP directory tree.

  If there is no such other tenant ID, the tenant ID specifying unit 23 notifies the communication information output unit 24 that the tenant ID cannot be specified. Then, the communication information output unit 24 generates authentication failure information and returns it to the SDN controller 31 (step D18).

  On the other hand, when such other tenant ID exists, the tenant ID specifying unit 23 determines whether or not the number of failures recorded for the combination of the target tenant ID and user information satisfies a predetermined condition. (Step D19).

  Specifically, as described above, the tenant ID specifying unit 23 may refer to the failure count recording table and determine whether or not the corresponding failure count exceeds the threshold.

  Here, if the number of failures does not satisfy the predetermined condition, the tenant ID specifying unit 23 adds the number of failures for the combination of the target tenant ID and user information (step D20).

  Specifically, as described above, the tenant ID specifying unit 23 may update by adding 1 to the number of failures recorded for the combination of the target tenant ID and the user in the failure number recording table.

  Then, the tenant ID specifying unit 23 and the communication information output unit 24 execute Step D18 and return authentication failure information to the SDN controller 31.

  On the other hand, if the number of failures satisfies a predetermined condition in step D19, the tenant ID specifying unit 23 resets the number of failures recorded for the combination of the target tenant ID and user information to 0 (step D21).

  Then, the tenant ID specifying unit 23 executes a tenant ID registration process (step D22).

  Next, FIG. 11 shows details of the tenant ID registration process in step D22.

  In FIG. 11, first, the tenant ID registration unit 22 specifies a corresponding tenant ID for the user ID and password extracted from the LDAP request in step D12 (step D31).

  Specifically, as described above, the tenant ID registration unit 22 accesses the LDAP directory service of the server 81 with a privileged account. Then, the tenant ID registration unit 22 may search for a tenant ID having the corresponding user ID and password.

  Here, the case where the tenant ID corresponding to the target user ID and password cannot be specified as a result of the search will be described (No in step D32).

  In this case, the tenant ID registration unit 22 notifies the communication information output unit 24 that the tenant ID cannot be specified. Then, the communication information output unit 24 generates authentication failure information and returns it to the SDN controller 31 (step D33).

  On the other hand, a case where the tenant ID corresponding to the target user ID and password can be specified as a result of the search will be described (Yes in step D32).

  In this case, the tenant ID registration unit 22 associates the transmission source IP address with the identified tenant ID and registers them in the tenant ID correspondence table (step D34).

  At this time, if it is a tenant ID registration process that is called as No in step D13, the tenant ID registration unit 22 registers the corresponding transmission source IP address and tenant ID as a new entry in the tenant ID correspondence table. That's fine. If it is the tenant ID registration process that is called in step D19 because it is determined as Yes, the tenant ID registration unit 22 determines the tenant ID associated with the registered transmission source IP address as the tenant ID identified this time. Update to.

  Next, the tenant ID registration unit 22 notifies the communication information output unit 24 of the identified tenant ID. Then, the communication information output unit 24 includes the tenant ID in the LDAP request and returns it to the SDN controller 31 (step D35).

  Thus, the communication information control apparatus 20 ends the tenant ID registration operation.

  Next, the effect of the second exemplary embodiment of the present invention will be described.

  The relay system according to the second embodiment of the present invention can notify the server of a more appropriate tenant ID without making the user aware of it while reducing the operation cost, machine cost, and search cost.

  The reason will be described. In the present embodiment, when the request is acquired by the communication information acquisition unit, the tenant ID registration unit specifies the tenant ID corresponding to the user information extracted from the request. The tenant ID specifying process is performed by accessing the management information of the multi-tenant service with a privileged account. Then, the tenant ID registration unit registers the correspondence relationship between the transmission source IP address and the tenant ID in the tenant ID correspondence table. Then, when the source IP address of the request is included in the tenant ID correspondence table, the tenant ID specifying unit associates the tenant ID associated with the source IP address and the user information extracted from the request. Check if is correct. This confirmation process is performed by accessing the management information of the multi-tenant service with a privileged account. Then, when it is confirmed that the correspondence relationship is correct, the communication information output unit returns the tenant ID included in the request.

