CN112596857B - Method, device, equipment and medium for isolating SaaS multi-tenant data - Google Patents

Publication number
CN112596857B
Authority
CN
China
Prior art keywords
tenant
data
current
entity
identification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011563870.1A
Other languages
Chinese (zh)
Other versions
CN112596857A (en
Inventor
任亮
傅雨梅
文齐辉
王超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Zhiyin Intelligent Technology Co ltd
Original Assignee
Beijing Zhiyin Intelligent Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Zhiyin Intelligent Technology Co ltd filed Critical Beijing Zhiyin Intelligent Technology Co ltd
Priority to CN202011563870.1A priority Critical patent/CN112596857B/en
Publication of CN112596857A publication Critical patent/CN112596857A/en
Application granted granted Critical
Publication of CN112596857B publication Critical patent/CN112596857B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/604 Tools and structures for managing or administering access control systems

Abstract

The application provides a method, a device, equipment and a medium for isolating SaaS multi-tenant data, wherein the method comprises the following steps: acquiring a data operation request sent by a current tenant through a terminal page; the data operation request carries the tenant identification and the data operation instruction of the current tenant; judging whether the current tenant is an entity tenant or not according to the tenant identification of each entity tenant in the entity tenant list and the tenant identification of the current tenant; if the current tenant is an entity tenant, operating the data in an encrypted data table corresponding to the tenant identification of the current tenant according to the data operation instruction to obtain a first operation result, and sending the first operation result to a terminal page; if the current tenant is a non-entity tenant, operating the data in the general data table according to the data operation instruction to obtain a second operation result, and sending the second operation result to the terminal page, so that the multi-tenant data is isolated in storage and operation, and the security of multi-tenant data isolation is improved.

Description

Method, device, equipment and medium for isolating SaaS multi-tenant data
Technical Field
The application relates to the technical field of computers, in particular to a method, a device, equipment and a medium for isolating SaaS multi-tenant data.
Background
Software as a service (SaaS) is a software application model in which software services are provided over the internet and tenants lease them as required. One piece of software usually serves multiple tenants simultaneously, and reducing the cost per tenant greatly reduces service delivery and operation and maintenance costs, maximizing benefits. Multi-tenancy means running a single application on a server while serving multiple enterprises at the same time. The applications used by the users of each enterprise are customized versions. However, in the multi-tenant mode the software stack is shared, so the data generated and used is shared by multiple tenants and the data of different tenants can interfere with each other, causing traffic errors. Multi-tenant data therefore needs to be securely isolated. A qualified SaaS multi-tenant system must provide services for a plurality of different tenants while ensuring that the tenants' data are isolated from each other and that system resources are independent and do not influence each other.
Most existing micro-service-based SaaS multi-tenant systems can only meet the isolation of data and resources. If an existing data isolation scheme isolates tenants within the same instance and table, the data of multiple tenants is actually stored in the same table of one database instance and distinguished only by a tenant ID, which carries certain potential safety hazards. If multiple database instances are used for data isolation, the system cost and the operation and maintenance deployment difficulty are indirectly increased, and the system is difficult to expand in big data scenarios.
Disclosure of Invention
In view of the above, the application aims to provide a method, a device, equipment and a medium for data isolation of SaaS multi-tenancy, which solve the problems that in the prior art, certain potential safety hazards exist in data isolation, the system cost and the operation and maintenance deployment difficulty are high, and the data isolation is difficult to expand in a big data scene system.
In a first aspect, an embodiment of the present application provides a method for SaaS multi-tenant data isolation, where the method includes:
acquiring a data operation request sent by a current tenant through a terminal page; the data operation request carries the tenant identification and the data operation instruction of the current tenant;
judging whether the current tenant is an entity tenant or not according to the tenant identification of each entity tenant in the entity tenant list and the tenant identification of the current tenant;
if the current tenant is the entity tenant, operating data according to the data operation instruction in an encrypted data table corresponding to the tenant identification of the current tenant to obtain a first operation result, and sending the first operation result to the terminal page;
if the current tenant is a non-entity tenant, operating the data in a general data table according to the data operation instruction to obtain a second operation result, and sending the second operation result to the terminal page.
Optionally, before determining whether the current tenant is an entity tenant according to the tenant identifier of each entity tenant in the entity tenant list and the tenant identifier of the current tenant, the method further includes:
intercepting the data operation request sent by the current tenant through the terminal page.
Optionally, if the current tenant is the entity tenant, operating data according to the data operation instruction in an encrypted data table corresponding to the tenant identifier of the current tenant to obtain a first operation result, and sending the first operation result to the terminal page, where the step includes:
analyzing the data operation instruction to obtain a data operation statement corresponding to the data operation instruction;
adding the tenant identification into the data operation statement to obtain an identification additional statement;
determining an encryption data table corresponding to the tenant identification of the current tenant according to the identification additional statement, operating the encryption data table according to the identification additional statement to obtain the first operation result, and sending the first operation result to the terminal page.
Optionally, before the obtaining the data operation request sent by the current tenant through the terminal page, the method further includes:
acquiring an opening request of the current tenant, wherein the opening request carries tenant information of the current tenant;
checking the tenant information, and if the checking is correct, generating environment configuration information corresponding to the current tenant according to the tenant information;
configuring corresponding resources based on the environment configuration information corresponding to the current tenant, and starting a corresponding terminal page for the current tenant.
Optionally, the configuring the corresponding resource based on the environment configuration information corresponding to the current tenant and starting the corresponding terminal page for the current tenant includes:
compiling the environment configuration information corresponding to the current tenant into a service image corresponding to the current tenant;
generating a corresponding instance based on the service object, and starting a terminal page corresponding to the current tenant according to the instance corresponding to the service image, wherein the terminal page at least comprises one instance corresponding to the service image.
Optionally, the tenant information includes any one or more of the following information:
tenant enterprise names, tenant account numbers, tenant contacts, tenant mailboxes, tenant contact phones, and the like.
Optionally, the method further comprises:
in the process of starting the corresponding terminal page for the current tenant, detecting whether the terminal page is started normally or not through an online page;
and after the corresponding terminal page is started for the current tenant, monitoring and early warning are carried out on the service state through the online page.
In a second aspect, an embodiment of the present application further provides an apparatus for SaaS multi-tenant data isolation, including:
The acquisition module is used for acquiring a data operation request sent by the current tenant through the terminal page; the data operation request carries the tenant identification and the data operation instruction of the current tenant;
The judging module is used for judging whether the current tenant is an entity tenant or not according to the tenant identification of each entity tenant in the entity tenant list and the tenant identification of the current tenant;
The first sending module is used for operating the data according to the data operation instruction in the encrypted data table corresponding to the tenant identification of the current tenant if the current tenant is an entity tenant, obtaining a first operation result, and sending the first operation result to the terminal page;
The second sending module is used for operating the data in the general data table according to the data operation instruction if the current tenant is a non-entity tenant, obtaining a second operation result and sending the second operation result to the terminal page.
In a third aspect, an embodiment of the present application provides an electronic device, including a processor, a memory, and a bus, where the memory stores machine-readable instructions executable by the processor, where the processor and the memory communicate via the bus when the electronic device is running, and where the machine-readable instructions are executed by the processor to perform the steps of the method described above.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the above method.
The embodiment of the application provides a SaaS multi-tenant data isolation method, which comprises the steps of firstly, obtaining a data operation request sent by a current tenant through a terminal page; the data operation request carries the tenant identification and the data operation instruction of the current tenant; then, judging whether the current tenant is an entity tenant or not according to the tenant identification of each entity tenant in the entity tenant list and the tenant identification of the current tenant; finally, if the current tenant is the entity tenant, operating data according to the data operation instruction in an encrypted data table corresponding to the tenant identification of the current tenant to obtain a first operation result, and sending the first operation result to the terminal page; if the current tenant is a non-entity tenant, operating the data in a general data table according to the data operation instruction to obtain a second operation result, and sending the second operation result to the terminal page.
The method provided by the embodiment of the application can acquire the data operation request sent by the current tenant through the terminal page, compares the tenant identification in the data operation request with the tenant identification in the entity tenant list, operates the data in the encryption data table corresponding to the tenant identification of the current tenant when judging that the tenant is the entity tenant, and operates the data in the general data table when judging that the tenant is the non-entity tenant. The isolation method for the same database and different data tables is realized in the aspect of data isolation, and the requirement of sharing public data of multiple tenants in a big data application scene is maximally utilized, so that the resource waste is reduced, the development efficiency of SaaS products is improved, and the operation and maintenance cost is reduced.
In order to make the above objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a basic flow diagram of a method for data isolation of SaaS multi-tenancy provided in an embodiment of the present application;
Fig. 2 is a flow chart of a detailed SaaS multi-tenant data isolation method according to an embodiment of the present application;
Fig. 3 is a flow chart of another detailed SaaS multi-tenant data isolation method according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a device for data isolation of SaaS multi-tenants provided in an embodiment of the present application;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. The components of the embodiments of the present application generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the application, as presented in the figures, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. Based on the embodiments of the present application, every other embodiment obtained by a person skilled in the art without making any inventive effort falls within the scope of protection of the present application.
SaaS (Software as a Service) means providing software services over the internet. Enterprise-level applications today are increasingly challenged in SaaS multi-tenant scenarios, particularly in financial software services. According to research, most existing micro-service-based SaaS multi-tenant systems can only meet the isolation of the data and resources in the data, mainly in one of two ways: in the first, multiple tenants share one database instance and table, the data of multiple tenants is stored in the same table, and data isolation is realized through a tenant ID; in the second, each tenant uses an independent database instance, so that each tenant's data is isolated in a different database.
The existing schemes are mainly deficient in the following respects. If the same instance and table are used for isolation, the scheme distinguishes the data of multiple tenants in the same table of one database instance only by a tenant ID. This carries a certain potential safety hazard: if a malicious user guesses the IDs of other tenants and performs an injection attack, the user can obtain the data of other tenants, which is absolutely impermissible in a financial scenario. The second scheme fundamentally solves the security problem by physically isolating the data of each tenant, but because multiple database instances are used and each instance needs its own independent service, it indirectly increases the system cost and the operation and maintenance deployment difficulty. It is also difficult to expand in big data systems, and development cost increases greatly if multi-instance isolation has to be realized across several different databases.
The existing schemes lack a tenant isolation method that integrates data and resources; most can only satisfy one of the two, and traditional schemes have difficulty meeting the SaaS requirements of financial enterprise-level clients.
Based on this, the embodiment of the application provides a SaaS multi-tenant data isolation method that solves the problem of unified isolation of data and resources in a micro-service SaaS scenario.
Referring to fig. 1, fig. 1 is a basic flow chart of a method for SaaS multi-tenant data isolation according to an embodiment of the present application. As shown in fig. 1, a method for isolating SaaS multi-tenant data provided by an embodiment of the present application includes:
S101, acquiring a data operation request sent by a current tenant through a terminal page; the data operation request carries the tenant identification and the data operation instruction of the current tenant.
In step S101, a tenant is a client that uses system or computer computing resources, such as an enterprise organization or group that subscribes to the SaaS application as needed. The current tenant is the tenant that is currently accessing and operating the SaaS service. The terminal page is a page that can receive a data operation request entered by a tenant and return the processing result output by the computer. In this embodiment the terminal page may be a micro-service, where the micro-service refers to a solution of the SaaS multi-tenant data isolation method; the micro-service may be configured in a browser, and the tenant accesses the related micro-service through the browser. The device that displays the terminal page can be an electronic device such as a computer, a notebook computer, a tablet computer or a mobile phone, and the SaaS service provided on the related micro-service can be accessed through a browser. The data operation request is the request corresponding to the tenant's add, delete, modify and query operations on the data, and it comprises the tenant identification of the current tenant and a data operation instruction. The tenant identification is automatically generated for a tenant when the tenant accesses its terminal page, and each tenant corresponds to a unique tenant identification. The data operation instruction is the instruction corresponding to the tenant's operation on the database.
In implementation, the tenant may access the respective terminal page according to the independent domain name corresponding to each tenant, for example, the tenant a may access the terminal page of the tenant a according to "tenanta.knowlegene.com", where "tenantA" may be determined as the tenant identity of the tenant a, and the tenant B may access the terminal page of the tenant B according to "tenantb.knowlegene.com", where "tenantB" may be determined as the tenant identity of the tenant B.
S102, judging whether the current tenant is an entity tenant or not according to the tenant identification of each entity tenant in the entity tenant list and the tenant identification of the current tenant.
In this step S102, the entity tenant list refers to a list containing tenant identifications of all tenants, and the entity tenant refers to the tenant who has made the provisioning application, and the tenant identification of the tenant is in the entity tenant list. Comparing the tenant identification of the current tenant with the tenant identification of each entity tenant in the entity tenant list, and judging the current tenant as the entity tenant if the tenant identification of the current tenant is in the entity tenant list.
In the implementation, after the tenant performs the provisioning application and passes the application, an independent access domain name is generated for the tenant, the tenant is an entity tenant, and the tenant identifications of all the tenants performing the provisioning application are added into the entity tenant list.
S103, if the current tenant is an entity tenant, operating the data according to the data operation instruction in an encrypted data table corresponding to the tenant identification of the current tenant to obtain a first operation result, and sending the first operation result to the terminal page.
In step S103, the encrypted data table is a data table specific to one tenant: it is allocated to a single tenant and stores only that tenant's data. The encrypted data table can only be accessed by the tenant to which it belongs, so that the tenant's data is isolated and its security is ensured. The first operation result is the operation result obtained after the data operation is performed on the encrypted data table of the entity tenant.
In implementation, when the current tenant is judged to be an entity tenant, the corresponding encrypted data table is found according to the tenant identification of the entity tenant, the data in the encrypted data table is operated on according to the data operation instruction, and the result is sent to the terminal page of the entity tenant.
S104, if the current tenant is a non-entity tenant, operating the data in the general data table according to the data operation instruction to obtain a second operation result, and sending the second operation result to the terminal page.
In step S104, a non-entity tenant is an entity that has not performed an opening application and has no tenant identification. The data table that such an entity can access is the general data table, which all entities can access and operate on. The second operation result is the operation result obtained after the data operation is performed on the general data table.
In implementation, when the current tenant is judged to be a non-entity tenant, the data in the general data table is operated on according to the data operation instruction, and the result is sent to the terminal page of the non-entity tenant.
Through the above four steps, when a data operation request containing a tenant identification and a data operation instruction is received from the current tenant through a terminal page, the tenant identification is compared with the tenant identifications in the entity tenant list to judge whether the current tenant is an entity tenant. If so, the encrypted data table corresponding to that tenant identification is determined and the data operation is performed on it. Each data operation is therefore performed on the encrypted data table corresponding to the requesting tenant's identification, which isolates multi-tenant data in both data storage and data operation and improves the security of multi-tenant data isolation. Because the data is isolated in different data tables of the same database, only one database instance is used, which improves the development efficiency of SaaS products while reducing the operation and maintenance cost.
In specific implementation, the method further includes isolating resource environments among tenants. Tenant-based namespace resource environment isolation is the core resource isolation component, implemented with Kubernetes (a container-based basic service) namespaces, where a namespace can be understood as a combination of the following two cases:
Lateral isolation between tenants: lateral isolation can be understood as a set of software firewall policies between tenants, ensuring that the processes, network communication and users of each tenant's services are independent. One namespace contains a set of micro-services, each of which achieves resource isolation based on Linux CGroups (Linux Control Groups, a physical resource isolation mechanism).
Single-service resource isolation with CGroups: single-service resource isolation is supported by the CGroups provided by the Linux kernel, which cover CPU, memory, disk, network resources and the like. The program packages the service as an image based on the interface provided by the bottom layer to realize the resource limitation of a single service.
So that the judgment of whether the tenant is an entity tenant is faster and more accurate and no data operation request is missed, before judging whether the current tenant is an entity tenant according to the tenant identification of each entity tenant in the entity tenant list and the tenant identification of the current tenant, the method further includes:
intercepting a data operation request sent by the current tenant through the terminal page.
In implementation, the framework interceptor intercepts all data operation requests sent by terminal pages while the program is running. Its main function is to intercept the tenants' data operation requests and judge whether the tenant identification of the current tenant is one of the tenant identifications in the entity tenant list. Because the framework interceptor intercepts the data operation request, fewer requests operate directly on the data, and the request undergoes further security verification after interception, which improves the security of the data. Intercepting the tenants' data operation requests also makes the judgment of the current tenant's identification more accurate, improving the security of multi-tenant data isolation.
Referring to fig. 2, fig. 2 is a flowchart illustrating a detailed SaaS multi-tenant data isolation method according to an embodiment of the present application. As shown in fig. 2, includes:
S201, analyzing the data operation instruction to obtain a data operation statement corresponding to the data operation instruction.
In step S201, the data operation statement is the SQL (Structured Query Language) statement corresponding to the data operation instruction; each data operation instruction may have a corresponding data operation statement. In specific implementation, the SQL parser parses the received data operation instruction to obtain the corresponding SQL statement. The SQL parser is a database management tool in a database management system whose work is mainly divided into lexical analysis, syntax analysis, semantic analysis, optimization and code generation; the parsed code can be used to generate a syntax tree.
S202, adding the tenant identification to the data operation statement to obtain an identification additional statement.
S203, determining an encryption data table corresponding to the tenant identification of the current tenant according to the identification additional statement, operating the encryption data table according to the identification additional statement to obtain a first operation result, and sending the first operation result to the terminal page.
In the above steps S202 and S203, the tenant identification of the current tenant is added to the data operation statement parsed by the SQL parser: the value of the tenant identification is spliced onto the data operation statement, which yields the identification additional statement. The encryption data table corresponding to the tenant identification of the current tenant is then determined according to the identification additional statement. This converts the conventional data operation statement into an operation statement for multiple tenants, and the conventional data operation into an operation mode for multiple tenants. The data operation is performed according to the operation instruction in the encryption data table corresponding to the current tenant to obtain a first operation result, and the first operation result is sent to the terminal page corresponding to the current user.
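The following added example, which is not code from the patent, walks through the judging step and steps S201 to S203 with Python's sqlite3 module. The table names, tenant ids, the structured instruction format, the tenant_id column, and the choices to bind the tenant identification as a query parameter and to scope the general table by tenant as well are assumptions of this example; the per-tenant tables stand in for the encryption data tables, and encryption itself is not shown.

```python
import re
import sqlite3

# All names below are hypothetical and chosen for this example only.
TENANT_ID_RE = re.compile(r"[a-z0-9_]{1,32}")  # strict format, because the id ends up in a table name
ALLOWED_COLUMNS = {"id", "item"}               # columns a request is allowed to filter on
BASE_TABLE = "orders"


def make_db():
    """Constructed sample data: two entity tenants and one shared general table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE entity_tenant (tenant_id TEXT PRIMARY KEY);
        INSERT INTO entity_tenant VALUES ('acme'), ('globex');
        CREATE TABLE orders_acme    (id INTEGER, tenant_id TEXT, item TEXT);
        CREATE TABLE orders_globex  (id INTEGER, tenant_id TEXT, item TEXT);
        CREATE TABLE orders_general (id INTEGER, tenant_id TEXT, item TEXT);
        INSERT INTO orders_acme    VALUES (1, 'acme', 'pump'), (2, 'acme', 'valve');
        INSERT INTO orders_globex  VALUES (1, 'globex', 'pump');
        INSERT INTO orders_general VALUES (1, 'trial1', 'pump'), (2, 'trial2', 'pump');
    """)
    return db


def is_entity_tenant(db, tenant_id):
    """Judging step: the id must be present in the entity tenant table."""
    row = db.execute(
        "SELECT 1 FROM entity_tenant WHERE tenant_id = ?", (tenant_id,)
    ).fetchone()
    return row is not None


def parse_instruction(instruction):
    """S201: turn the data operation instruction into WHERE clauses plus bound values."""
    if instruction.get("action") != "select":
        raise ValueError("unsupported action")
    clauses, params = [], []
    for column, value in instruction.get("filters", {}).items():
        # Column names cannot be bound as parameters, so they come from an allowlist.
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {column}")
        clauses.append(f"{column} = ?")
        params.append(value)
    return clauses, params


def add_tenant(db, clauses, params, tenant_id):
    """S202/S203: add the tenant id to the statement and pick the target table."""
    if not isinstance(tenant_id, str) or not TENANT_ID_RE.fullmatch(tenant_id):
        raise PermissionError("malformed tenant id")
    if is_entity_tenant(db, tenant_id):
        # The id reaches the SQL text only after the format check and the table lookup.
        table = f"{BASE_TABLE}_{tenant_id}"
    else:
        table = f"{BASE_TABLE}_general"
    # The tenant value is bound, not spliced, so it can never alter the statement.
    where = " AND ".join(clauses + ["tenant_id = ?"])
    sql = f"SELECT id, item FROM {table} WHERE {where} ORDER BY id"
    return sql, params + [tenant_id]


def handle_request(db, tenant_id, instruction):
    """Interceptor entry point: every data operation request passes through here."""
    clauses, params = parse_instruction(instruction)
    sql, bound = add_tenant(db, clauses, params, tenant_id)
    return sql, db.execute(sql, bound).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, "acme", {"action": "select", "filters": {"item": "pump"}}))
    print(handle_request(db, "trial1", {"action": "select"}))
```

A request cannot name tenant_id as a filter column here, so the only tenant predicate in the final statement is the one the interceptor adds.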
Referring to fig. 3, fig. 3 is a flowchart illustrating another detailed method for SaaS multi-tenant data isolation according to an embodiment of the present application. As shown in fig. 3, in order to implement data isolation of multiple tenants, before performing data isolation, the tenants need to perform opening of resources, and start corresponding terminal pages for the tenants. Optionally, in the method for data isolation of SaaS multi-tenants provided by the embodiment of the present application, before obtaining a data operation request sent by a current tenant through a terminal page, the method further includes:
S301, acquiring an opening request of a current tenant, wherein the opening request carries tenant information of the current tenant.
S302, checking the tenant information, and if the checking is correct, generating environment configuration information corresponding to the current tenant according to the tenant information.
In the above steps S301 and S302, the opening request refers to an opening application submitted by the tenant in the tenant management system, for opening the corresponding SaaS service for the tenant. The tenant information refers to the basic information, contact information, and the like of the tenant, which are included in the tenant's opening request. The submitted tenant information is checked, and after it passes the check, environment configuration information corresponding to the tenant is generated according to the tenant information. The environment configuration information refers to parameters of the running environment of the current tenant in the current terminal page, including the tenant identification of the current tenant and the configuration information of the current tenant, for example the parameter information and the software environment information of the current tenant, namely: the computing resource configuration of the current tenant, such as central processing unit (CPU, Central Processing Unit), memory, disk, and network card; network type parameter configuration, such as interface rate, routing information, and mapping relation; and the configuration of the software environment. If the tenant information does not pass the audit, the tenant information is returned to the terminal page of the tenant, and after the tenant information is supplemented, the opening request is sent through the terminal page.
In specific implementation, the tenant information includes any one or more of the following information:
tenant enterprise names, tenant account numbers, tenant contacts, tenant mailboxes, tenant contact phones, and the like.
Wherein the tenant enterprise name refers to the name of an enterprise organization or group that subscribes to use the SaaS application on demand; the tenant account refers to an account of a tenant submitting an opening application and is used for logging in a SaaS application corresponding to the tenant; tenant contact refers to the name of the tenant submitting the opening application; the tenant mailbox refers to a mailbox to which the tenant contact belongs; the tenant contact phone refers to a contact phone to which the tenant contact person belongs, and in implementation, the contact phone may be a mobile phone number of the tenant or a fixed phone number of the enterprise organization or group.
S303, configuring corresponding resources based on environment configuration information corresponding to the current tenant, and starting a corresponding terminal page for the current tenant.
In step S303, corresponding resources are configured for the tenant based on the generated environment configuration information corresponding to the current tenant, resources such as a container memory, a CPU, a hard disk and the like are configured according to the minimum requirement of the tenant, and a corresponding terminal page is started for the current tenant based on the configured resources.
In implementation, after the tenant's opening request passes, a domain name that the tenant can access independently is generated according to the tenant identification in the tenant's environment configuration information, and the generated domain name is verified and tested. After the verification and test pass, a mail containing the account number and password for accessing the domain name is generated from a template and sent to the tenant mailbox given in the tenant information. Tenants can access their respective micro-services through their respective independent domain names.
In the step S303, the configuring the corresponding resource based on the environment configuration information corresponding to the current tenant and starting the corresponding terminal page for the current tenant includes:
step 3031, compiling the environment configuration information corresponding to the current tenant into the service image corresponding to the current tenant.
In step 3031, the service image refers to the carrier of the service. It contains the system environment on which the service runs, including the software and the necessary server or disk template configuration, and may also contain operating system or service data. The environment configuration information corresponding to the current tenant is compiled into a service image. The compiled data of each tenant's service image is different, and the service image contains the resources, environment, and system on which the current tenant depends, together with the environment configuration information corresponding to the current tenant.
Before compiling the service image, the method further comprises the following development flow:
A developer writes a Dockerfile in the development stage. A Dockerfile is a text file used to build an image; its content contains the instructions and descriptions required to build the image, and it describes the base image and the environment configuration on which the current service depends. A Dockerfile roughly includes the following statements:
FROM, for introducing a base image, in the syntax FROM image address;
MAINTAINER, for describing the maintainer of the current image;
ENV, for setting the character set and environment variables of the image environment;
ADD, for adding external file resources to the current image;
RUN, for the scripts to be executed while the image is being packaged;
CMD, for the scripts the image needs to execute when the container is started.
After the Dockerfile is written, it is submitted to the corresponding code base. After the code base captures the submit event, it triggers an automatic build program that starts packaging the service image.
The developer submits the code to the Git version library. Git is an open-source distributed version control system for handling projects of any size, large or small, in an agile and efficient way. The Git version library captures the push event sent by the developer: a program monitors push events on specified branches of the code library, and the packaging service is invoked after the event is triggered. Multiple branches, such as a development branch, a production branch, and a repair branch, are set up in the code library, and when a push event submitted on one of these branches is captured, the changed code is packaged and compiled. The compiling and packaging server packages and compiles the code according to its pre-configuration. If the compilation fails, the developer is notified by mail to locate the problem, and the code is modified and submitted again. Finally, the compiled image file is uploaded to an image server for subsequent service orchestration.
Step 3032, generating a corresponding instance based on the service image, and starting a terminal page corresponding to the current tenant according to the instance corresponding to the service image, wherein the terminal page at least comprises one instance corresponding to the service image.
In this step 3032, the instance corresponding to the service image refers to a copy of the executable program corresponding to each service image, and each different service image corresponds to a different instance for the tenant to perform data operation, and each terminal page may include at least one instance. After the compiling of the service image is completed, the service image corresponding to the current tenant is obtained according to the tenant identification of the current tenant, and a minimum service unit configuration file is generated according to the environment configuration information in the service image. The configuration file may be generated by the following code:
timeoutSeconds: 1
resources:
  limits:
    cpu: 1500m
    memory: 1500Mi
  requests:
    cpu: 200m
    memory: 300Mi
replicas: 2
The limits.cpu setting specifies the maximum CPU required by the current service, and limits.memory specifies the maximum memory resource required by the current service. The requests.cpu setting specifies the minimum required CPU, requests.memory specifies the minimum required memory resource, and replicas specifies the number of instances of the service image. The virtualization platform automatically scales out and in according to the service access pressure.
In implementation, if the service access pressure of the current tenant is too high, the instance is replicated according to the service image corresponding to the current tenant. The service access pressure refers to users accessing the terminal page corresponding to the current tenant. A user is someone who directly uses the SaaS service, and one tenant may include a plurality of users; for example, if enterprise A subscribes to the SaaS service, enterprise A is a tenant of the SaaS service, and an employee of enterprise A may become a user of the SaaS service. When too many users access the terminal page corresponding to the current tenant, the underlying cluster can replicate the instance in the terminal page according to the service image corresponding to the current tenant, so as to cope with the access pressure on the terminal page. In specific implementation, because the entire underlying cluster needs to remain stable and cannot be replicated and expanded without limit, an upper limit on the number of replicated instances, for example 5, may be set according to the size of the base resource pool, and replication stops after 5 instances have been replicated.
Optionally, when the corresponding terminal page is started for the current tenant, in order to ensure that the terminal page of the current tenant can be started normally, the SaaS data isolation method can be operated normally, and the method further includes:
step 3033, in the process of starting the corresponding terminal page for the current tenant, detecting whether the terminal page is started normally through an online page.
Step 3034, after the corresponding terminal page is started for the current tenant, monitoring and early warning are performed on the service state through the online page.
In the steps 3033 and 3034, in implementation, the online page detects the start-up of the terminal page and checks the nodes, to ensure that the SaaS multi-tenant data isolation method can operate normally. In the online page, the start-up log can be monitored to learn whether the start-up details of the terminal page are normal. If an abnormality occurs when a node is started, the code corresponding to that node in the online page turns red, and the terminal page is restarted automatically until the node returns to normal. If a serious configuration problem occurs, manual intervention is needed: the position of the abnormal node is sent to the developer by mail, and the developer starts a terminal page for the current tenant after making adjustments. After the terminal page has started normally, a monitoring program is embedded in the normal running process of the service image, so that index information of the running service image can be obtained in real time. All collected index information is put into the same database and presented in a monitoring page, and the monitoring page shows which tenant's index information is abnormal.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a SaaS multi-tenant data isolation device according to an embodiment of the present application. As shown in fig. 4, the apparatus includes:
an obtaining module 401, configured to obtain a data operation request sent by a current tenant through a terminal page; the data operation request carries the tenant identification and the data operation instruction of the current tenant;
A judging module 402, configured to judge whether the current tenant is an entity tenant according to the tenant identifier of each entity tenant in the entity tenant list and the tenant identifier of the current tenant;
A first sending module 403, configured to operate, if the current tenant is an entity tenant, on data according to a data operation instruction in an encrypted data table corresponding to a tenant identifier of the current tenant, obtain a first operation result, and send the first operation result to the terminal page;
and the second sending module 404 is configured to operate on the data according to the data operation instruction in the general data table if the current tenant is a non-entity tenant, obtain a second operation result, and send the second operation result to the terminal page.
Optionally, before the determining module 402 determines whether the current tenant is an entity tenant according to the tenant identifier of each entity tenant in the entity tenant list and the tenant identifier of the current tenant, the method further includes:
The interception module is used for intercepting the data operation request sent by the current tenant through the terminal page.
Optionally, the first sending module 403 includes:
The analysis unit is used for analyzing the data operation instruction to obtain a data operation statement corresponding to the data operation instruction;
An adding unit, configured to add the tenant identifier to the data operation statement, to obtain an identifier adding statement;
The determining unit is used for determining an encryption data table corresponding to the tenant identification of the current tenant according to the identification additional statement, operating the encryption data table according to the identification additional statement to obtain a first operation result, and sending the first operation result to the terminal page.
Optionally, before the obtaining module 401 obtains the data operation request sent by the current tenant through the terminal page, the method further includes:
The information acquisition module is used for acquiring an opening request of the current tenant, wherein the opening request carries tenant information of the current tenant;
the auditing module is used for auditing the tenant information, and if the auditing is correct, the environment configuration information corresponding to the current tenant is generated according to the tenant information;
The configuration module is used for configuring corresponding resources based on the environment configuration information corresponding to the current tenant and starting a corresponding terminal page for the current tenant.
Optionally, the configuration module includes:
The compiling unit is used for compiling the environment configuration information corresponding to the current tenant into the service image corresponding to the current tenant;
The starting unit is used for starting a terminal page corresponding to the current tenant according to the environment configuration information and the instance corresponding to the service image, wherein the terminal page at least comprises one instance corresponding to the service image.
Optionally, the tenant information includes any one or more of the following information:
tenant enterprise names, tenant account numbers, tenant contacts, tenant mailboxes, tenant contact phones, and the like.
Optionally, the SaaS multi-tenant data isolation device further includes:
the detection module is used for detecting whether the terminal page is started normally or not through an online page in the process of starting the corresponding terminal page for the current tenant;
And the monitoring and early warning module is used for monitoring and early warning the service state through the online page after the corresponding terminal page is started for the current tenant.
Referring to fig. 5, fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the application. As shown in fig. 5, the electronic device 500 includes a processor 510, a memory 520, and a bus 530.
The memory 520 stores machine-readable instructions executable by the processor 510, when the electronic device 500 is running, the processor 510 communicates with the memory 520 through the bus 530, and when the machine-readable instructions are executed by the processor 510, the steps of the SaaS multi-tenant data isolation method in the method embodiment shown in fig. 1 can be executed, so that the problems that in the prior art, a certain potential safety hazard exists in data isolation, the system cost and the operation and maintenance deployment difficulty are high, and the expansion is difficult in a big data scene system are solved, and the specific implementation can be referred to the method embodiment and is not repeated herein.
The embodiment of the application also provides a computer readable storage medium, and a computer program is stored on the computer readable storage medium, and when the computer program is run by a processor, the computer program can execute the steps of the SaaS multi-tenant data isolation method in the embodiment of the method shown in the figure 1, so that the problems that certain potential safety hazards exist in data isolation in the prior art, the system cost and the operation and maintenance deployment difficulty are high, and the expansion is difficult in a big data scene system are solved, and the specific implementation mode can be referred to the method embodiment and is not repeated.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided by the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer readable storage medium executable by a processor. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
It should be noted that: like reference numerals and letters in the following figures denote like items, and thus once an item is defined in one figure, no further definition or explanation of it is required in the following figures, and furthermore, the terms "first," "second," "third," etc. are used merely to distinguish one description from another and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that the above examples are only specific embodiments of the present application and are not intended to limit its scope, and the present application is not limited thereto. Although the present application has been described in detail with reference to the foregoing examples, it should be understood by those skilled in the art that any person skilled in the art may, within the technical scope of the present disclosure, modify the technical solutions described in the foregoing embodiments, easily conceive of changes to them, or perform equivalent substitution of some of the technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application. Therefore, the protection scope of the application is subject to the protection scope of the claims.

Claims (9)

1. A method of SaaS multi-tenant data isolation, the method comprising:
acquiring a data operation request sent by a current tenant through a terminal page; the data operation request carries the tenant identification and the data operation instruction of the current tenant;
judging whether the current tenant is an entity tenant or not according to the tenant identification of each entity tenant in the entity tenant list and the tenant identification of the current tenant;
If the current tenant is the entity tenant, operating data according to the data operation instruction in an encrypted data table corresponding to the tenant identification of the current tenant to obtain a first operation result, and sending the first operation result to the terminal page;
if the current tenant is a non-entity tenant, operating the data in a general data table according to the data operation instruction to obtain a second operation result, and sending the second operation result to the terminal page;
If the current tenant is the entity tenant, operating the data in the encrypted data table corresponding to the tenant identifier of the current tenant according to the data operation instruction to obtain a first operation result, and sending the first operation result to the terminal page, where the step of obtaining the first operation result includes:
analyzing the data operation instruction to obtain a data operation statement corresponding to the data operation instruction;
Adding the tenant identification into the data operation statement to obtain an identification additional statement;
determining an encryption data table corresponding to the tenant identification of the current tenant according to the identification additional statement, operating the encryption data table according to the identification additional statement to obtain the first operation result, and sending the first operation result to the terminal page.
2. The method of claim 1, wherein prior to determining whether the current tenant is an entity tenant based on the tenant identity of each entity tenant in the entity tenant list and the tenant identity of the current tenant, the method further comprises:
And intercepting the data operation request sent by the current tenant through the terminal page.
3. The method of claim 1, wherein prior to the obtaining the data operation request sent by the current tenant through the terminal page, the method further comprises:
Acquiring an opening request of the current tenant, wherein the opening request carries tenant information of the current tenant;
Checking the tenant information, and if the checking is correct, generating environment configuration information corresponding to the current tenant according to the tenant information;
And configuring corresponding resources based on the environment configuration information corresponding to the current tenant, and starting a corresponding terminal page for the current tenant.
4. The method of claim 3, wherein the configuring the corresponding resources based on the environment configuration information corresponding to the current tenant and starting the corresponding terminal page for the current tenant comprises:
compiling the environment configuration information corresponding to the current tenant into a service image corresponding to the current tenant;
And generating a corresponding instance based on the service image, and starting a terminal page corresponding to the current tenant according to the instance corresponding to the service image, wherein the terminal page at least comprises one instance corresponding to the service image.
5. A method according to claim 3, wherein the tenant information comprises any one or more of the following:
tenant enterprise names, tenant account numbers, tenant contacts, tenant mailboxes, tenant contact phones, and the like.
6. A method according to claim 3, characterized in that the method further comprises:
In the process of starting the corresponding terminal page for the current tenant, detecting whether the terminal page is started normally or not through an online page;
and after the corresponding terminal page is started for the current tenant, monitoring and early warning are carried out on the service state through the online page.
7. An apparatus for SaaS multi-tenant data isolation, comprising:
The acquisition module is used for acquiring a data operation request sent by the current tenant through the terminal page; the data operation request carries the tenant identification and the data operation instruction of the current tenant;
The judging module is used for judging whether the current tenant is an entity tenant or not according to the tenant identification of each entity tenant in the entity tenant list and the tenant identification of the current tenant;
The first sending module is used for operating the data according to the data operation instruction in the encrypted data table corresponding to the tenant identification of the current tenant if the current tenant is an entity tenant, obtaining a first operation result, and sending the first operation result to the terminal page;
the second sending module is used for operating the data in the general data table according to the data operation instruction if the current tenant is a non-entity tenant, obtaining a second operation result and sending the second operation result to the terminal page;
The first transmitting module includes:
The analysis unit is used for analyzing the data operation instruction to obtain a data operation statement corresponding to the data operation instruction;
An adding unit, configured to add the tenant identifier to the data operation statement, to obtain an identifier adding statement;
The determining unit is used for determining an encryption data table corresponding to the tenant identification of the current tenant according to the identification additional statement, operating the encryption data table according to the identification additional statement to obtain a first operation result, and sending the first operation result to the terminal page.
8. An electronic device, comprising: a processor, a memory and a bus, said memory storing machine readable instructions executable by said processor, said processor and said memory communicating via said bus when the electronic device is running, said machine readable instructions when executed by said processor performing the steps of a method of SaaS multi-tenant data isolation as claimed in any one of claims 1 to 6.
9. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a processor, performs the steps of a method of SaaS multi-tenant data isolation as claimed in any one of claims 1 to 6.
CN202011563870.1A 2020-12-25 2020-12-25 Method, device, equipment and medium for isolating SaaS multi-tenant data Active CN112596857B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011563870.1A CN112596857B (en) 2020-12-25 2020-12-25 Method, device, equipment and medium for isolating SaaS multi-tenant data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011563870.1A CN112596857B (en) 2020-12-25 2020-12-25 Method, device, equipment and medium for isolating SaaS multi-tenant data

Publications (2)

Publication Number Publication Date
CN112596857A CN112596857A (en) 2021-04-02
CN112596857B CN112596857B (en) 2024-06-21

Family

ID=75202204

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011563870.1A Active CN112596857B (en) 2020-12-25 2020-12-25 Method, device, equipment and medium for isolating SaaS multi-tenant data

Country Status (1)

Country Link
CN (1) CN112596857B (en)

Also Published As

Publication number Publication date
CN112596857A (en) 2021-04-02


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant