A data permission control method and system for the cloud computing multi-tenant model
Technical field
The invention belongs to the technical field of cloud computing multi-tenancy, and in particular relates to a data permission control method and system for the cloud computing multi-tenant model.
Background technology
Cloud computing multi-tenancy is a software architecture technique that studies and implements how one system or program component can be shared among many tenants, ensuring isolation of data between tenants while still meeting each tenant's individual requirements.
One key problem of multi-tenancy is how to handle the individual requirements of different tenants; among these, the personalization of rights management is particularly important.
In a traditional enterprise information system, rights management is a fundamental and critical part. Permissions fall into two kinds:
1) function permissions; 2) data permissions. A function permission controls which functions of the system may be used; a data permission controls whether particular data in the system may be accessed and operated on. Once a system is developed its set of functions is fixed, so function permission control is explicit and static. Data permissions are different: while the system runs after development it produces a large amount of data, all of which must be controlled, so data permissions are dynamic and highly complex.
In enterprise information systems, data permissions are usually managed in one of two ways:
The first common method is to hard-code the permission decision. For example, if a generated expense report may be viewed by its applicant and by the financial executive, the logic that decides whether an expense report can be viewed reads, in pseudocode, as follows:
The second uses an access control list (ACL): the system establishes a permission binding between every data record and a control subject (such as a user), so that when deciding whether a record may be accessed, the corresponding permission is looked up in the binding information and access to the record is controlled accordingly.
For example, controlling the expense reports of the example above with an ACL produces the following permission bindings:
Control object                  | Control subject     | Permission
The expense report of Zhang San | Zhang San           | can view
The expense report of Zhang San | Financial executive | can view, can delete, can manage
The expense report of Li Si     | Li Si               | can view
The expense report of Li Si     | Financial executive | can view, can delete, can manage
When deciding who can read Zhang San's expense report, the bindings yield two subjects who can view it, Zhang San and the financial executive. When deciding who can delete Zhang San's expense report, the bindings yield only the financial executive.
The first method is used frequently in enterprise information management systems, but it cannot support the individual rights-management requirements of different tenants under the multi-tenant model. For example, tenant A uses the rule "a generated expense report may be viewed by its applicant and by the financial executive", while tenant B uses the rule "a generated expense report may be viewed by its applicant and by the financial staff". Tenant A's permission control code is then as follows:
And tenant B's permission control code is as follows:
If the individual rights-management requirements of tenant A and tenant B are handled in one place, the permission control code becomes:
If this approach is followed, the permission control code must be modified every time the number of tenants grows, so the approach is infeasible: each added tenant requires a corresponding new section of code, the number of tenants changes dynamically, and having to change code whenever a tenant changes is unacceptable.
The second method, the ACL, has finer control granularity, can control any kind of business data, and can also support the cloud computing multi-tenant model. But it has an inherent drawback: whenever a change or deletion occurs, the permission bindings must be modified or deleted too. Take expense report data: if the system holds 10,000 records and the financial executive is replaced, the permission bindings of all 10,000 records must be updated, which makes data updates inefficient.
At the same time, enterprise information management systems contain very complex permission situations that are hard to handle with an ACL. Take the rule "a department manager can view the expense reports of the members of the department and of all its sub-departments": with an ACL, every newly generated expense report produces the following list of permission bindings:
As can be seen, this rule requires permission bindings to be generated according to the organizational structure. Adding one expense report record generates N permission bindings, and the modification and deletion problem remains: once Zhang San's expense report is deleted, every permission binding related to it must be deleted as well, which makes data update operations very costly.
The content of the invention
The object of the invention is to provide a data permission control method and system for the cloud computing multi-tenant model that not only supports the multi-tenant model but also solves the problems of the prior art: time-consuming database operations and permission management that is large, complex and hard to handle.
To achieve this object, the technical solution adopted by the invention is as follows:
A data permission control method for the cloud computing multi-tenant model, comprising:
binding mutually corresponding tenant identity information, data type information and permission control policy service classes, so that from the tenant identity information, the identity information of a user belonging to that tenant and the data type information, the permission control policy service class can yield the operating permissions that user has for that data type;
obtaining the data type information of the data a user wants to operate on, and looking up the corresponding permission control policy service class by combining it with the user's identity information and the identity information of the tenant the user belongs to;
obtaining, according to the permission control policy service class found, the user's operating permissions for that data type.
Further, the binding of mutually corresponding tenant identity information, data type information and permission control policy service class is embodied by generating one type permission binding record that expresses the relationship among the three.
Further, when binding mutually corresponding tenant identity information, data type information and permission control policy service classes, one data type may be bound to one or more permission control policy service classes.
Further, when a data type is bound to a single permission control policy service class, obtaining the user's operating permissions for the data type according to the permission control policy service class found means executing that class directly and taking its result as the operating permissions;
when a data type is bound to multiple permission control policy service classes, obtaining the user's operating permissions for the data type according to the permission control policy service classes found means executing each class found, combining their results according to the logical AND, logical OR and logical NOT relations defined between the classes, and deciding from the combined result whether the user has the requested operating permission for the data type.
Further, after the corresponding permission control policy service class is found, it is also stored in a tenant type permission binding cache so that it can be read directly from the cache next time.
A data permission control system for the cloud computing multi-tenant model, comprising:
a data type database for storing all data type information;
a permission policy database for storing permission control policy service classes, each of which covers bound tenant identity information, user identity information, data type information corresponding to that user identity information, and the control permission information corresponding to that data type;
a type permission binding database for storing type permission binding records, each of which comprises tenant identity information, data type information and a permission control policy service class bound together;
a data binder for binding mutually corresponding tenant identity information, data type information and permission control policy service classes into type permission binding records and storing them in the type permission binding database;
a type permission adapter for obtaining the data type information of the data a user wants to operate on and, combining it with the user's identity information and the identity information of the tenant the user belongs to, looking up the corresponding permission control policy service class in the permission policy database;
a permission decider for obtaining, according to the permission control policy service class found, the user's operating permissions for that data type.
Further, when the data binder binds mutually corresponding tenant identity information, data type information and permission control policy service classes, one data type may be bound to one or more permission control policy service classes.
Further, when a data type is bound to a single permission control policy service class, the permission decider obtains the user's operating permissions for the data type by executing that class directly and taking its result as the operating permissions;
when a data type is bound to multiple permission control policy service classes, the permission decider executes each permission control policy service class found, combines their results according to the logical AND, logical OR and logical NOT relations defined between the classes, and decides from the combined result whether the user has the requested operating permission for the data type.
Further, a tenant type permission binding cache stores the permission control policy service classes found by the type permission adapter so that they can be read directly from the cache next time.
The invention binds tenant identity information, data type information and permission control policy service classes together, so that for each tenant the tenant administrator can configure personalized rights management for that tenant's situation. The permission control policy for the same data type can therefore differ between tenants, which solves the problem of supporting "the individual rights-management requirements of different tenants under the multi-tenant model".
In the invention, one tenant may have multiple permission control policies for the same data type, forming a set. The policies are related by the three logical operations AND, OR and NOT, so that more complex data permission control can be realized by logically combining policies.
The invention therefore meets the individual rights-management requirements of different tenants under the multi-tenant model, greatly reduces the time spent on database operations, and can realize more complex data permission control.
Brief description of the drawings
The drawings provided here aid a further understanding of the invention and form part of the application; they do not constitute an improper limitation of the invention. In the drawings:
Fig. 1 is a schematic flow chart of the basic principle of the method of the invention;
Fig. 2 is a schematic diagram of the basic structure of the system of the invention.
Embodiment
As shown in Fig. 1, this embodiment discloses a data permission control method for the cloud computing multi-tenant model, comprising:
1) Binding mutually corresponding tenant identity information, data type information and permission control policy service classes, embodied by generating one type permission binding record that expresses the relationship among the three, so that from the tenant identity information, the identity information of a user belonging to that tenant and the data type information, the permission control policy service class can yield the operating permissions that user has for that data type.
This allows the tenant administrator of each tenant to configure personalized rights management for that tenant's situation. The permission control policy for the same data type can therefore differ between tenants, which solves the problem of supporting "the individual rights-management requirements of different tenants under the multi-tenant model".
A permission control policy is the encapsulation of the decision logic for a data permission: given three parameters, the data to be decided on, the user information and the tenant information, it determines which permissions a given user of a given tenant has on a given piece of data.
For example, the permission control policy service classes of tenant A and tenant B for expense report permission control are FinalExecutiveAuthorityControlServiceImpl and FinalStaffAuthorityControlServiceImpl respectively.
The permission control logic encapsulated in FinalExecutiveAuthorityControlServiceImpl is "if the user is the financial executive or the applicant of the expense report, it can be viewed", described in pseudocode as follows:
The permission control logic encapsulated in FinalStaffAuthorityControlServiceImpl is "if the user is the financial staff or the applicant of the expense report, it can be viewed", described in pseudocode as follows:
2) Obtaining the data type information of the data a user wants to operate on and, combining it with the user's identity information and the identity information of the tenant the user belongs to, looking up the corresponding permission control policy service class, that is, querying the permission control policies the current tenant has for that data type;
3) Obtaining, according to the permission control policy service class found, the user's operating permissions for that data type.
Preferably, when binding mutually corresponding tenant identity information, data type information and permission control policy service classes, one data type may be bound to one or more permission control policy service classes. The final data permission result is then determined by the execution results of several permission control policy service classes, which are merged with logical operations, so a new column "logical operator" can be added to the type permission binding database.
When a data type is bound to a single permission control policy service class, obtaining the user's operating permissions for the data type according to the permission control policy service class found means executing that class directly and taking its result as the operating permissions.
When a data type is bound to multiple permission control policy service classes, obtaining the user's operating permissions for the data type means executing each permission control policy service class found, combining their results according to the logical AND, logical OR and logical NOT relations defined between the classes, and deciding from the combined result whether the user has the requested operating permission for the data type. One tenant may have multiple permission control policies for the same data type, forming a set; the policies are related by the three logical operations AND, OR and NOT, so that more complex data permission control can be realized by logically combining policies.
Preferably, after the corresponding permission control policy service class is found, it is also stored in a tenant type permission binding cache so that it can be read directly from the cache next time. Once a data type has been matched, its permission control policy service class is put into the cache and taken from the cache at the next match, avoiding repeated database operations and improving the system's running efficiency.
As shown in Fig. 2, this embodiment also discloses a data permission control system for the cloud computing multi-tenant model, comprising:
Data type database 1, for storing all data type information, such as the expense report type and the leave request type.
Permission policy database 2, for storing permission control policy service classes, each of which covers bound tenant identity information, user identity information, data type information corresponding to that user identity information, and the control permission information corresponding to that data type;
A permission control policy service class is written in an object-oriented language (such as Java); it implements the permission control policy service interface and encapsulates the permission decision logic.
In Java, the permission control policy service interface is defined as:
Its method takes two parameters, the data entity to be decided on and the user information userinfo, and returns the permissions Permission[] the user holds on that entity.
For example, the permission control policy service classes for expense report permission control of tenant A and tenant B are FinalExecutiveAuthorityControlServiceImpl and FinalStaffAuthorityControlServiceImpl respectively; both classes are stored in the permission policy database.
The implementation of the checkPermission method in FinalExecutiveAuthorityControlServiceImpl is, in pseudocode, as follows:
The implementation of the checkPermission method in FinalStaffAuthorityControlServiceImpl is, in pseudocode, as follows:
Type permission binding database 3, for storing type permission binding records, each of which comprises tenant identity information, data type information and a permission control policy service class bound together;
Data binder 4, for binding mutually corresponding tenant identity information, data type information and permission control policy service classes into type permission binding records and storing them in the type permission binding database. For example, the binding records of the expense report permission control policy service classes of tenant A and tenant B are shown in the following table:
Tenant name | Data type      | Permission control policy service class name
Tenant A    | Expense report | FinalExecutiveAuthorityControlServiceImpl
Tenant B    | Expense report | FinalStaffAuthorityControlServiceImpl
Type permission adapter 5, for obtaining the data type information of the data a user wants to operate on and, combining it with the user's identity information and the identity information of the tenant the user belongs to, looking up the corresponding permission control policy service class in the permission policy database;
Permission decider 6, for obtaining, according to the permission control policy service class found, the user's operating permissions for that data type.
When the data binder binds mutually corresponding tenant identity information, data type information and permission control policy service classes, one data type may be bound to one or more permission control policy service classes. The same data type may be subject to several permission requirements and hence correspond to several permission control policy service classes; the final data permission result is then determined by the execution results of those classes, which are merged with logical operations, so a new column "logical operator" can be added to the type permission binding database. For example, tenant A adds the expense report permission rule "a department manager can view the expense reports of the members of the department and of all its sub-departments", whose permission control service class is DeparmentMgrAuthorityControlServiceImpl. This rule stands in a "logical OR" relation to the earlier permission control policy service class: it is enough for either of them to be satisfied. The record in the type permission binding database is:
Before a logged-in user operates on data, a permission decision is made. The inputs of the type permission adapter are the data type to be decided on, the user information, the tenant information and the type permission binding database; its query yields the tenant's permission control policy service class for the data.
For example, after a user of tenant A logs in and performs the view operation on an expense report, the input parameter for the data to be decided on is that expense report record, the user information parameter is the current user, and the tenant information parameter is tenant A; the permission control policy service class matched is FinalExecutiveAuthorityControlServiceImpl.
When a data type is bound to a single permission control policy service class, the permission decider obtains the user's operating permissions for the data type by executing that class directly and taking its result as the operating permissions;
when a data type is bound to multiple permission control policy service classes, the permission decider executes each permission control policy service class found, combines their results according to the logical AND, logical OR and logical NOT relations defined between the classes, and decides from the combined result whether the user has the requested operating permission for the data type.
The permission decider executes the permission control policy service classes obtained by the type permission adapter; if there are several, it takes the logical operator recorded for each class and computes the combination. For example, when a department manager of tenant A views an expense report of a member of the department, the permission control policy service classes found are FinalExecutiveAuthorityControlServiceImpl and DeparmentMgrAuthorityControlServiceImpl. The permission decider 6 executes the two service classes in turn and combines them with the "logical OR" operation. FinalExecutiveAuthorityControlServiceImpl returns false after execution and DeparmentMgrAuthorityControlServiceImpl returns true, so the final result after the "logical OR" operation is true, meaning the department manager has the right to view the expense reports of the department's members.
Preferably, the system also comprises a tenant type permission binding cache, for storing the permission control policy service classes found by the type permission adapter so that they can be read directly from the cache next time. Once a data type has been matched, its permission control policy service class is put into the cache and taken from the cache at the next match, avoiding repeated database operations and improving the system's running efficiency.
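The method summarized in the content of the invention and worked through in this embodiment (policy service interface, tenant/data type/policy binding table with its "logical operator" column, type permission adapter with cache, and permission decider), as an added example in Python that is not the patent's own code. The class names follow the text, including the spelling DeparmentMgrAuthorityControlServiceImpl. The User and ExpenseReport records, the constructed organisation (company, rd, backend with managers wang, zhao, qian), the operator semantics (the first bound row seeds the result; each following row is combined with OR, AND, or NOT meaning AND NOT), default deny when nothing is bound, and the refusal of data belonging to another tenant are assumptions of this example.

```python
# Added example (not the patent's code): a minimal Python model of the
# tenant / data-type / policy-service binding described above. Class names
# follow the text; the sample organisation, the operator semantics and the
# default-deny and tenant-isolation checks are assumptions of this example.
from __future__ import annotations

from dataclasses import dataclass
from typing import ClassVar, Protocol


@dataclass(frozen=True)
class User:
    user_id: str
    tenant: str
    roles: frozenset[str]
    department: str


@dataclass(frozen=True)
class ExpenseReport:
    data_type: ClassVar[str] = "expense_report"  # the data type information
    tenant: str
    applicant: str
    department: str


class PolicyService(Protocol):  # the text's permission control policy service interface
    def check_permission(self, data: ExpenseReport, user: User) -> set[str]: ...


class FinalExecutiveAuthorityControlServiceImpl:
    """Tenant A: the financial executive or the applicant may view."""
    def check_permission(self, data: ExpenseReport, user: User) -> set[str]:
        ok = "finance_executive" in user.roles or data.applicant == user.user_id
        return {"view"} if ok else set()


class FinalStaffAuthorityControlServiceImpl:
    """Tenant B: the financial staff or the applicant may view."""
    def check_permission(self, data: ExpenseReport, user: User) -> set[str]:
        ok = "finance_staff" in user.roles or data.applicant == user.user_id
        return {"view"} if ok else set()


class DeparmentMgrAuthorityControlServiceImpl:
    """A department manager may view reports of members of the department
    and of all its sub-departments: walk the department chain upward."""
    def __init__(self, parent_of: dict[str, str | None], manager_of: dict[str, str]):
        self.parent_of, self.manager_of = parent_of, manager_of

    def check_permission(self, data: ExpenseReport, user: User) -> set[str]:
        dept: str | None = data.department
        while dept is not None:
            if self.manager_of.get(dept) == user.user_id:
                return {"view"}
            dept = self.parent_of.get(dept)
        return set()


@dataclass(frozen=True)
class TypePermissionBinding:
    """One row of the type permission binding database; `op` is the
    'logical operator' column (OR, AND, or NOT meaning AND NOT)."""
    tenant: str
    data_type: str
    policy: PolicyService
    op: str = "OR"


class TypePermissionAdapter:
    """Finds the bindings for (tenant, data type); the result is cached so
    the binding database is queried once per tenant and data type."""
    def __init__(self, bindings: list[TypePermissionBinding]):
        self._bindings = list(bindings)
        self._cache: dict[tuple[str, str], list[TypePermissionBinding]] = {}
        self.db_lookups = 0  # counts binding database queries (cache misses)

    def lookup(self, tenant: str, data_type: str) -> list[TypePermissionBinding]:
        key = (tenant, data_type)
        if key not in self._cache:
            self.db_lookups += 1
            self._cache[key] = [b for b in self._bindings
                                if b.tenant == tenant and b.data_type == data_type]
        return self._cache[key]


def decide(bindings: list[TypePermissionBinding], data: ExpenseReport,
           user: User, permission: str) -> bool:
    """Permission decider: execute every bound policy and fold the results
    with each row's operator. No binding at all means deny (assumption)."""
    result: bool | None = None
    for b in bindings:
        granted = permission in b.policy.check_permission(data, user)
        if result is None: result = granted          # first row seeds the result
        elif b.op == "OR": result = result or granted
        elif b.op == "AND": result = result and granted
        elif b.op == "NOT": result = result and not granted
        else: raise ValueError(f"unknown logical operator {b.op!r}")
    return bool(result)


def can(adapter: TypePermissionAdapter, data: ExpenseReport, user: User,
        permission: str) -> bool:
    """Check made before a user operates on data. The policy is selected by
    the user's tenant, so data owned by another tenant is refused outright."""
    if data.tenant != user.tenant:
        return False
    return decide(adapter.lookup(user.tenant, data.data_type), data, user, permission)


# Constructed sample: tenant A binds two OR-combined policies, tenant B one.
PARENT_OF = {"company": None, "rd": "company", "backend": "rd"}
MANAGER_OF = {"company": "wang", "rd": "zhao", "backend": "qian"}
BINDINGS = [
    TypePermissionBinding("A", "expense_report", FinalExecutiveAuthorityControlServiceImpl()),
    TypePermissionBinding("A", "expense_report", DeparmentMgrAuthorityControlServiceImpl(PARENT_OF, MANAGER_OF), "OR"),
    TypePermissionBinding("B", "expense_report", FinalStaffAuthorityControlServiceImpl()),
]
```

Two points a practitioner would want beyond the text: the binding is selected by the user's tenant, so the data record must also carry its tenant and the check must refuse a mismatch, otherwise a tenant A policy could be evaluated against tenant B's records; and the cache keys on (tenant, data type) only, so replacing a tenant's policy must invalidate that key, or the old class keeps deciding.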
The preferred embodiments of the invention have been described in detail above. It should be understood that a person of ordinary skill in the art can make many modifications and variations according to the concept of the invention without creative effort. Therefore, any technical solution that a person skilled in the art can obtain from the prior art by logical analysis, reasoning or limited experimentation according to the concept of the invention falls within the scope of protection defined by the claims.