CN114760134B - Multi-tenant isolation method and related device - Google Patents

Publication number
CN114760134B
Authority
CN
China
Prior art keywords
tenant
target
isolation
user
service data
Legal status
Active
Application number
CN202210403196.3A
Other languages
Chinese (zh)
Other versions
CN114760134A (en
Inventor
梁艺
吴秋林
贺禹铟
姜远胜
何礼仁
Current Assignee
Chengdu Xingyun Zhilian Technology Co ltd
Original Assignee
Chengdu Xingyun Zhilian Technology Co ltd
Application filed by Chengdu Xingyun Zhilian Technology Co ltd
Priority to CN202210403196.3A
Publication of CN114760134A
Application granted
Publication of CN114760134B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2433 Query languages
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2453 Query optimisation
    • G06F16/24534 Query rewriting; Transformation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The application discloses a multi-tenant isolation method applied to a multi-tenant isolation component, comprising the following steps: determining a target isolation scheme according to the isolation scheme configuration information; while executing the target isolation scheme, after receiving a business data query request from a user, determining a target tenant and a target ledger; reading business data from a database according to the ID of the target tenant and the ID of the target ledger; and returning the read business data to the user. The method can reduce the communication cost of multi-team collaborative development, avoid the resource waste caused by repeated development, reduce system coupling, and realize multi-level isolation across multiple tenants and multiple ledgers. The application also discloses a multi-tenant isolation device, equipment and a computer-readable storage medium, which have the same technical effects.