  Furthermore, in the present embodiment, when the correspondence between the tenant ID associated with the transmission source IP address included in the tenant ID correspondence table and the user information extracted from the request is not correct, Configured to work. In other words, the tenant ID specifying unit checks whether there is another tenant ID corresponding to the user information. This confirmation process is performed by accessing the management information of the multi-tenant service with a privileged account. If there is another tenant ID, the tenant ID specifying unit records the number of failures in association with the combination of the tenant ID and user information associated with the transmission source IP address. Then, when the number of failures satisfies a predetermined condition, the tenant ID registration unit specifies again the tenant ID corresponding to the user information extracted from the request. This is because the tenant ID registration unit updates the information associated with the transmission source IP address in the tenant ID correspondence table using the tenant ID newly specified. The process of specifying the tenant ID again is performed by accessing the management information of the multi-tenant service with a privileged account. When there is no such other tenant ID or when the number of failures does not satisfy a predetermined condition, the communication information output unit returns authentication failure information to the SDN controller.

  Thereby, this Embodiment can distinguish the following two cases and can specify more suitable tenant ID.

  The first case is a case where the user of the target tenant ID has mistakenly input the user information included in the request. In other words, this embodiment regards this as the first case when there is no other tenant ID or the number of failures does not satisfy the predetermined condition (does not exceed the threshold). In this case, the present embodiment prompts the user to input correct user information by returning the authentication failure information. As a result, this embodiment determines that the correspondence between the tenant ID and the user information associated with the transmission source IP address is correct for the next request, and is appropriate for the request including the correct user information. Increase the possibility of sending to the server including the tenant ID.

  In the second case, due to a change in the user environment or the like, a certain source IP address was a source of a request from a user of tenant A before, but a tenant B user This is the case when the request source is changed. In this case, the user information extracted from the request corresponds to a tenant ID different from the tenant ID associated with the request source IP address in the tenant ID correspondence table. In other words, in the present embodiment, when there are other tenant IDs and the number of failures satisfies a predetermined condition, the user of the other tenant ID inputs correct user information from the changed transmission source many times. The request is likely to be sent. In this case, in this embodiment, the tenant ID registration process is performed, and the tenant ID corresponding to the transmission source IP address can be updated to a new tenant ID corresponding to the change in the user environment.

  In this way, the present embodiment can allow the user to use the multi-tenant service without making the user aware of the tenant ID. In addition, since the present embodiment is configured to identify the tenant ID based on the identification address of the transmission source, it can cope with an authentication request from outside the gateway of the organization to which each tenant belongs. As a result, the user can use the multi-tenant service without being aware of the tenant ID even when the mobile terminal is used from outside the gateway of the own tenant.

  Further, according to the present embodiment, the tenant ID correspondence table is updated according to changes in the usage environment of the client. For this reason, the present embodiment eliminates the need to apply for usage change to the multi-tenant service provider due to changes in the usage environment of the client, and reduces operational costs.

  In addition, in the present embodiment, it is not necessary for the multi-tenant service provider side to separately manage the customer usage environment. In many cases, the source address on the client side is the address of the customer's gateway. For this reason, in this embodiment, even if the number of users increases, the amount of memory for storing the tenant ID correspondence table does not increase. Therefore, the present embodiment can be realized with low resources without being affected by the increase in the number of users, and does not increase the machine cost. Further, the present embodiment does not increase the search cost for the tenant ID correspondence table without being affected by the increase in the number of users.

  In the present embodiment, the communication information control apparatus may be realized as a function of the SDN controller.

  Further, in the present embodiment, the tenant ID specifying unit performs processing for checking whether or not the correspondence relationship between the tenant ID acquired from the tenant ID correspondence table and the user information extracted from the request is correct as illustrated in FIGS. The example of performing the process shown in FIG. 11 has been described. Not limited to this, the tenant ID specifying unit may confirm whether the correspondence between the tenant ID and the user information extracted from the request is correct by using other methods.

