CN114301714B - Multi-tenant authority control method and system - Google Patents

Publication number: CN114301714B (application CN202210066705.8A; earlier publication CN114301714A)
Authority: China (CN)
Original language: Chinese (zh)
Inventors: 张智超, 王振众, 张哲�, 王泽群, 陈勇达
Assignee (original and current): Hangxiao Steel Structure Co Ltd
Legal status: Active (application granted)
Prior art keywords: user, tenant, client, authority, identification

Abstract

The embodiments of this application disclose a multi-tenant permission control method and system. The method comprises: determining the user type from the user account information sent by a client, and sending a user-type token and the user information to the client so that the user operates within that information; on a user operation request sent by the client, invoking a multi-tenant permission control model to check in a database whether the user's role-tenant relation identifier holds the permission identifier of the requested operation, and returning the result to the client; and on a data call request sent by the client, invoking the multi-tenant permission control model to check in the database whether the user's role-tenant relation identifier holds the permission identifier of the requested data, and, if so, fetching the corresponding data and returning it to the client. The client and the server thus check the user's requests for permission more than once, unauthorized operations are prevented, security is improved and the data redundancy of the database is reduced.

Description

Multi-tenant authority control method and system
Technical Field
The embodiments of this application relate to computer technology, in particular to a multi-tenant permission control method and system.
Background
As industrial informatization advances, permission control and the security of user access become more important.
A general business system usually adopts the conventional RBAC (Role-Based Access Control) model as its permission model. In a multi-tenant industrial system, however, a permission system designed on the conventional RBAC model makes the role table redundant and limits the scope of data isolation, so the data of the same user cannot be isolated between different tenants. Existing industrial systems also check user permissions only at the server. That single check easily leaves room for unauthorized operations and is a security risk.
Disclosure of Invention
Therefore, the embodiments of this application provide a multi-tenant permission control method and system in which the user's requests are checked for permission more than once, at the client and at the server, so that unauthorized operations are prevented, security is improved and the data redundancy of the database is reduced.
To this end, the embodiments of this application provide the following technical solutions:
According to a first aspect of the embodiments of this application, a multi-tenant permission control method is provided, comprising:
determining the user type of a user from the user account information sent by a client, and sending a user-type token and the user information to the client so that the user operates within that information; the user information comprises the user's basic information, the user's menu range and the user's permission range, and the basic information comprises the user's correspondence to roles and tenants;
on a user operation request sent by the client, invoking a multi-tenant permission control model to check in a database whether the user's role-tenant relation identifier holds the permission identifier of the requested operation, and returning the result to the client;
and on a data call request sent by the client, invoking the multi-tenant permission control model to check in the database whether the user's role-tenant relation identifier holds the permission identifier of the requested data, and, if so, fetching the corresponding data and returning it to the client.
Optionally, invoking the multi-tenant permission control model on a user operation request sent by the client to check in the database whether the user's role-tenant relation identifier holds the permission identifier of the operation comprises:
verifying the token carried by the operation request and, if the cache holds user information for that token, reading the user information from the cache;
from the user identifier and the tenant identifier, invoking the multi-tenant permission control model to query the role-tenant relation identifier and its operation permission identifiers from the database;
checking in the database whether one of those operation permission identifiers equals the permission identifier of the target operation requested by the user; if so, the user holds permission for the operation, otherwise the user does not.
Optionally, invoking the multi-tenant permission control model on a data call request sent by the client to check in the database whether the user's role-tenant relation identifier holds the permission identifier of the data comprises:
verifying the token carried by the data call request and, if the cache holds user information for that token, reading the user information from the cache;
from the user identifier and the tenant identifier, invoking the multi-tenant permission control model to query the role-tenant relation identifier and its data permission identifiers from the database;
checking in the database whether one of those data permission identifiers equals the permission identifier of the target data of the data call request; if so, the user holds permission for the data, otherwise the user does not.
Optionally, determining the user type of the user from the user account information sent by the client and sending a user-type token and the user information to the client comprises:
determining from the account information that the user is a single-tenant user, generating a single-tenant token, storing the single-tenant token and the user information in a cache as a key-value pair, and returning the single-tenant token and the user information to the client; or
determining from the account information that the user is a multi-tenant user, generating a temporary token, and sending the tenant list and the temporary token to the client so that, after the client's user selects a tenant, the user information is verified through the temporary token, the temporary token is deleted, a new multi-tenant token is generated, the multi-tenant token and the user information are stored in the cache as a key-value pair, and the multi-tenant token and the user information are returned to the client.
Optionally, the database comprises entity tables, relation tables and a permission table;
the entity tables comprise a user table, a tenant table, a role table and a resource table;
the relation tables comprise a user-tenant relation table, a user-role relation table and a role-tenant relation table.
Optionally, the user-tenant relation table binds users to tenants, and each row stores a primary-key relation identifier, a user identifier and a tenant identifier;
the user-role relation table binds users to roles, and each row stores a primary-key relation identifier, a user identifier and a role identifier;
the role-tenant relation table binds roles to tenants, and each row stores a relation identifier, a role identifier and a tenant identifier;
the permission table binds resources to role-tenant relations, and each row stores a primary-key permission identifier, a resource identifier and a role-tenant relation identifier.
Optionally, sending the user-type token and the user information to the client so that the user operates within that information comprises:
sending the user-type token and the user information to the client so that the client checks each user operation against the user's menu range and permission range and continues only if the operation is permitted.
According to a second aspect of the embodiments of this application, a multi-tenant permission control system is provided, comprising:
a type determination module, which determines the user type of a user from the user account information sent by a client and sends a user-type token and the user information to the client so that the user operates within that information; the user information comprises the user's basic information, menu range and permission range, and the basic information comprises the user's correspondence to roles and tenants;
an operation permission module, which, on a user operation request sent by the client, invokes the multi-tenant permission control model to check in the database whether the user's role-tenant relation identifier holds the permission identifier of the requested operation, and returns the result to the client;
and a data permission module, which, on a data call request sent by the client, invokes the multi-tenant permission control model to check in the database whether the user's role-tenant relation identifier holds the permission identifier of the requested data, and, if so, fetches the corresponding data and returns it to the client.
According to a third aspect of the embodiments of this application, an electronic device is provided, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor executing the computer program to perform the method of the first aspect.
According to a fourth aspect of the embodiments of this application, a computer-readable storage medium is provided, storing computer-readable instructions that a processor executes to implement the method of the first aspect.
In summary, the embodiments of this application provide a multi-tenant permission control method and system: the user type is determined from the account information sent by the client, and a user-type token and the user information (basic information including the user's correspondence to roles and tenants, the menu range and the permission range) are returned to the client; each operation request and each data call request is then checked through the multi-tenant permission control model against the permission identifiers bound to the user's role-tenant relation identifier in the database, and data is returned only when that check passes. The client and the server thus check the user's requests more than once, unauthorized operations are prevented, security is improved and the data redundancy of the database is reduced.
Drawings
To illustrate the embodiments of the present invention or the prior art more clearly, the drawings used in their description are briefly introduced below. It will be apparent to those of ordinary skill in the art that the following drawings are exemplary only and that other implementations can be derived from them without inventive effort.
The structures, proportions and sizes shown in this specification serve only for illustration and description and do not limit the scope of the invention, which is defined by the claims; structural modifications, changes of proportion or adjustments of size that do not affect the effect or the achievement of the invention fall within its scope.
Fig. 1 is a schematic diagram of the multi-tenant permission control flow provided in an embodiment of this application;
Fig. 2 is a block diagram of the permission control model provided in an embodiment of this application;
Fig. 3 is a schematic diagram of the data binding manner according to an embodiment of this application;
Fig. 4 is a block diagram of the multi-tenant permission control system provided in an embodiment of this application;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of this application;
Fig. 6 is a schematic diagram of a computer-readable storage medium according to an embodiment of this application.
Detailed Description
Further advantages of the present invention will become apparent to those skilled in the art from the following detailed description, which illustrates certain specific embodiments but not all of them. All other embodiments that those skilled in the art can derive from these embodiments without inventive effort fall within the scope of the invention.
Compared with the prior art, the multi-tenant permission control method adds the concept of a tenant to the original RBAC model. Data isolation between tenants is strengthened, the data redundancy of the database is reduced, and the permission control flow is extended so that user operations are checked twice, at the client and at the server, preventing a user from performing unauthorized operations through illegitimate paths.
Fig. 1 shows the multi-tenant permission control method provided in an embodiment of this application, which comprises:
step 101: determining the user type of a user from the user account information sent by a client, and sending a user-type token and the user information to the client so that the user operates within that information; the user information comprises the user's basic information, menu range and permission range, and the basic information comprises the user's correspondence to roles and tenants;
step 102: on a user operation request sent by the client, invoking a multi-tenant permission control model to check in a database whether the user's role-tenant relation identifier holds the permission identifier of the requested operation, and returning the result to the client;
step 103: on a data call request sent by the client, invoking the multi-tenant permission control model to check in the database whether the user's role-tenant relation identifier holds the permission identifier of the requested data, and, if so, fetching the corresponding data and returning it to the client.
In a possible implementation of step 101, determining the user type from the user account information and sending a user-type token and the user information to the client comprises:
determining from the account information that the user is a single-tenant user, generating a single-tenant token, storing the single-tenant token and the user information in a cache as a key-value pair, and returning both to the client; or determining from the account information that the user is a multi-tenant user, generating a temporary token, and sending the tenant list and the temporary token to the client so that, after the client's user selects a tenant, the user information is verified through the temporary token, the temporary token is deleted, a new multi-tenant token is generated, the multi-tenant token and the user information are stored in the cache as a key-value pair, and both are returned to the client.
In a possible implementation of step 102, invoking the multi-tenant permission control model on a user operation request to check in the database whether the user's role-tenant relation identifier holds the permission identifier of the operation comprises:
verifying the token carried by the operation request and, if the cache holds user information for that token, reading the user information from the cache; from the user identifier and the tenant identifier, invoking the multi-tenant permission control model to query the role-tenant relation identifier and its operation permission identifiers from the database; checking in the database whether one of those operation permission identifiers equals the permission identifier of the target operation; if so, the user holds permission for the operation, otherwise the user does not.
In a possible implementation of step 103, invoking the multi-tenant permission control model on a data call request to check in the database whether the user's role-tenant relation identifier holds the permission identifier of the data comprises:
verifying the token carried by the data call request and, if the cache holds user information for that token, reading the user information from the cache; from the user identifier and the tenant identifier, invoking the multi-tenant permission control model to query the role-tenant relation identifier and its data permission identifiers from the database; checking in the database whether one of those data permission identifiers equals the permission identifier of the target data; if so, the user holds permission for the data, otherwise the user does not.
In a possible implementation, the database comprises entity tables, relation tables and a permission table; the entity tables comprise a user table, a tenant table, a role table and a resource table; the relation tables comprise a user-tenant relation table, a user-role relation table and a role-tenant relation table.
The user-tenant relation table binds users to tenants, and each row stores a primary-key relation identifier, a user identifier and a tenant identifier.
The user-role relation table binds users to roles, and each row stores a primary-key relation identifier, a user identifier and a role identifier.
The role-tenant relation table binds roles to tenants, and each row stores a relation identifier, a role identifier and a tenant identifier.
The permission table binds resources to role-tenant relations, and each row stores a primary-key permission identifier, a resource identifier and a role-tenant relation identifier.
In a possible implementation of step 101, sending the user-type token and the user information to the client so that the user operates within that information comprises:
sending the user-type token and the user information to the client so that the client checks each user operation against the user's menu range and permission range and continues only if the operation is permitted.
Fig. 2 shows the RBAC model used by the multi-tenant permission control method of this embodiment. It incorporates the concept of a tenant: instead of binding users directly to roles, each role is first bound to a tenant, that role-tenant binding forms a single domain, and the user is then bound to the domain, so that the data a user obtains after logging in to different tenant platforms is mutually isolated. Each role must be bound to a tenant (a many-to-many relation), and the user is then bound to roles (also many-to-many), so every role a user holds exists within exactly one tenant. This achieves tenant isolation functionally; no role exists independently of a tenant, a role may exist in several tenants, but the concrete permissions of the role differ per tenant, giving layered control.
Fig. 3 is a schematic diagram of the data binding manner of this embodiment. When a user logs in and selects different tenants, the data range differs: data is isolated between tenants, the same data is never shown in several tenants at once, and the user can switch tenant to operate the corresponding data but cannot operate data across tenants. All data must be bound to its tenant.
The database used by the multi-tenant permission control method of this embodiment comprises entity tables, relation tables and a permission table. The entity tables comprise a user table, a tenant table, a role table and a resource table. The resource table stores resource information; its permas_flag field is the permission identifier, a user-defined permission string, and the range of these permission strings can be adjusted in the code layer according to the permission identifier. The permission table stores the permission information corresponding to the resource information.
The relation tables comprise a user-tenant relation table, a user-role relation table and a role-tenant relation table. Users and tenants are bound through the user-tenant relation table, each row storing a primary-key relation id, a user id and a tenant id. Users and roles are bound through the user-role relation table, each row storing a primary-key relation id, a user id and a role id. Roles and tenants are bound through the role-tenant relation table, each row storing a relation id, a role id and a tenant id.
Resources are bound to role-tenant relations through the permission table, each row storing a primary-key permission id, a resource id and a role-tenant relation id; through this table the same role carries different permissions in different tenants.
Each time the user requests an interface, the server performs a permission check and decides whether the interface request lies within the user's permission range; each time data is accessed, the server likewise performs the corresponding data permission check. User operations are thus checked twice, at the client and at the server, preventing a user from performing unauthorized operations through illegitimate paths. The client-side check works from the menu and permission ranges the server handed the client at login and keeps the interface consistent with the user's permissions; the server-side check is the one a user cannot skip, so it is performed on every request regardless of what the client did.
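As an added example (not code from the patent or its applicant), the tables and the two server-side checks described above can be modelled in Python with an in-memory SQLite database. The table and column names (rel_id, perms_flag, role_tenant_id, the project table and its resource_id column) and the sample users, tenants and permission strings are constructed assumptions. The block follows the lookup the text describes, from the user id and the tenant id to the role-tenant relation ids, then to the permission rows and the resources' permission strings, and shows three properties of the model: the same engineer role yields different permissions in the two tenants; a user who is not bound to a tenant gets nothing there even though the role is bound to that tenant; and a data call for another tenant's row is refused.

```python
import sqlite3

# Constructed schema following the page's entity, relation and permission tables.
# Table and column names (rel_id, perms_flag, role_tenant_id, project) are assumptions.
SCHEMA = """
CREATE TABLE user     (user_id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE);
CREATE TABLE tenant   (tenant_id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE role     (role_id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE resource (resource_id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                       perms_flag TEXT NOT NULL UNIQUE);   -- user-defined permission string
CREATE TABLE user_tenant (rel_id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
                          tenant_id INTEGER NOT NULL, UNIQUE (user_id, tenant_id));
CREATE TABLE user_role   (rel_id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
                          role_id INTEGER NOT NULL, UNIQUE (user_id, role_id));
CREATE TABLE role_tenant (rel_id INTEGER PRIMARY KEY, role_id INTEGER NOT NULL,
                          tenant_id INTEGER NOT NULL, UNIQUE (role_id, tenant_id));
-- a permission binds a resource to a role-tenant relation, never to a bare role
CREATE TABLE permission  (perm_id INTEGER PRIMARY KEY, resource_id INTEGER NOT NULL,
                          role_tenant_id INTEGER NOT NULL, UNIQUE (resource_id, role_tenant_id));
-- business data is bound to its tenant and to the resource that governs reading it (assumed)
CREATE TABLE project (project_id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL,
                      resource_id INTEGER NOT NULL, name TEXT NOT NULL);
"""


def build_demo_db():
    """Create the schema and load constructed sample data into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.executemany("INSERT INTO tenant VALUES (?, ?)", [(1, "Plant A"), (2, "Plant B")])
    conn.execute("INSERT INTO role VALUES (1, 'engineer')")
    conn.executemany("INSERT INTO resource VALUES (?, ?, ?)",
                     [(1, "project list", "project:view"), (2, "delete project", "project:delete")])
    # alice belongs to both tenants, bob only to Plant B; both hold the engineer role
    conn.executemany("INSERT INTO user_tenant VALUES (?, ?, ?)", [(1, 1, 1), (2, 1, 2), (3, 2, 2)])
    conn.executemany("INSERT INTO user_role VALUES (?, ?, ?)", [(1, 1, 1), (2, 2, 1)])
    # engineer exists in both tenants: rel 1 = engineer@Plant A, rel 2 = engineer@Plant B
    conn.executemany("INSERT INTO role_tenant VALUES (?, ?, ?)", [(1, 1, 1), (2, 1, 2)])
    # engineer@Plant A may view and delete projects; engineer@Plant B may only view
    conn.executemany("INSERT INTO permission VALUES (?, ?, ?)", [(1, 1, 1), (2, 2, 1), (3, 1, 2)])
    conn.executemany("INSERT INTO project VALUES (?, ?, ?, ?)",
                     [(101, 1, 1, "Bridge"), (201, 2, 1, "Tower")])
    conn.commit()
    return conn


def granted_flags(conn, user_id, tenant_id):
    """Permission strings the user holds in this tenant, following the page's lookup:
    user id + tenant id -> role-tenant relation ids -> permission rows -> resource flags."""
    member = conn.execute("SELECT 1 FROM user_tenant WHERE user_id = ? AND tenant_id = ?",
                          (user_id, tenant_id)).fetchone()
    if member is None:
        return set()   # not bound to this tenant: no permissions, whatever roles the user holds
    rows = conn.execute("""
        SELECT r.perms_flag
        FROM user_role ur
        JOIN role_tenant rt ON rt.role_id = ur.role_id AND rt.tenant_id = ?
        JOIN permission  p  ON p.role_tenant_id = rt.rel_id
        JOIN resource    r  ON r.resource_id = p.resource_id
        WHERE ur.user_id = ?""", (tenant_id, user_id)).fetchall()
    return {flag for (flag,) in rows}


def has_operation_permission(conn, user_id, tenant_id, operation_flag):
    """Operation check: is the requested operation's flag among the user's flags in this tenant?"""
    return operation_flag in granted_flags(conn, user_id, tenant_id)


def fetch_project(conn, user_id, tenant_id, project_id):
    """Data-call check: return the row only if it belongs to the current tenant and the
    user's role-tenant relation grants the resource flag that governs it."""
    row = conn.execute("SELECT tenant_id, resource_id, name FROM project WHERE project_id = ?",
                       (project_id,)).fetchone()
    if row is None:
        return None
    row_tenant, resource_id, name = row
    if row_tenant != tenant_id:
        return None    # cross-tenant access is refused even if the user is a member elsewhere
    (flag,) = conn.execute("SELECT perms_flag FROM resource WHERE resource_id = ?",
                           (resource_id,)).fetchone()
    if not has_operation_permission(conn, user_id, tenant_id, flag):
        return None
    return {"project_id": project_id, "tenant_id": row_tenant, "name": name}
```

The membership test against the user-tenant relation table at the top of granted_flags is what makes the model hold: without it, bob, who holds the engineer role, would inherit engineer@Plant A's permissions simply because the role is bound to that tenant. The tenant id used in the checks must come from the server-side session (the tenant chosen at login), never from a request parameter.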
A further embodiment of the multi-tenant permission control method provided in this application is described in detail below:
Step 1: the user enters an account and password on the login page and clicks the login button, and the client sends a login request to the server. After login, different users see different menu pages.
Step 2: the server authenticates the user's account and password. If authentication fails, a login-failure message is returned to the client; if it passes, step 3 is executed.
Step 3: from the user account information, the server decides whether the user is a multi-tenant or a single-tenant user. For a single-tenant user a single-tenant token is generated, the token and the user information are stored in the cache as a key-value pair, and both are returned to the client. For a multi-tenant user a temporary token is generated and sent to the client together with the tenant list; after the client's user selects a tenant, the user information is verified through the temporary token, the temporary token is deleted, a new multi-tenant token is generated, the token and the user information are stored in the cache as a key-value pair, and both are returned to the client. The user information comprises the user's basic information, menu range and permission range and is returned to the client as one collection.
Step 4: on receiving the response, the client renders the interface according to the user's menu range and permission range. When the user invokes a menu function, the client first checks the operation against the permission range it holds, and the server then verifies the operation request: the token carried by the request is verified and, if the cache holds user information for it, that information is read from the cache; from the user id and the tenant id the multi-tenant permission control model queries the role-tenant relation identifier and its operation permission identifiers from the database; the database is then checked for whether one of those identifiers equals the permission identifier of the target operation. If so, the user holds permission and the menu function request proceeds; otherwise the user is told that they lack permission for that menu function.
Step 5: on receiving a business-data call request from the client, the server invokes the multi-tenant permission control model and determines the user's data permission range from the user's current tenant and user information: the token carried by the data call request is verified and, if the cache holds user information for it, that information is read from the cache; from the user id and the tenant id the model queries the role-tenant relation identifier and its data permission identifiers from the database; the database is then checked for whether one of those identifiers equals the permission identifier of the target data. If so, the user holds the data permission and the corresponding data is fetched and returned to the client; otherwise the data permission is absent and nothing is returned.
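The login and token flow of steps 1 to 5, as an added Python example that is not the patent's or the applicant's code. The account records, the tenant names, the permission sets per (user, tenant) pair and the derivation of the menu range from the permission-string prefix are constructed assumptions; the role-tenant database lookup is replaced by the PERMISSIONS dictionary so the block runs stand-alone. It shows the two login paths (a single-tenant token straight away, or a temporary token plus tenant list that is exchanged for a multi-tenant token once a tenant is chosen), the key-value cache from token to user information, and the server-side authorization performed on every request. Two edge cases the text implies are handled explicitly: the temporary token is deleted the moment it is presented, so it cannot be replayed to select a second tenant, and it is never accepted for an operation request; and the tenant chosen at exchange must be one the user is bound to.

```python
import hashlib
import hmac
import secrets
import time


def make_user(user_id, password, tenants):
    """Constructed account record with a salted PBKDF2 password hash (step 2 needs it)."""
    salt = secrets.token_bytes(16)
    return {
        "user_id": user_id,
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "tenants": tenants,   # tenant_id -> tenant name: the user-tenant relation
    }


# Constructed sample data: alice is a multi-tenant user, bob a single-tenant user.
USERS = {
    "alice": make_user(1, "alice-pw", {1: "Plant A", 2: "Plant B"}),
    "bob": make_user(2, "bob-pw", {2: "Plant B"}),
}
# Assumed stand-in for the role-tenant lookup: (user_id, tenant_id) -> permission strings.
PERMISSIONS = {
    (1, 1): {"project:view", "project:delete"},
    (1, 2): {"project:view"},
    (2, 2): {"project:view"},
}


class AuthServer:
    TEMP_TTL = 120       # seconds a temporary token stays valid for tenant selection (assumed)
    SESSION_TTL = 3600   # seconds a single- or multi-tenant token stays valid (assumed)

    def __init__(self, users, permissions):
        self.users = users
        self.by_id = {u["user_id"]: u for u in users.values()}
        self.permissions = permissions
        self.cache = {}   # token -> cached entry: the key-value cache of the text

    def _check_password(self, user, password):
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
        return hmac.compare_digest(digest, user["pw_hash"])

    def login(self, username, password):
        """Steps 2 and 3: authenticate, then classify as single- or multi-tenant user."""
        user = self.users.get(username)
        if user is None or not self._check_password(user, password):
            return {"ok": False, "error": "login failed"}
        if len(user["tenants"]) == 1:
            tenant_id = next(iter(user["tenants"]))
            return self._issue_session(user["user_id"], tenant_id, "single")
        temp = secrets.token_urlsafe(32)
        self.cache[temp] = {"kind": "temp", "user_id": user["user_id"],
                            "expires": time.time() + self.TEMP_TTL}
        tenants = [{"tenant_id": t, "name": n} for t, n in user["tenants"].items()]
        return {"ok": True, "type": "multi", "temp_token": temp, "tenants": tenants}

    def select_tenant(self, temp_token, tenant_id):
        """Multi-tenant user chose a tenant: verify and delete the temporary token, issue the real one."""
        entry = self.cache.get(temp_token)
        if entry is None or entry["kind"] != "temp":
            return {"ok": False, "error": "invalid temporary token"}
        del self.cache[temp_token]   # single use: gone whether or not the exchange succeeds
        if entry["expires"] < time.time():
            return {"ok": False, "error": "temporary token expired"}
        user = self.by_id[entry["user_id"]]
        if tenant_id not in user["tenants"]:   # must be a tenant this user is bound to
            return {"ok": False, "error": "not a member of tenant"}
        return self._issue_session(user["user_id"], tenant_id, "multi")

    def _issue_session(self, user_id, tenant_id, kind):
        flags = self.permissions.get((user_id, tenant_id), set())
        info = {
            "user_id": user_id,
            "tenant_id": tenant_id,
            "menus": sorted({f.split(":")[0] for f in flags}),   # menu range (assumed: flag prefix)
            "perms": sorted(flags),                                # permission range in this tenant
        }
        token = secrets.token_urlsafe(32)
        self.cache[token] = {"kind": kind, "info": info, "expires": time.time() + self.SESSION_TTL}
        return {"ok": True, "type": kind, "token": token, "user_info": info}

    def authorize(self, token, flag):
        """Server-side check on every operation or data request (steps 4 and 5)."""
        entry = self.cache.get(token)
        if entry is None or entry["kind"] == "temp" or entry["expires"] < time.time():
            return False
        return flag in entry["info"]["perms"]
```

The tokens are random values from secrets.token_urlsafe and carry no user information themselves; everything about the user is looked up in the server-side cache, which is why the cache entry, not the token, records the tenant the user is acting in. When the cache is a shared store rather than a dictionary, give each key an expiry equal to the TTL used here so stale entries disappear on their own.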
In summary, the embodiments of this application provide a multi-tenant permission control method and system in which the user type and the user information (basic information including the user's correspondence to roles and tenants, the menu range and the permission range) are determined at login and returned with a user-type token; every operation request and data call request is then checked through the multi-tenant permission control model against the permission identifiers bound to the user's role-tenant relation identifier in the database, and data is returned only when that check passes. The client and the server thus check the user's requests more than once, unauthorized operations are prevented, security is improved and the data redundancy of the database is reduced.
Based on the same technical concept, the embodiments of this application further provide a multi-tenant permission control system, shown in Fig. 4, which comprises:
a type determination module 401, configured to determine the user type of a user from the user account information sent by a client and to send a user-type token and the user information to the client so that the user operates within that information; the user information comprises the user's basic information, menu range and permission range, and the basic information comprises the user's correspondence to roles and tenants;
an operation permission module 402, configured to invoke, on a user operation request sent by the client, the multi-tenant permission control model to check in the database whether the user's role-tenant relation identifier holds the permission identifier of the requested operation, and to return the result to the client;
and a data permission module 403, configured to invoke, on a data call request sent by the client, the multi-tenant permission control model to check in the database whether the user's role-tenant relation identifier holds the permission identifier of the requested data, and, if so, to fetch the corresponding data and return it to the client.
The embodiment of the application also provides electronic equipment corresponding to the method provided by the embodiment. Referring to fig. 5, a schematic diagram of an electronic device according to some embodiments of the present application is shown. The electronic device 20 may include: a processor 200, a memory 201, a bus 202 and a communication interface 203, the processor 200, the communication interface 203 and the memory 201 being connected by the bus 202; the memory 201 stores a computer program executable on the processor 200, and the processor 200 executes the method provided in any of the foregoing embodiments of the present application when the computer program is executed.
The memory 201 may include a high-speed random access memory (RAM), and may further include a non-volatile memory, such as at least one disk memory. The communication connection between the system network element and at least one other network element is implemented through at least one communication interface 203 (which may be wired or wireless), and the internet, a wide area network, a local network, a metropolitan area network, etc. may be used.
Bus 202 may be an ISA bus, a PCI bus, an EISA bus, or the like. The buses may be classified as address buses, data buses, control buses, etc. The memory 201 is configured to store a program, and the processor 200 executes the program after receiving an execution instruction, and the method disclosed in any of the foregoing embodiments of the present application may be applied to the processor 200 or implemented by the processor 200.
The processor 200 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor 200 or by instructions in the form of software. The processor 200 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed by it. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present application may be embodied directly in hardware, in a decoding processor, or in a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or another storage medium well known in the art. The storage medium is located in the memory 201; the processor 200 reads the information in the memory 201 and, in combination with its hardware, performs the steps of the above method.
The electronic device provided by the embodiment of the present application and the method provided by the embodiment of the present application are based on the same inventive concept, and the electronic device has the same beneficial effects as the method it adopts, runs or implements.
The present application further provides a computer readable storage medium corresponding to the method provided in the foregoing embodiments, referring to fig. 6, the computer readable storage medium is shown as an optical disc 30, on which a computer program (i.e. a program product) is stored, where the computer program, when executed by a processor, performs the method provided in any of the foregoing embodiments.
It should be noted that examples of the computer readable storage medium may also include, but are not limited to, a phase change memory (PRAM), a Static Random Access Memory (SRAM), a Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a flash memory, or other optical or magnetic storage medium, which will not be described in detail herein.
The computer readable storage medium provided by the above embodiments of the present application is based on the same inventive concept as the method provided by the embodiments of the present application, and has the same beneficial effects as the method adopted, run or implemented by the application program stored on it.
It should be noted that:
the algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose devices may also be used with the teachings herein. The required structure for the construction of such devices is apparent from the description above. In addition, the present application is not directed to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the present application as described herein, and the above description of specific languages is provided for disclosure of preferred embodiments of the present application.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the present application may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the application, various features of the application are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the application and aiding in the understanding of one or more of the various inventive aspects. However, this method of disclosure is not to be interpreted as reflecting an intention that the claimed application requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this application.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component and, furthermore, they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the present application and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
Various component embodiments of the present application may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that some or all of the functions of some or all of the components in the creation means of a virtual machine according to embodiments of the present application may be implemented in practice using a microprocessor or Digital Signal Processor (DSP). The present application may also be embodied as an apparatus or device program (e.g., computer program and computer program product) for performing a portion or all of the methods described herein. Such a program embodying the present application may be stored on a computer readable medium, or may have the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the application, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The application may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not denote any order; these words may be interpreted as names.
The foregoing is merely a preferred embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the technical scope of the present application should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (9)

1. A multi-tenant authority control method, the method comprising:
judging, according to user account information, that the user type of a user is a single-tenant user, generating a single-tenant token, storing the single-tenant token and user information in a cache as a key and a value, and returning the single-tenant token and the user information to a client; or judging, according to the user account information, that the user type of the user is a multi-tenant user, generating a temporary token, and sending a tenant list and the temporary token to the client so that, after the user of the client selects a tenant, the user information is verified through the temporary token, the temporary token is then deleted, a new multi-tenant token is generated, the multi-tenant token and the user information are stored in the cache as a key and a value, and the multi-tenant token and the user information are returned to the client so that the user operates according to the user information; the user information comprises user basic information, a user menu range and a user authority range; the user basic information comprises the corresponding relation between the user and the roles and the tenants;
according to a user operation request sent by the client, invoking a multi-tenant authority control model to judge whether the role and tenant relation identification of the user have the authority of the operation identification in a database, and returning a judgment result to the client;
and according to the data calling request sent by the client, calling a multi-tenant authority control model to judge whether the role and tenant relation identification of the user have the authority of the data identification in a database, and if so, calling corresponding data to return to the client.
2. The method of claim 1, wherein invoking the multi-tenant authority control model to judge in a database whether the role and tenant relation identification of the user has the authority of the operation identification according to the user operation request sent by the client comprises:
verifying according to the token carried by the user operation request, and if the token has corresponding user information in the cache, taking the user information out of the cache;
according to the user identification and the tenant identification, a multi-tenant authority control model is called to inquire the role and the tenant relation identification from a database and operate the authority identification;
inquiring in the database whether the operation authority identification is the same as the authority identification corresponding to the target operation requested by the user; if so, the user has the authority of the operation identification, and if not, the user does not have the authority of the operation identification.
3. The method of claim 1, wherein invoking the multi-tenant authority control model to judge in a database whether the role and tenant relation identification of the user has the authority of the data identification according to the data calling request sent by the client comprises:
verifying according to the token carried by the data call request, and if the token has corresponding user information in the cache, taking the user information out of the cache;
according to the user identification and the tenant identification, a multi-tenant authority control model is called to inquire roles and tenant relation identifications and data authority identifications from a database;
inquiring in the database whether the data authority identification is the same as the authority identification corresponding to the target data of the data call request; if so, the user has the authority of the data identification, and if not, the user does not have the authority of the data identification.
4. The method of claim 1, wherein the database comprises an entity class data table, a relationship table, and a rights table;
the entity class data table comprises a user table, a tenant table, a role table and a resource table;
the relation table comprises a relation table of users and tenants, a relation table of users and roles, and a relation table of roles and tenants.
5. The method of claim 4, wherein the user and tenant relation table is used to bind users to tenants, and each row in the table stores a primary key relation identification, a user identification and a tenant identification;
the user and role relation table is used for binding the user and the role, and each row in the table stores a main key relation identifier, a user identifier and a role identifier;
the role-tenant relation table is used for binding roles and tenants, and each row in the table stores a relation identifier, a role identifier and a tenant identifier;
the permission table is used for binding the relation between the resources and the roles and the tenant, and each row in the table stores a master key permission identifier, a resource identifier and a relation identifier between the roles and the tenant.
6. The method of claim 1, wherein sending the user type token and the user information to the client so that the user operates according to the user information comprises:
sending the user type token and the user information to the client so that the client judges the authority of the user operation according to the user menu range and the user authority range, and continues only if the user operation has the authority.
7. A multi-tenant authority control system, the system comprising:
a type judging module, used for judging, according to user account information, that the user type of a user is a single-tenant user, generating a single-tenant token, storing the single-tenant token and user information in a cache as a key and a value, and returning the single-tenant token and the user information to a client; or judging, according to the user account information, that the user type of the user is a multi-tenant user, generating a temporary token, and sending a tenant list and the temporary token to the client so that, after the user of the client selects a tenant, the user information is verified through the temporary token, the temporary token is then deleted, a new multi-tenant token is generated, the multi-tenant token and the user information are stored in the cache as a key and a value, and the multi-tenant token and the user information are returned to the client so that the user operates according to the user information; the user information comprises user basic information, a user menu range and a user authority range; the user basic information comprises the corresponding relation between the user and the roles and the tenants;
the operation authority judging module is used for calling the multi-tenant authority control model to judge whether the role of the user and the tenant relation identifier have the authority of the operation identifier in the database according to the user operation request sent by the client, and returning the judging result to the client;
and the data authority judging module is used for calling the multi-tenant authority control model to judge whether the role of the user and the tenant relation identification have the authority of the data identification in the database according to the data calling request sent by the client, and calling corresponding data to return to the client if the role of the user and the tenant relation identification have the authority of the data identification.
8. An electronic device, comprising: a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor, when running the computer program, implements the method according to any of claims 1-6.
9. A computer readable storage medium having stored thereon computer readable instructions executable by a processor to implement the method of any of claims 1-6.
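As an added illustration (not code from the patent or its applicant), the following Python sketches the model described in the summary above and in claims 1 through 5: the entity, relation and permission tables of claims 4 and 5 as in-memory dictionaries, the single-tenant versus temporary-token login of claim 1, and the token-to-cache-to-permission-table lookup of claims 2 and 3. All table names, identifiers, sample rows and token prefixes are constructed for the example and are not the patent's own.

```python
"""Toy multi-tenant authority control model (added illustration; all data constructed)."""
import secrets

# --- constructed sample "database" (entity tables of claim 4) ----------------
USERS = {"u1": "alice", "u2": "bob"}
TENANTS = {"t1": "tenant-A", "t2": "tenant-B"}
ROLES = {"r1": "admin", "r2": "viewer"}
# resources cover both operations (menu/button level) and data records
RESOURCES = {"op:export": "export button", "data:order-7": "order record 7"}

# --- relation tables (claims 4 and 5): (relation id, user id, tenant/role id) ---
USER_TENANT = [("ut1", "u1", "t1"), ("ut2", "u1", "t2"), ("ut3", "u2", "t1")]
USER_ROLE = [("ur1", "u1", "r1"), ("ur2", "u2", "r2")]
# role-tenant relation: relation id -> (role id, tenant id)
ROLE_TENANT = {"rt1": ("r1", "t1"), "rt2": ("r1", "t2"), "rt3": ("r2", "t1")}
# permission table (claim 5): permission id -> (resource id, role-tenant relation id)
PERMISSION = {
    "p1": ("op:export", "rt1"),     # admin of tenant-A may export
    "p2": ("data:order-7", "rt1"),  # admin of tenant-A may read order 7
    "p3": ("data:order-7", "rt3"),  # viewer of tenant-A may read order 7
}

CACHE = {}  # token -> user information (the key/value cache of claim 1)


def tenants_of(user_id):
    return [t for _, u, t in USER_TENANT if u == user_id]


def roles_of(user_id):
    return [r for _, u, r in USER_ROLE if u == user_id]


def build_user_info(user_id, tenant_id):
    """User information: basic info (user/role/tenant mapping), menu range, authority range."""
    rel_ids = [rid for rid, (r, t) in ROLE_TENANT.items()
               if t == tenant_id and r in roles_of(user_id)]
    granted = {res for res, rid in PERMISSION.values() if rid in rel_ids}
    return {
        "user_id": user_id, "tenant_id": tenant_id, "role_tenant_ids": rel_ids,
        "menu_range": sorted(r for r in granted if r.startswith("op:")),
        "authority_range": sorted(granted),
    }


def login(user_id):
    """Claim 1: decide the user type and issue a single-tenant or a temporary token."""
    tenants = tenants_of(user_id)
    if len(tenants) == 1:
        token = "st-" + secrets.token_hex(8)
        CACHE[token] = build_user_info(user_id, tenants[0])
        return {"type": "single", "token": token, "user_info": CACHE[token]}
    tmp = "tmp-" + secrets.token_hex(8)
    CACHE[tmp] = {"user_id": user_id, "pending": True}  # not yet bound to a tenant
    return {"type": "multi", "token": tmp, "tenants": tenants}


def select_tenant(tmp_token, tenant_id):
    """Claim 1, multi-tenant branch: verify via the temporary token, delete it, issue a new one."""
    info = CACHE.get(tmp_token)
    if not info or not info.get("pending") or tenant_id not in tenants_of(info["user_id"]):
        return None
    del CACHE[tmp_token]  # the temporary token is single-use
    token = "mt-" + secrets.token_hex(8)
    CACHE[token] = build_user_info(info["user_id"], tenant_id)
    return {"token": token, "user_info": CACHE[token]}


def has_authority(token, resource_id):
    """Claims 2 and 3: token -> cached user info -> role-tenant relation -> permission row.

    The server re-checks against the permission table even though the client has
    already filtered by menu and authority range, so a client that skips its own
    check gains nothing: the decision is made on the server's data, not the client's.
    """
    info = CACHE.get(token)
    if not info or info.get("pending"):
        return False  # unknown token, or a temporary token that never selected a tenant
    return any(res == resource_id and rid in info["role_tenant_ids"]
               for res, rid in PERMISSION.values())


def fetch_data(token, data_id):
    """Claim 3: return the record only when the data authority check passes."""
    return RESOURCES.get(data_id) if has_authority(token, data_id) else None
```

Note that in this sketch a user's authority is keyed by the role-tenant relation, so the same user holding the same role in two tenants gets two different sets of permissions; that is what lets a tenant-bound token deny a request that the same user could make after selecting the other tenant.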
CN202210066705.8A 2022-01-20 2022-01-20 Multi-tenant authority control method and system Active CN114301714B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210066705.8A CN114301714B (en) 2022-01-20 2022-01-20 Multi-tenant authority control method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210066705.8A CN114301714B (en) 2022-01-20 2022-01-20 Multi-tenant authority control method and system

Publications (2)

Publication Number Publication Date
CN114301714A CN114301714A (en) 2022-04-08
CN114301714B true CN114301714B (en) 2024-01-19

Family

ID=80978189

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210066705.8A Active CN114301714B (en) 2022-01-20 2022-01-20 Multi-tenant authority control method and system

Country Status (1)

Country Link
CN (1) CN114301714B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115118765B (en) * 2022-06-20 2024-04-05 北京京东乾石科技有限公司 Service processing method, device, electronic equipment and storage medium
CN115827205B (en) * 2023-01-10 2023-05-30 北京有生博大软件股份有限公司 Permission scheduling method and system based on multi-tenant mode
CN117313051B (en) * 2023-09-12 2024-07-05 天翼爱音乐文化科技有限公司 Multi-tenant unified authority management method, system, device and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108600177A (en) * 2018-03-27 2018-09-28 北京明朝万达科技股份有限公司 A kind of authority control method and device
CN109214151A (en) * 2018-09-28 2019-01-15 北京赛博贝斯数据科技有限责任公司 The control method and system of user right
CN109670336A (en) * 2018-12-20 2019-04-23 福建南威软件有限公司 A kind of cloud management method of multistage application
CN109829336A (en) * 2019-02-12 2019-05-31 浪潮软件股份有限公司 A kind of management method and device of menu permission
CN111400676A (en) * 2020-02-28 2020-07-10 平安国际智慧城市科技股份有限公司 Service data processing method, device, equipment and medium based on sharing authority
CN111641627A (en) * 2020-05-26 2020-09-08 深圳壹账通智能科技有限公司 User role authority management method and device, computer equipment and storage medium
CN112019543A (en) * 2020-08-27 2020-12-01 四川长虹电器股份有限公司 Multi-tenant permission system based on BRAC model

Also Published As

Publication number Publication date
CN114301714A (en) 2022-04-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant