CN102413135B - Strong expansion network grid SaaS access control method - Google Patents


Info

Publication number: CN102413135B
Authority: CN (China)
Prior art keywords: user, grid, tenant, access control, saas
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Application number: CN201110366284.2A
Other languages: Chinese (zh)
Other versions: CN102413135A (en)
Inventors: 唐雪飞 (Tang Xuefei), 陈科 (Chen Ke), 郭一錡 (Guo Yiqi), 胡茂秋 (Hu Maoqiu)
Current assignee: CHENGDU COMSYS INFORMATION TECHNOLOGY Co Ltd
Original assignee: CHENGDU COMSYS INFORMATION TECHNOLOGY Co Ltd
Priority date and filing date: 2011-11-17 (application CN201110366284.2A, filed by CHENGDU COMSYS INFORMATION TECHNOLOGY Co Ltd)
Publication of CN102413135A: 2012-04-11
Grant and publication of CN102413135B: 2015-01-21


Abstract

The invention discloses a highly extensible ("strong expansion") network-grid access control method for SaaS (software as a service). Using a metadata network grid held on an LDAP directory server (spelled "LDARP" in the original), it performs entry authentication of a specific user against a specific tenant; each tenant then uses its personalised, customised service to complete the secure access policy for its own database. When several tenants create a shared resource, this is fed back to the metadata network grid, which assembles a new shared-resource grid cell. Invalid users are blocked by grid shielding (their cell is marked as banned), and the operations tied to a tenant's validity period are maintained through grid cancellation and grid marking. The invention is mainly used for secure access control on a SaaS interconnected software service platform; it is efficient and loosely coupled, and provides a security guarantee for the whole SaaS platform.

Description

Strong expansion network grid SaaS access control method
Technical field
The invention belongs to the field of internet software service platforms, SaaS (software as a service), and specifically relates to a highly extensible network-grid SaaS access control method (the "strong expansion network grid" method of the title).
Background art
As the Internet has developed, network bandwidth has gradually become able to meet users' needs for multimedia and bulk file transfer, and distributed database technology has matured; cloud computing in particular has posed new challenges and new ideas to traditional software vendors.
Traditional software vendors roughly divide their work into development, sales and deployment, and generally deploy their own software on specific servers. The new software concept, SaaS (software as a service), lets a software vendor rent out its products: the software is deployed on a SaaS cloud computing platform by the customer that rents it, and the software's users log in to the platform and click on the application service they need.
Because the software is no longer deployed on servers at a specific site, and the main user experience of a SaaS platform is personalised customisation, the data storage structure naturally differs greatly from that of a traditional software database.
Information storage is divided mainly into metadata storage (MetaData DB) and tenant database storage. The metadata store holds the mapping from a specific tenant to the database it uses, so that a logged-in user can reach it quickly. The tenant database holds the business objects themselves, such as product information and customer information.
From this brief introduction it follows that a suitable secure access control mechanism for the SaaS platform is necessary. It must mainly ensure that users of different tenants do not interfere with one another when locating their databases, prevent unauthorised users from entering tenant services they are not permitted to use, and also provide a secure access control mechanism for each tenant database.
Since the advent of computers and the Internet, access control has been the policy on which database security relies. With the development of cloud computing, the software market will change a great deal: traditionally deployed, fixed software will be transformed into rented software published on platforms that support SaaS, and the "software supermarket" model emerges.
The traditional database secure-access policies must therefore be adjusted accordingly to cope with the complex characteristics of the "software supermarket".
Summary of the invention
To overcome the above shortcomings of the prior art, the invention provides a highly extensible network-grid SaaS access control method. A metadata network grid deployed on an LDAP directory server ("LDARP" in the original) performs portal authentication of a specific user against a specific tenant; each tenant then uses its personalised service to complete the secure access policy for its database. Further, when several tenants create a shared resource, the information is fed back to the metadata network grid, which assembles a new shared-resource cell. Invalid users are blocked by grid shielding, and the operations tied to a tenant's validity period are maintained by grid cancellation and grid marking. The invention is mainly used for secure access control on a SaaS interconnected software service platform; it is efficient and loosely coupled, and provides a security guarantee for the whole SaaS platform.
The technical solution adopted by the invention to solve the technical problem is a highly extensible network-grid SaaS access control method comprising the following steps:
Step 1: the metadata store maintains a virtual network grid that identifies tenant and user information;
Step 2: when a tenant completes licensing on the SaaS platform, the metadata store initialises the virtual network grid for that tenant;
Step 3: when a user accesses the SaaS platform and looks for the corresponding service, the network grid controls the user's access;
Step 4: after the user has been permitted by the metadata store, access to each tenant's database is supervised by a mainstream access control policy;
Step 5: when a user accesses a shared data resource, the network-grid entry identifying the shared data resource is started directly and the user enters the shared-resource database.
The virtual network grid takes the form of a two-dimensional plane grid recorded by numbers in four quadrants. Specifically: the marker GridT.A corresponding to the first tenant tenantA lies in the first quadrant of the plane, with one vertex at the origin and a side length of 1 unit, and its reference number is (0.5, 0.5); the marker GridT.B corresponding to the second tenant tenantB extends in the positive X direction, also with side length 1, and its reference number is (1.5, 0.5); and so on.
The initialisation in step 2 comprises two stages. The first stage is the primary-grid initialisation for the tenant: the network cell corresponding to the tenant database is identified as GridT, and the tenant issues a first identifier and a second identifier to the user. The second stage is the secondary-grid initialisation for the user.
The access control process in step 3 is as follows. First, the metadata store obtains the first identifier from the user's login information; if it is correct, the state of the network cell corresponding to the tenant database changes to open, and the user is allowed to reach that tenant's database entry. Then the network grid uses the secondary grid for the next comparison: if the second identifier is correct, the secondary cell is opened for the user, and the user begins to access that tenant's database.
The mainstream access control policies comprise discretionary access control, mandatory access control and role-based access control.
The metadata store uses GridT.sign.(a,b) to identify the entry of a shared data resource. If the user's information carries both MarkUser.A and MarkUser.B, GridT.sign.(a,b) is opened for the user, and the user can access the shared database DataSpace(A,B) directly.
Compared with the prior art, the invention has the following beneficial effects. Through the access structure of metadata server plus tenant databases, the users of each tenant can quickly find their own data resources; to this end the metadata server sets up a virtual network grid, which makes it convenient to control the access of many users to the tenant databases. The grid is highly extensible while also covering the control of shared resources, has a long service life and is simple to maintain. With low consumption of network and hardware resources and low maintenance, the invention completes secure access control of the metadata and tenant databases under a SaaS platform; it can be deployed on SaaS platforms on current networks and become the secure access control pattern for the new software business trend.
Description of the drawings
Embodiments of the invention are described with reference to the accompanying drawings, in which:
Fig. 1 is a schematic diagram of the metadata network grid structure;
Fig. 2 is a schematic diagram of the tenant-level grid and the secondary grid structure;
Fig. 3 is a schematic diagram of the extended grid structure for shared data.
Embodiment
A highly extensible network-grid SaaS access control method comprises the following steps:
Step 1: the metadata store maintains a virtual network grid that identifies tenant information and user information:
On the LDAP directory server that stores the metadata, a virtual network grid is maintained as a graph array represented by a character matrix. Each cell represents the unique information of one tenant database and can be regarded as a virtual entry for that tenant, denoted GridT. Within each GridT, the users belonging to that tenant are identified again, in grid form, as a secondary grid denoted GridUser; the concrete structure is shown in Fig. 1.
The virtual network grid maintained in the metadata store takes the form of a two-dimensional plane grid, recorded by numbers in four quadrants. Specifically: GridT.A, corresponding to the first tenant tenantA, lies in the first quadrant of the plane with one vertex at the origin and a side length of 1 unit; its reference number is (0.5, 0.5), the coordinates of the square's centre. GridT.B, corresponding to the second tenant tenantB, extends in the positive X direction, again with side length 1, and its reference number is (1.5, 0.5); and so on. With this design the network grid can be held in computer memory and located directly. The design is also highly extensible, to keep pace with the growth of the SaaS software supermarket.
Step 2: when a tenant completes licensing on the SaaS platform, the metadata store initialises the virtual network grid for that tenant:
The initialisation of the network grid comprises two stages: the first stage is the primary-grid initialisation for the tenant, the second stage is the grid initialisation for the user. Specifically:
In the first stage, when tenant tenantA obtains usage rights on the SaaS platform, an idle cell in the virtual network grid on the metadata server is marked for it: GridT.A. When user User.no.a has been granted the right to log in to the SaaS platform and belongs to tenantA, the user may select the software service they wish to obtain; at this point user User.no.a receives two identifiers issued by tenantA: the first identifier MarkUser.A and the second identifier NoteUser.a.
In the second stage, GridT.A establishes a secondary grid for its users, denoted SubGrid.User.a, and an idle cell in GridT.A's secondary grid is used to identify user User.no.a. The purpose of this identifier is to guarantee that this user belongs to tenantA.
Following these steps, one cell of the virtual network grid is set up for each tenant, each cell sets up its own secondary grid, and a very large honeycomb grid is built up in the metadata server, as shown in Fig. 2.
Step 3: when a user accesses the SaaS platform and looks for the service provided by the corresponding tenant, the network grid controls the user's access:
After the user logs in to the SaaS platform and accesses the metadata server, the metadata server retrieves the network grid data and compares it with the user's information.
While the metadata server maintains the network grid, each cell is in one of three states: unopened, open, or ban (access prohibited).
The established virtual network grid controls the user's access to the metadata store. First, the metadata store obtains the first identifier MarkUser.A from the user's login information; if it is correct, the state of GridT.A changes from unopened to open, and the user is allowed to reach the database entry of tenantA. If the login information instead carries MarkUser.B, the cell opened for the user is GridT.B. This policy prevents cross-tenant unauthorised access among many tenants. Then the network grid uses the secondary grid for the next comparison: if the second identifier NoteUser.a (the user's own information) is correct, the secondary cell SubGrid.User.a is opened for the user, and the user begins to access tenantA's database.
Secondly, at both the metadata-level and the tenant-level security control, when an invalid user appears the cell is marked into the ban state; once the relevant program has checked the cell's state it invokes closure of the database entry, preventing the invalid user's access. When a tenant is no longer resident on the SaaS platform, its corresponding cell GridT is cancelled and returned to the uninitialised state, for use by newly added tenants.
Step 4: after the user has been permitted by the metadata store, access to each tenant's database is supervised by a mainstream access control policy:
First, from the characteristics of SaaS, the platform can be understood as a software supermarket. Software categories and application areas therefore vary enormously, and what concerns us here is that different application software requires different levels of data security. For example, the database security grade required by entertainment software is much lower than that required by financial-processing software. If the same data security grade were applied to every tenant, the overhead of the whole system would be very large.
Therefore, in managing each tenant database, the following three access mechanisms can be adopted flexibly to realise access control:
Discretionary Access Control (DAC): access is granted according to the correspondence between user identity and working group; its security level is lower.
Mandatory Access Control (MAC): every access subject and object is classified and assigned a trust level, and access then follows the "write up" and "read down" rules. Its security level is higher, but it is less flexible.
Role-Based Access Control (RBAC): each user is given a user ID, the system defines a number of "roles", and operating permissions on the data are divided by role. Once a user is assigned a role, the user's access rights are thereby set.
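As an added example (not the patent's own code), the three mechanisms of step 4 implemented as interchangeable checks on a tenant database, with the per-tenant policy choice the passage argues for: an entertainment tenant on DAC, a financial tenant on MAC, a CRM tenant on RBAC. The data model, the sample tenant names, the Level names and the role table are assumptions made for this example; the "read down, write up" direction for MAC is the Bell-LaPadula rule the text refers to, and an unknown tenant or policy is denied.

```python
"""Per-tenant DAC / MAC / RBAC checks for a tenant database (added example, not the patent's code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """MAC trust levels and classifications, lowest to highest (assumed names)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


@dataclass(frozen=True)
class Subject:
    uid: str
    groups: frozenset[str] = frozenset()     # DAC working groups
    clearance: Level = Level.PUBLIC          # MAC trust level
    roles: frozenset[str] = frozenset()      # RBAC roles


@dataclass
class DataObject:
    name: str
    acl: dict[str, set[str]] = field(default_factory=dict)  # DAC: principal -> allowed ops
    label: Level = Level.PUBLIC                              # MAC classification


def dac_allows(s: Subject, o: DataObject, op: str) -> bool:
    """Discretionary: the user's identity or one of its working groups is in the object's ACL."""
    return any(op in o.acl.get(p, set()) for p in {s.uid, *s.groups})


def mac_allows(s: Subject, o: DataObject, op: str) -> bool:
    """Mandatory (Bell-LaPadula): read down only (no read up), write up only (no write down)."""
    if op == "read":
        return s.clearance >= o.label
    if op == "write":
        return s.clearance <= o.label
    return False


def rbac_allows(s: Subject, o: DataObject, op: str,
                role_perms: dict[str, dict[str, set[str]]]) -> bool:
    """Role-based: some role held by the subject grants op on the named object."""
    return any(op in role_perms.get(r, {}).get(o.name, set()) for r in s.roles)


# Assumed per-tenant configuration: the security grade follows the application's
# needs, so the entertainment tenant runs DAC and the financial tenant runs MAC.
TENANT_POLICY = {"tenantGames": "DAC", "tenantFinance": "MAC", "tenantCRM": "RBAC"}
ROLE_PERMS = {"tenantCRM": {"sales": {"customers": {"read"}},
                            "admin": {"customers": {"read", "write"}}}}


def tenant_db_allows(tenant: str, s: Subject, o: DataObject, op: str) -> bool:
    """Dispatch to the policy configured for this tenant's database; deny if none."""
    policy = TENANT_POLICY.get(tenant)
    if policy == "DAC":
        return dac_allows(s, o, op)
    if policy == "MAC":
        return mac_allows(s, o, op)
    if policy == "RBAC":
        return rbac_allows(s, o, op, ROLE_PERMS.get(tenant, {}))
    return False
```

The MAC branch is the one worth checking against the text: a subject cleared INTERNAL may write into a CONFIDENTIAL object ("write up") and read a PUBLIC one ("read down"), but may neither read the CONFIDENTIAL object nor write into the PUBLIC one.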
Step 5: when a user accesses a shared data resource, the network-grid entry identifying the shared data resource is started directly and the user enters the shared-resource database. The metadata store sets up a special marker cell GridT.sign.(a,b) for the data resource shared between tenants; if the user's information carries both MarkUser.A and MarkUser.B, GridT.sign.(a,b) is opened for the user, and the user can access the shared database DataSpace(A,B) directly.
From the description of the network grid, the virtual grid chart in the metadata server performs strict entry control for each tenant. But the technical background of SaaS shows that one situation may well arise: tenantA and tenantB share some resources, and to keep the database design economical it is necessary to maintain some shared databases. For ease of operation, a user should not have to enter tenantA's database, find the shared resource, then leave tenantA's database and enter the shared database: that flow is too cumbersome, hard to manage, and wasteful of resources.
We therefore need the extended network grid design pattern. The concrete structure is shown in Fig. 3: GridT.A carries the marker sign.a and GridT.B carries the marker sign.b. When tenantA and tenantB have a shared resource, it is stored in the shared database tenant(A,B); the space opened up for this shared resource there is DataSpace(A,B), and an unmarked cell on the virtual network grid is used to identify the entry to DataSpace(A,B), denoted sign.(a,b).
On the SaaS platform, after the user logs in, if the service to be used involves the shared data resource of tenantA and tenantB, the user's information is compared against the cell markers of tenantA and tenantB on the virtual network grid maintained by the metadata server; if it matches, the user jumps directly to cell sign.(a,b) and then accesses DataSpace(A,B).
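The five steps above (and the same procedure as set out in the summary), as an added example that is not part of the patent: a Python model of the metadata grid. The names GridT, SubGrid, MarkUser.<tenant>, NoteUser.<user>, sign.(a,b), DataSpace(A,B) and the states unopened/open/ban are the patent's; the Python API, the single-row growth of cells along +X, banning at the granularity of the offending user's secondary cell (with a separate call to close a whole tenant entry), and dropping shared markers when a tenant is cancelled are assumptions of this example. Both identifiers are taken from the server-side login record, since the text says they are obtained from the login information, not from a free-form client field.

```python
"""Two-level metadata grid for SaaS entry control (added example, not the patent's code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    UNOPENED = "unopened"
    OPEN = "open"
    BAN = "ban"


@dataclass
class Cell:
    tenant: str | None = None                              # None: uninitialised (free) cell
    state: State = State.UNOPENED                          # GridT state
    users: dict[str, State] = field(default_factory=dict)  # SubGrid: NoteUser.x -> state


class MetadataGrid:
    def __init__(self) -> None:
        self.cells: list[Cell] = []
        self.shared: dict[frozenset[str], State] = {}     # sign.(a,b) -> state

    def _cell(self, tenant: str) -> Cell | None:
        return next((c for c in self.cells if c.tenant == tenant), None)

    # Steps 1-2, stage 1: a licensed tenant takes the first free cell. Cells of side 1
    # lie along +X in the first quadrant, so cell i has reference number (i + 0.5, 0.5).
    # Growth beyond one row is not specified by the text (assumption: keep extending +X).
    def init_tenant(self, tenant: str) -> tuple[float, float]:
        if self._cell(tenant) is not None:
            raise ValueError(f"GridT.{tenant} already initialised")
        for i, c in enumerate(self.cells):
            if c.tenant is None:
                self.cells[i] = Cell(tenant=tenant)
                return (i + 0.5, 0.5)
        self.cells.append(Cell(tenant=tenant))
        return (len(self.cells) - 0.5, 0.5)

    # Step 2, stage 2: the tenant issues MarkUser.<tenant> and NoteUser.<user>,
    # and the user gets an unopened secondary cell under that tenant.
    def enrol_user(self, tenant: str, user: str) -> tuple[str, str]:
        c = self._cell(tenant)
        if c is None:
            raise KeyError(f"GridT.{tenant} not initialised")
        note = f"NoteUser.{user}"
        c.users[note] = State.UNOPENED
        return (f"MarkUser.{tenant}", note)

    # Step 3: compare the tenant mark first, then the user note. A note that is not
    # in this tenant's SubGrid is a cross-tenant attempt and is refused.
    def authorise(self, mark: str, note: str) -> bool:
        prefix = "MarkUser."
        c = self._cell(mark[len(prefix):]) if mark.startswith(prefix) else None
        if c is None or c.state is State.BAN:
            return False                          # unknown tenant or closed entry
        if c.users.get(note, State.BAN) is State.BAN:
            return False                          # unknown or banned user
        c.state = State.OPEN                      # GridT: unopened -> open
        c.users[note] = State.OPEN                # SubGrid.User opened for this user
        return True

    # Grid shielding for invalid users: per user here (assumption); a whole tenant
    # entry is closed with ban_tenant, and a program seeing BAN closes the DB entry.
    def ban_user(self, tenant: str, note: str) -> None:
        c = self._cell(tenant)
        if c is not None and note in c.users:
            c.users[note] = State.BAN

    def ban_tenant(self, tenant: str) -> None:
        c = self._cell(tenant)
        if c is not None:
            c.state = State.BAN

    # Tenant no longer resident: its cell returns to the uninitialised state for
    # reuse, and shared markers that involve it are dropped (assumption).
    def cancel_tenant(self, tenant: str) -> None:
        self.cells = [Cell() if c.tenant == tenant else c for c in self.cells]
        self.shared = {k: v for k, v in self.shared.items() if tenant not in k}

    # Step 5: sign.(a,b) marks the entry of DataSpace(A,B); it opens only for a
    # user whose information carries both MarkUser.A and MarkUser.B.
    def init_shared(self, a: str, b: str) -> None:
        if self._cell(a) is None or self._cell(b) is None:
            raise KeyError("both tenants must hold a GridT cell")
        self.shared[frozenset((a, b))] = State.UNOPENED

    def authorise_shared(self, marks: set[str], a: str, b: str) -> str | None:
        key = frozenset((a, b))
        if self.shared.get(key, State.BAN) is State.BAN:
            return None
        if not {f"MarkUser.{a}", f"MarkUser.{b}"} <= marks:
            return None
        self.shared[key] = State.OPEN
        return f"DataSpace({a},{b})"
```

Calling init_tenant("A") and then init_tenant("B") on a fresh grid returns the reference numbers (0.5, 0.5) and (1.5, 0.5) from the text; a note enrolled under tenantA does not open GridT.B even when presented together with MarkUser.B, which is the cross-tenant isolation step 3 is about; and a cancelled tenant's cell is the first one reused by the next licensed tenant.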

Claims (6)

1. A highly extensible network-grid SaaS access control method, characterised in that it comprises the following steps:
Step 1: the metadata store maintains a virtual network grid that identifies tenant and user information;
Step 2: when a tenant completes licensing on the SaaS platform, the metadata store initialises the virtual network grid for that tenant;
Step 3: when a user accesses the SaaS platform and looks for the service provided by the corresponding tenant, the network grid controls the user's access;
Step 4: after the user has been permitted by the metadata store, access to each tenant's database is supervised by a mainstream access control policy;
Step 5: when a user accesses a shared data resource, the network-grid entry identifying the shared data resource is started directly and the user enters the shared-resource database.
2. The method according to claim 1, characterised in that the virtual network grid takes the form of a two-dimensional plane grid recorded by numbers in four quadrants. Specifically: the marker GridT.A corresponding to the first tenant lies in the first quadrant of the plane, with one vertex at the origin and a side length of 1 unit, and its reference number is (0.5, 0.5); the marker GridT.B corresponding to the second tenant extends in the positive X direction, also with side length 1, and its reference number is (1.5, 0.5); and so on.
3. The method according to claim 1, characterised in that the initialisation in step 2 comprises two stages: the first stage is the primary-grid initialisation for the tenant, in which the network cell corresponding to the tenant database is identified as GridT and the tenant issues a first identifier and a second identifier to the user; the second stage is the secondary-grid initialisation for the user.
4. The method according to claim 1, characterised in that the access control process in step 3 is as follows: first, the metadata store obtains the first identifier from the user's login information; if it is correct, the state of the network cell corresponding to the tenant database changes to open, and the user is allowed to reach that tenant's database entry; then the network grid uses the secondary grid for the next comparison, and if the second identifier is correct the secondary cell is opened for the user, who begins to access that tenant's database. Secondly, at both the metadata-level and the tenant-level security control, when an invalid user appears the cell is marked into the prohibited (ban) state, so that once the relevant program has checked the cell's state it invokes closure of the database entry, preventing the invalid user's access; when a tenant is no longer resident on the SaaS platform, its corresponding cell is cancelled and returned to the uninitialised state for use by newly added tenants.
5. The method according to claim 1, characterised in that the mainstream access control policies comprise discretionary access control, mandatory access control and role-based access control.
6. The method according to claim 1, characterised in that the metadata store uses GridT.sign.(a,b) to identify the entry of a shared data resource; if the user's information carries both MarkUser.A and MarkUser.B, GridT.sign.(a,b) is opened for the user, and the user can access the shared database DataSpace(A,B) directly;
wherein GridT.sign.(a,b) means the special marker cell that the metadata store sets up for the data resource shared between tenants, that is, the entry the metadata store uses to identify the shared data resource;
MarkUser.A and MarkUser.B are intermediate variables, where MarkUser.A specifically means: when user User.no.a has been granted the right to log in to the SaaS platform and belongs to tenantA, the user may select the software service they wish to obtain, and at this point user User.no.a receives two identifiers issued by tenantA: the first identifier MarkUser.A and the second identifier NoteUser.a;
DataSpace(A,B) means the shared database: if the user's information carries both MarkUser.A and MarkUser.B, GridT.sign.(a,b) is opened for the user, and the user can access the shared database DataSpace(A,B) directly.

Priority application

CN201110366284.2A, priority date 2011-11-17, filing date 2011-11-17: Strong expansion network grid SaaS access control method (Active)

Publications (2)

Publication number, publication date
CN102413135A: 2012-04-11
CN102413135B (granted): 2015-01-21

Family

ID: 45914985; one family application, CN201110366284.2A; country status: CN, CN102413135B

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103414705B (en) * 2013-07-30 2016-03-02 电子科技大学 A kind of mobile internet heterogeneous database exchange method based on SAAS pattern
CN112311804B (en) * 2020-11-06 2021-08-24 东北大学 Multi-tenant service resource dynamic access authorization and authentication system and method

Citations (3)

Publication number Priority date Publication date Assignee Title
CN101639770A (en) * 2008-07-30 2010-02-03 国际商业机器公司 System and method for supporting multi-tenant separation/multi-tenant customization in JVM
CN101777047A (en) * 2009-01-08 2010-07-14 国际商业机器公司 System, equipment and method for accessing database under multiple-tenant environment
CN101996214A (en) * 2009-08-27 2011-03-30 国际商业机器公司 Method and device for processing database operation request

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US10007767B1 (en) * 2007-12-21 2018-06-26 EMC IP Holding Company LLC System and method for securing tenant data on a local appliance prior to delivery to a SaaS data center hosted application service


Legal Events

Code: Title (details)
C06: Publication
PB01: Publication
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
C53: Correction of patent for invention or patent application
CB02: Change of applicant information
    Address after: 610054 Information Industry Building, 159 East Ring Road, Chenghua District, Chengdu, Sichuan
    Applicant after: Chengdu Comsys Information Technology Co., Ltd.
    Address before: 610054 Information Industry Building, 159 East Ring Road, Chenghua District, Chengdu, Sichuan
    Applicant before: Uestc Comsys Information Co., Ltd.
CB03: Change of inventor or designer information
    Inventors after: Tang Xuefei, Chen Ke, Guo Yiqi, Hu Maoqiu
    Inventors before: Tang Xuefei, Chen Ke, Guo Yiqi
COR: Change of bibliographic data
    Free format text: CORRECT: INVENTOR; FROM: TANG XUEFEI CHEN KE GUO YI TO: TANG XUEFEI CHEN KE GUO YI HU MAOQIU
    Free format text: CORRECT: APPLICANT; FROM: CHENGDU KANGSAI INFORMATION TECHNOLOGY CO., LTD. OF UESTC TO: CHENGDU COMSYS INFORMATION TECHNOLOGY CO., LTD.
C14: Grant of patent or utility model
GR01: Patent grant