  In the present embodiment, the tenant ID specifying unit is configured so that when the user inputs incorrect user information and when the user of another tenant ID whose user environment has been changed is correct user information. An example in which the number of failures is recorded in order to discriminate from the case where the user is input has been described. Not limited to this, the tenant ID specifying unit may determine these cases using other determination criteria.

  In the present embodiment, a multi-tenant type LDAP directory service has been described as an example of the multi-tenant service. The present embodiment is not limited to this, and can be applied to other multi-tenant services. For example, the present embodiment can be implemented when a multi-tenant application service using a general DBMS (Database Management System) is applied as the multi-tenant service.

  Moreover, in this Embodiment, the communication path control system demonstrated the example comprised by SDN. However, the configuration of the communication path control system is not limited to this. The communication path control system is a system that controls a communication path so that a request from a client representing an authentication request for a multi-tenant service is transferred to a communication information control apparatus, and a request output from the communication information control apparatus is transferred to a server. That's fine.

  In this embodiment, when the tenant ID registration unit operates when the number of failures satisfies a predetermined condition, the tenant ID registration unit assigns the tenant ID associated with the transmission source IP address in the tenant ID correspondence table to the new tenant ID. An example of updating with an ID has been mainly described. Not limited to this, in the present embodiment, when the tenant ID registration unit operates when the number of failures satisfies a predetermined condition, the transmission source IP address and the newly specified tenant ID are displayed in the tenant ID correspondence table. You may add the information which matched. In this case, the tenant ID specifying unit may obtain a plurality of tenant IDs corresponding to the transmission source IP address from the tenant ID correspondence table. In such a case, the tenant ID specifying unit may specify a tenant ID having user information extracted from the request.

  Further, in each of the above-described embodiments of the present invention, the multi-tenant service has been described as operating so that the same user information is not registered even in different tenants. However, the present invention is not limited to this, and each embodiment can cope with the case where the same user information is registered as long as the tenants are different. In this case, the communication information output unit may return information for inquiring the client about the tenant ID.

  Each of the embodiments of the present invention described above can also be applied to a case where user information is encrypted with a predetermined algorithm in the management information of the multi-tenant service. In this case, the tenant ID registration unit and the tenant ID specifying unit may search the management information after encrypting the user information extracted from the request with the same algorithm.

  Further, in each of the above-described embodiments of the present invention, the description has focused on an example in which each functional block of the communication information control device is realized by a CPU that executes a computer program stored in a storage device or ROM. However, the present invention is not limited to this, and some, all, or a combination of each functional block may be realized by dedicated hardware.

  Further, in each of the embodiments of the present invention described above, the functional blocks of the communication information control apparatus may be realized by being distributed among a plurality of apparatuses.

  In each embodiment of the present invention described above, the operation of the communication information control apparatus described with reference to each flowchart is stored in a storage device (storage medium) of a computer as a computer program of the present invention. Then, the computer program may be read and executed by the CPU. In such a case, the present invention is constituted by the code of the computer program or a storage medium.

  Moreover, each embodiment mentioned above can be implemented in combination as appropriate.

  The present invention is not limited to the above-described embodiments, and can be implemented in various modes.

DESCRIPTION OF SYMBOLS 10, 20 Communication information control apparatus 11, 21 Communication information acquisition part 12, 22 Tenant ID registration part 13, 23 Tenant ID specific part 14, 24 Communication information output part 2 Relay system 30 Communication path control system 31 SDN controller 32 1st SDN switch 33 Second SDN switch 80, 81 Server 90, 91 Client 1001 CPU
1002 Memory 1003 Output device 1004 Input device 1005 Network interface

Claims (9)

