Summary of the Invention
The embodiments of the present invention provide a data isolation storage method and system. A separate data center is set up for each tenant; a data switch engine identifies the data center with which data is to be exchanged, and the data gateway under that data center then manages the storage logic of the data in the tenant database. This isolates each tenant's data storage management from the system network and effectively ensures the security of tenant data stored in the management information system. At the same time, when tenants are added to the system, the data security of existing tenants is not affected at all.
In a first aspect, an embodiment of the present invention provides a data isolation storage method, the method comprising:
a first application sends first data, input by a user of a first tenant, to a data switch engine;
the data switch engine determines the primary storage logic of the first data according to the data attributes of the first data;
the data switch engine sends the first data, according to the primary storage logic, to the data gateway that manages a first tenant database;
the data gateway stores the first data in the first tenant database.
Preferably, the method further comprises:
the data gateway records the storage logic of the first data in the first tenant database.
Preferably, the data gateway comprises multi-level gateways. When there are two levels, the data gateway storing the first data in the first tenant database comprises:
the first-level gateway in the data gateway, according to the attributes of the first data, either sends the first data to the second-level gateway in the data gateway or stores the first data in a first sub-database of the first tenant database managed by the first-level gateway;
when the first data is sent to the second-level gateway, the second-level gateway stores the first data in a second sub-database of the first tenant database managed by the second-level gateway.
Preferably, the method further comprises:
the first application receives a data call instruction input by a user of the first tenant; the data call instruction is used to request a call of second data;
the first application generates a second data call request according to the data call instruction and sends it to the data switch engine; the second data call request includes the information of the first tenant and the attribute information of the second data;
according to the information of the first tenant included in the second data call request, the data switch engine sends a second data call instruction to the data gateway that manages the first tenant database; the second data call instruction includes the attribute information of the second data;
the data gateway determines the storage logic of the second data in the first tenant database according to the attribute information of the second data, and obtains the second data according to that storage logic;
the data gateway returns the second data to the data switch engine;
the data switch engine sends the second data to the first application.
Further preferably, the method further comprises:
displaying the second data to the user through the user interface provided by the first application.
In a second aspect, an embodiment of the present invention provides a multi-tenant data storage system, the system comprising:
a multi-tenant shared application platform, including multiple applications, used to provide different users of different tenants with interactive interfaces for operating the management information system;
a data switch engine, used for data interaction between the multiple applications and multiple data centers;
the multiple data centers, each of which serves one tenant and includes a data gateway and a tenant database; the data gateway is used for data interaction between the data switch engine and the tenant database; each tenant database belongs to one tenant and is used to store that tenant's data.
Preferably, when the data gateway receives data sent by the data switch engine and sends it to the tenant database for storage, the data gateway is further configured to generate the storage logic of the data in the tenant database and to store that storage logic.
Preferably, the data switch engine is further configured to determine, according to the data attributes of the data, the data center that exchanges data with the application.
Preferably, the data gateway comprises multi-level gateways.
Further preferably, when the data gateway includes a first-level gateway and a second-level gateway, the first-level gateway, according to the attributes of the first data, either sends the first data to the second-level gateway in the data gateway or stores the first data in the first sub-database of the first tenant database managed by the first-level gateway;
when the first data is sent to the second-level gateway, the second-level gateway stores the first data in the second sub-database of the first tenant database managed by the second-level gateway.
The data isolation storage method proposed by the present invention sets up a separate data center for each tenant, identifies through the data switch engine the data center with which data is exchanged, and then has the data gateway under that data center manage the storage logic of the data in the tenant database. This isolates each tenant's data storage management from the system network, effectively ensures the security of tenant data stored in the management information system, and also ensures that the system has good scalability.
Detailed Description of the Embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, specific embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
In a management information system, the operating platform is usually open to multiple tenants. The multiple applications carried on the operating platform provide user interfaces to the tenants, so that each user under each tenant can use the various services provided by the management information system.
The data isolation storage method provided by an embodiment of the present invention is described in detail below, taking Fig. 1 as an example. Fig. 1 is a flowchart of a data isolation storage method provided by an embodiment of the present invention. The method is executed by the operating platform of the management information system. Fig. 3 shows a block diagram of the data isolation storage system proposed by the embodiment of the present invention. With reference to Fig. 1 and Fig. 3, the method comprises the following steps:
Step 110: the first application sends the first data, input by a user of the first tenant, to the data switch engine.
Specifically, the first application is one of the multiple applications loaded on the operating platform. The operating platform is open to multiple tenants simultaneously. When a user under a given tenant inputs data through the user interface of the first application, the first application processes the received data together with the information of the tenant that input the data, and then sends the result to the data switch engine. The tenant information is recorded in the data attributes of the data that is sent.
Step 120: the data switch engine determines the primary storage logic of the first data according to the data attributes of the first data.
Specifically, the data switch engine faces all applications and is the exchange interface between back-end data storage and the front-end applications in the management information system.
In the embodiments of the present invention, the main role of the data switch engine is to determine, according to the data attributes of the data, the data center with which the application exchanges data.
The system includes multiple data centers. Each data center serves one tenant, and each includes a data gateway and a tenant database.
In the data switch engine, the correspondence between the tenant attribute described in the data and the tenant that a data center serves is recorded as the primary storage logic.
Step 130: the data switch engine sends the first data, according to the primary storage logic, to the data gateway that manages the first tenant database.
Specifically, according to the primary storage logic described above, the data switch engine can determine to which tenant's data center the data gateway receiving the data belongs. For example, if the information of the first tenant is recorded in the data attributes of the first data, the data switch engine uses that information and the primary storage logic to decide that the first data is sent to the data gateway that manages the first tenant database.
Step 140: the data gateway stores the first data in the first tenant database.
Specifically, the data gateway is used to determine and record the storage logic of the data in the tenant database.
Further, the data may be stored using traditional centralized storage, or using distributed storage.
Data may be stored in the tenant database in metadata form. In that case, when storing data, the data switch engine needs to apply some data processing methods: it first performs data structure conversion and data splitting on the data from different applications, splitting the data into data fields and converting them into the metadata data structure defined by the data dictionary of the data center, and then sends them to the data gateway, which stores them in the tenant database.
Because the data gateway can be managed by the tenant itself, it can be configured as a single level or as multiple levels according to the tenant's needs. Likewise, the tenant database of one tenant can include multiple sub-databases.
The following takes the case where the data gateway includes a first-level gateway and a second-level gateway as an example; the system architecture may then be as shown in Fig. 4.
When the data gateway includes a first-level gateway and a second-level gateway, the first-level gateway, according to the attributes of the first data, either sends the first data to the second-level gateway in the data gateway or stores the first data in the first sub-database of the first tenant database managed by the first-level gateway;
when the first data is sent to the second-level gateway, the second-level gateway stores the first data in the second sub-database of the first tenant database managed by the second-level gateway.
For example, in the management information system of an enterprise, it is stipulated that production data is stored in the first sub-database managed by the first-level gateway, and the more confidential financial data is stored in the second sub-database managed by the second-level gateway. When storing data, the first-level gateway only needs to determine from the data attributes whether the data is financial data or production data in order to decide whether it is stored in the first sub-database or in the second sub-database.
Accordingly, permissions can also be set for each user of the enterprise. When a user calls data, the gateway identifies the permissions of the user requesting the data call. For example, the permission to call production data is open to all users, while financial data is open only to management personnel and finance department personnel. Therefore, when financial data is requested, the second-level gateway can first confirm whether the user making the call request is a manager or a member of the finance department, and the data call proceeds only if the permission is confirmed. The user permission information can be carried in the data call request.
We refer to the approach proposed in the above embodiment, in which the tenant database is accessed through a data gateway private to the tenant, as non-hosted storage. Of course, a management information system that supports non-hosted storage can also support hosted storage at the same time. In hosted storage, the storage logic of the tenant database is managed directly by the data switch engine; that is, data passes between the tenant database and the applications directly through the data switch engine. The systems shown in Fig. 3 and Fig. 4 include both hosted storage and non-hosted storage. Of the two, the non-hosted storage proposed by the present invention achieves data storage isolation more effectively.
When a tenant needs to suspend writing and reading of the data in its tenant database, for network security or other reasons, closing the data gateway is enough to take the tenant database offline from the whole system.
When a new tenant is added to the management information system, it is only necessary to configure and add a data center (data gateway + tenant database) for that tenant. Other tenants using the application platform of the management information system are not affected at all.
The data isolation storage method proposed by the present invention sets up a separate data center for each tenant, identifies through the data switch engine the data center with which data is exchanged, and then has the data gateway under that data center manage the storage logic of the data in the tenant database. This isolates each tenant's data storage management from the system network, effectively ensures the security of tenant data stored in the management information system, and also ensures that the system has good scalability.
The above describes, taking Fig. 1 as an example, the data isolation storage method provided by the embodiment of the present invention. Below, taking Fig. 2 as an example and in combination with Fig. 3, the data calling method based on the above data isolation storage method is described.
With reference to Fig. 2 and Fig. 3, the data calling method comprises the following steps:
Step 210: the first application receives a data call instruction input by a user of the first tenant; the data call instruction is used to request a call of second data.
Specifically, when a user needs to call data through an application of the management information system, the user inputs a data call instruction through the user interface provided by the application. The instruction may be generated by clicking a button in the user interface provided by the application, such as a "Query" button; it may also be generated by the action of opening the application's user interface when the user starts the application, or by other operations.
Step 220: the first application generates a second data call request according to the data call instruction and sends it to the data switch engine; the second data call request includes the information of the first tenant and the attribute information of the second data.
Specifically, when the application receives the user's data call instruction, it parses the instruction to obtain some attribute information of the data to be called and the information of the tenant to which the user who issued the call instruction belongs. The attribute information of the data may include related item information describing the data. For example, when the user requests the staff list of a department, the attribute information of the requested data may include the name of that department; it may also include information describing the meaning of the requested data, such as "name", and so on.
When the application generates the data call request from the data call instruction, all of this information is loaded into the call request, which is sent to the data switch engine.
Step 230: according to the information of the first tenant included in the second data call request, the data switch engine sends a second data call instruction to the data gateway that manages the first tenant database; the second data call instruction includes the attribute information of the second data.
Specifically, after receiving the data call request, the data switch engine parses the tenant information carried in it. The data switch engine determines the data center with which the application exchanges data according to the data attributes of the data. Because the data switch engine includes a storage management module that manages the correspondence between tenants and data centers, the tenant information carried in the data call request is enough to determine in which data center the data to be called is stored.
After the data center has been identified, the data switch engine sends a data call instruction to that data center; the data call instruction includes the attribute information of the data to be called.
Step 240: the data gateway determines the storage logic of the second data in the first tenant database according to the attribute information of the second data, and obtains the second data according to that storage logic.
Specifically, the data call instruction is sent to the data gateway of the data center. Using the attribute information of the required data included in the data call instruction, the data gateway determines the storage logic of the required data, and then obtains the required data from the tenant database according to that storage logic.
Step 250: the data gateway returns the second data to the data switch engine.
Specifically, after the data gateway obtains the data, it first returns the data to the data switch engine.
Step 260: the data switch engine sends the second data to the first application.
Specifically, the data switch engine sends the called data to the application that issued the data call request. If the data is stored in the tenant database in metadata form, the data switch engine first invokes a functional module to perform data structure conversion and data splicing on the metadata fields obtained, converting the metadata fields into a data structure supported by the application and splicing them into data before sending it to the application.
Finally, the second data can be displayed to the user through the user interface provided by the first application, or other required data processing can be performed.
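
The storage flow (steps 110 to 140, including the two-level gateway and its permission check) and the call flow (steps 210 to 260) can be sketched together as follows. This is an added example, not code from the patent: all class, field and role names are hypothetical, in-memory dictionaries stand in for the tenant sub-databases, and it assumes the application fills in the tenant and role from the authenticated session rather than from user input.

```python
class AccessDenied(Exception): pass    # unknown tenant or insufficient role
class GatewayOffline(Exception): pass  # the tenant has closed its data gateway

class SecondLevelGateway:
    """Manages the second sub-database; checks the caller's role on each call."""
    def __init__(self, allowed_roles):
        self.allowed_roles = frozenset(allowed_roles)
        self.sub_db = {}  # in-memory stand-in for the second sub-database
    def store(self, key, value):
        self.sub_db[key] = value

    def call(self, key, role):
        if role not in self.allowed_roles:
            raise AccessDenied(f"role {role!r} may not call {key!r}")
        return self.sub_db[key]

class FirstLevelGateway:
    """Tenant-owned gateway: routes by data category, records storage logic."""
    def __init__(self, second_level, confidential):
        self.second_level = second_level
        self.confidential = frozenset(confidential)  # categories for level two
        self.sub_db = {}         # in-memory stand-in for the first sub-database
        self.storage_logic = {}  # key -> "first" or "second"
        self.online = True       # False takes this tenant's database offline

    def store(self, record):
        if not self.online:
            raise GatewayOffline("data gateway is closed")
        key = record["key"]
        if record["category"] in self.confidential:
            self.second_level.store(key, record["value"])
            self.storage_logic[key] = "second"
        else:
            self.sub_db[key] = record["value"]
            self.storage_logic[key] = "first"

    def call(self, key, role):
        if not self.online:
            raise GatewayOffline("data gateway is closed")
        if self.storage_logic[key] == "second":
            return self.second_level.call(key, role)
        return self.sub_db[key]

class DataSwitchEngine:
    """Holds only the primary storage logic: tenant -> that tenant's gateway."""
    def __init__(self):
        self.primary_storage_logic = {}

    def add_data_center(self, tenant, gateway):
        self.primary_storage_logic[tenant] = gateway

    def _gateway_for(self, tenant):
        # Fail closed: an unknown tenant is rejected, never routed to a default.
        if tenant not in self.primary_storage_logic:
            raise AccessDenied(f"no data center for tenant {tenant!r}")
        return self.primary_storage_logic[tenant]

    def store(self, record):
        self._gateway_for(record["tenant"]).store(record)

    def call(self, request):
        # Assumption: the application set "tenant" and "role" from the session.
        gateway = self._gateway_for(request["tenant"])
        return gateway.call(request["key"], request["role"])

def build_demo():
    """Constructed sample: two tenants, each with its own two-level gateway."""
    engine = DataSwitchEngine()
    for tenant in ("tenant_a", "tenant_b"):
        second = SecondLevelGateway({"manager", "finance"})
        engine.add_data_center(tenant, FirstLevelGateway(second, {"finance"}))
    engine.store({"tenant": "tenant_a", "category": "production", "key": "line1", "value": 120})
    engine.store({"tenant": "tenant_a", "category": "finance", "key": "q1", "value": 9000})
    return engine
```

Because each tenant has its own gateway object and sub-databases, a request carrying another tenant's identifier can never resolve a key stored for `tenant_a`, and setting `online = False` on one gateway leaves every other tenant's reads and writes untouched.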
Accordingly, an embodiment of the present invention also provides a data isolation storage system that can implement the above data isolation storage method. In this embodiment, the block diagram of the data isolation storage system may be as shown in Fig. 3, and the system mainly includes: a multi-tenant shared application platform 1, a data switch engine 2, and multiple data centers (including data center 31, data center 32 and data center 33).
The multi-tenant shared application platform 1 includes multiple applications, used to provide different users of different tenants with interactive interfaces for operating the management information system. The management information system can support multiple user permission settings for different tenants, and the interactive interfaces provided to different users of different tenants can differ according to their permissions.
The data switch engine 2 is used for data interaction between the multiple applications and the multiple data centers. The data switch engine 2 has the function of determining, according to the data attributes of the data, the data center that exchanges data with the application.
Multiple data centers (including data center 31, data center 32 and data center 33 shown in the figure): each data center serves one tenant and includes a data gateway 4 and a tenant database (shown in the figure as 5-1, 5-2 and 5-3 to distinguish different tenants; below, unless a specific tenant is singled out, they are referred to collectively as tenant database 5). The data gateway 4 is used for data interaction between the data switch engine 2 and the tenant database 5; each tenant database 5 belongs to one tenant and is used to store that tenant's data.
When a user of a tenant stores data in the data center through an application, the application sends the data to the data switch engine 2. The data switch engine 2 receives the data sent by the application, identifies the tenant information from the data, and determines from the tenant information the data center in which the data is to be stored. Finally, the data gateway 4 of that data center manages the storage logic of the data, further determines the tenant database 5 in which the data is stored, and then stores the data.
When a user of a tenant requests data from the data center through an application, the application generates a data call request and sends it to the data switch engine 2. The data switch engine 2 receives the data call request sent by the application, identifies the tenant information from the request, and determines from the tenant information the data center in which the data is stored. The data switch engine 2 then sends a data call instruction to the data gateway 4 of that data center. Based on the data attributes of the requested data carried in the data call instruction, and according to the storage logic it manages, the data gateway 4 determines the storage area of the data in the tenant database 5, and the data is then called.
Fig. 4 shows the architecture of another data isolation storage system, in which the data gateway includes multi-level gateways.
In this system, the functions of the other parts are the same as those of the corresponding parts of the system shown in Fig. 3; only the working process of the data gateway differs slightly. Only the data gateway part is described below.
As shown in Fig. 4, the data gateway 4 includes a first-level gateway 41 and a second-level gateway 42. Its data storage process is as follows:
the first-level gateway 41, according to the attributes of the data, either sends the data to the second-level gateway 42 in the data gateway 4 or stores the data in the first sub-database (not shown separately in the figure) of the first tenant database managed by the first-level gateway 41;
when the data is sent to the second-level gateway 42, the second-level gateway 42 stores the data in the second sub-database (not shown separately in the figure) of the first tenant database managed by the second-level gateway 42.
The data call process is similar and is not repeated here.
The data isolation storage system proposed by the present invention sets up a separate data center for each tenant, identifies through the data switch engine the data center with which data is exchanged, and then has the data gateway under that data center manage the storage logic of the data in the tenant database. This isolates each tenant's data storage management from the system network, effectively ensures the security of tenant data stored in the management information system, and also ensures that the system has good scalability.
Those skilled in the art should further appreciate that the units and algorithm steps of each example described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of the embodiments of the present invention.
The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The specific embodiments described above further explain in detail the objectives, technical solutions and beneficial effects of the embodiments of the present invention. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit the protection scope of the embodiments of the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the embodiments of the present invention shall fall within the protection scope of the embodiments of the present invention.