A communication information control apparatus that controls information transmitted and received between a server that provides a multi-tenant service to users registered for each tenant and a client that uses the multi-tenant service,
A communication information acquisition unit for acquiring a request representing an authentication request for the multi-tenant service transmitted from the client to the server;
When the identification address of the transmission source of the request is not included in the tenant ID correspondence table, the tenant ID corresponding to the user information extracted from the request is obtained by referring to the management information of the multi-tenant service in the server. A tenant ID registration unit that identifies and registers the identified tenant ID and the identification address of the transmission source in association with the tenant ID correspondence table;
When the transmission source identification address is included in the tenant ID correspondence table, a tenant ID identification unit that identifies a tenant ID associated with the transmission source identification address in the tenant ID correspondence table;
A communication information output unit that includes the tenant ID specified by the tenant ID registration unit or the tenant ID specifying unit in the request and outputs the request as a request for the multi-tenant service;
A communication information control apparatus comprising:   When the transmission source identification address is included in the tenant ID correspondence table, the tenant ID specifying unit, between the tenant ID associated with the transmission source identification address and the user information in the tenant ID correspondence table The communication information control apparatus according to claim 1, wherein whether or not the correspondence relationship is correct is determined by referring to the management information, and when it is determined that the correspondence is correct, the tenant ID is specified.   When the tenant ID specifying unit determines that the correspondence between the tenant ID associated with the identification address of the transmission source in the tenant ID correspondence table and the user information is not correct, the communication information output unit 3. The communication information control apparatus according to claim 2, wherein authentication failure information for return to the transmission source is output.   When the tenant ID specifying unit determines that the correspondence between the tenant ID associated with the identification address of the transmission source in the tenant ID correspondence table and the user information is not correct, the tenant ID registration unit 4. The tenant ID corresponding to the user information is identified by referring to the management information, and the tenant ID correspondence table is updated using the identified tenant ID. The communication information control device described in 1. The tenant ID specifying unit determines the number of failures determined that the correspondence between the tenant ID associated with the identification address of the transmission source and the user information in the tenant ID correspondence table is incorrect and the tenant ID and the tenant ID Record for each combination of user information,
The tenant ID registration unit identifies a tenant ID corresponding to the user information by referring to the management information when the number of failures satisfies a predetermined condition, and uses the identified tenant ID to identify the tenant ID 5. The communication information control apparatus according to claim 4, wherein the correspondence table is updated.   When the tenant ID specifying unit determines that the correspondence between the tenant ID associated with the identification address of the transmission source in the tenant ID correspondence table and the user information is not correct, It is determined by referring to the management information whether there is another tenant ID whose correspondence is correct, and when it is determined that there is another tenant ID, the number of failures is recorded. Item 6. The communication information control device according to Item 5. The communication information control device according to any one of claims 1 to 6,
When a request representing an authentication request for the multi-tenant service is received from the client, the request including the tenant ID is received from the communication information control device by transferring the request to the communication information control device. A communication path control system for transmitting to the server;
A relay system with A communication information control method for controlling information transmitted and received between a server that provides a multi-tenant service to a registered user for each tenant and a client that uses the multi-tenant service,
When obtaining a request representing an authentication request for the multi-tenant service transmitted from the client to the server,
When the identification address of the transmission source of the request is not included in the tenant ID correspondence table, the tenant ID corresponding to the user information extracted from the request is obtained by referring to the management information of the multi-tenant service in the server. Identify and register the identified tenant ID and the identification address of the transmission source in association with the tenant ID correspondence table,
When the identification address of the transmission source is included in the tenant ID correspondence table, the tenant ID associated with the identification address of the transmission source in the tenant ID correspondence table is specified,
A communication information control method for including a specified tenant ID in the request and outputting the request as a request for the multi-tenant service. To a communication information control device that controls information transmitted and received between a server that provides a multi-tenant service to users registered for each tenant and a client that uses the multi-tenant service,
A communication information acquisition step of acquiring a request representing an authentication request for the multi-tenant service transmitted from the client to the server;
When the identification address of the transmission source of the request is not included in the tenant ID correspondence table, the tenant ID corresponding to the user information extracted from the request is obtained by referring to the management information of the multi-tenant service in the server. A tenant ID registration step for identifying and registering the identified tenant ID and the identification address of the transmission source in association with the tenant ID correspondence table;
If the transmission source identification address is included in the tenant ID correspondence table, a tenant ID identification step of identifying a tenant ID associated with the transmission source identification address in the tenant ID correspondence table;
A communication information output step of including the tenant ID specified in the tenant ID registration step or the tenant ID specifying step in the request and outputting the request as a request for the multi-tenant service;
Communication information control program for executing

Images