Description

Multi-tenant isolation method and related device
Technical Field
The application relates to the technical field of business data security, and in particular to a multi-tenant isolation method; it also relates to a multi-tenant isolation device, equipment and a computer-readable storage medium.
Background
A SaaS platform is a platform that operates SaaS software. During software development on a SaaS platform, tenant isolation technology is required to keep business data isolated between users and thereby ensure its security. At present, software development on SaaS platforms in the industry mainly proceeds as follows: first, a unified tenant isolation specification is determined; the specification is then communicated to every software service development team, and each team develops according to it. In this process every software service development team has to implement tenant isolation itself and has to take tenant isolation logic into account while developing business functions. In multi-team collaborative development this increases communication cost, wastes resources through repeated development, and produces high coupling, which hinders later extension.
In view of this, how to reduce the communication cost of multi-team collaborative development, avoid the resource waste caused by repeated development, and reduce system coupling has become a technical problem to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide a multi-tenant isolation method that can reduce the communication cost of multi-team collaborative development, avoid the resource waste caused by repeated development, reduce system coupling, and realize multi-level isolation across multiple tenants and multiple ledgers. Another object of the present application is to provide a multi-tenant isolation device, apparatus and computer-readable storage medium, all of which have the above technical effects.
In order to solve the above technical problems, the present application provides a multi-tenant isolation method, applied to a multi-tenant isolation component, which includes:
determining a target isolation scheme according to the isolation scheme configuration information;
while executing the target isolation scheme, after receiving a business data query request from a user, determining a target tenant and a target ledger;
reading business data from a database according to the ID of the target tenant and the ID of the target ledger;
and returning the read business data to the user.
Optionally, reading the business data from the database according to the ID of the target tenant and the ID of the target ledger includes:
constructing a logical query SQL statement, and adding the ID of the target tenant and the ID of the target ledger to the logical query SQL statement;
and reading business data from the database according to the logical query SQL statement to which the ID of the target tenant and the ID of the target ledger have been added.
Optionally, before determining the target tenant and the target ledger, the method further includes:
performing user authentication on the user;
and when the user authentication passes, determining the target tenant and the target ledger.
Optionally, before the business data is read from the database according to the ID of the target tenant and the ID of the target ledger, the method further includes:
performing access right verification on the user;
and when the access right verification passes, reading business data from the database according to the ID of the target tenant and the ID of the target ledger.
Optionally, the target isolation scheme is an isolation scheme of an independent business database architecture, or an isolation scheme of a shared business database and isolated business data architecture, or an isolation scheme of a shared business database and shared business data architecture.
Optionally, the method further comprises:
when saving tenant business data, saving tenant information; the tenant information comprises a tenant ID and a ledger ID.
In order to solve the technical problem, the application also provides a multi-tenant isolation device, which comprises:
a first determining module, used for determining a target isolation scheme according to the isolation scheme configuration information;
a second determining module, used for determining a target tenant and a target ledger after receiving a business data query request from a user while the target isolation scheme is being executed;
a reading module, used for reading business data from the database according to the ID of the target tenant and the ID of the target ledger;
and a sending module, used for returning the read business data to the user.
Optionally, the device further comprises:
a storage module, used for storing tenant information when storing tenant business data; the tenant information comprises a tenant ID and a ledger ID.
In order to solve the technical problem, the present application further provides a multi-tenant isolation device, including:
a memory for storing a computer program;
a processor for implementing the steps of the multi-tenant isolation method as described in any one of the above when executing the computer program.
To solve the above technical problem, the present application further provides a computer-readable storage medium on which a computer program is stored, which when executed by a processor implements the steps of the multi-tenant isolation method as described in any one of the above.
The multi-tenant isolation method provided by the application is applied to a multi-tenant isolation component and comprises the following steps: determining a target isolation scheme according to the isolation scheme configuration information; while executing the target isolation scheme, after receiving a business data query request from a user, determining a target tenant and a target ledger; reading business data from a database according to the ID of the target tenant and the ID of the target ledger; and returning the read business data to the user.
The method therefore provides a multi-tenant isolation component that works out of the box. A software developer on the SaaS platform does not need to pay attention to tenant isolation during development, and a service does not need to implement any tenant isolation logic of its own, because tenant isolation is completed automatically by the multi-tenant isolation component. This greatly reduces the communication cost of multi-team collaborative development, avoids the resource waste caused by repeated development, and reduces system coupling. In addition, the method can realize multi-level isolation across multiple tenants and multiple ledgers.
The multi-tenant isolation device, the equipment and the computer-readable storage medium provided by the application have the same technical effects.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required in the prior art and the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a multi-tenant isolation method according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a tenant architecture according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a business data storage flow provided in an embodiment of the present application;
Fig. 4 is a schematic diagram of a business data query flow provided in an embodiment of the present application;
Fig. 5 is a schematic diagram of a multi-tenant isolation device according to an embodiment of the present application;
Fig. 6 is a schematic diagram of a multi-tenant isolation device according to an embodiment of the present application.
Detailed Description
The core of the application is to provide a multi-tenant isolation method that can reduce the communication cost of multi-team collaborative development, avoid the resource waste caused by repeated development, reduce system coupling, and realize multi-level isolation across multiple tenants and multiple ledgers. Another core of the present application is to provide a multi-tenant isolation device, apparatus and computer-readable storage medium, all of which have the above technical effects.
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Fig. 1 is a flow chart of a multi-tenant isolation method according to an embodiment of the present application. Referring to Fig. 1, the method includes:
S101: determining a target isolation scheme according to the isolation scheme configuration information;
The multi-tenant isolation method is realized by running a multi-tenant isolation component. The essence of a multi-tenant technical architecture is to provide tenant isolation for software and to ensure business data isolation within the same system. To ensure isolation, different isolation schemes have to be implemented according to the actual situation. In this embodiment, the multi-tenant isolation component integrates multiple isolation schemes, and a user can select the required one through configuration. The multi-tenant isolation component determines the isolation scheme required by the user, namely the target isolation scheme, according to the isolation scheme configuration information, and then uses the target isolation scheme to carry out multi-tenant isolation.
The target isolation scheme is an isolation scheme of an independent business database architecture, or an isolation scheme of a shared business database and isolated business data architecture, or an isolation scheme of a shared business database and shared business data architecture.
The independent business database architecture means one business database per tenant; this isolation scheme gives the highest level of user business data isolation. The shared business database and isolated business data architecture means that multiple or all tenants share the business database, with one Schema per tenant. The shared business database and shared business data architecture means that tenants share the same business database and the same Schema, and tenant business data is distinguished within a table by tenant fields. This last isolation scheme has a high degree of sharing but a low isolation level.
After the user has configured the required isolation scheme, the multi-tenant isolation component determines the target isolation scheme from these three isolation schemes according to the isolation scheme configuration information.
S102: while executing the target isolation scheme, after receiving a business data query request from a user, determining a target tenant and a target ledger;
After determining the target isolation scheme, the multi-tenant isolation component uses it to carry out multi-tenant isolation. While the target isolation scheme is being executed, tenant information is filtered automatically. Specifically, after a business data query request is received from a user, a target tenant and a target ledger are determined. The target tenant is the tenant to which the user belongs. The target ledger is the ledger to which the user belongs. A ledger is subordinate to a tenant.
There may be multiple ledgers in each tenant, and there may also be sub-ledgers under each ledger. Business data is isolated between ledgers. The tenant layer builds a shared space, which every ledger can share.
Taking a group company as an example, there is generally a hierarchy of group, company and subsidiary. The group is the tenant, the company is a ledger in the tenant, and the subsidiary is a sub-ledger under that ledger. The organization structure and personnel of the whole group can be shared at the tenant level. A ledger can have custom business function isolation.
For example, referring to Fig. 2, tenant 1 and tenant 2 each have a top-level ledger, with two secondary ledgers under the top-level ledger and two bottom-level ledgers under each secondary ledger. If the tenant to which the user belongs is tenant 1 and the ledger to which the user belongs is secondary ledger 1 under tenant 1, then the target tenant is tenant 1 and the target ledger is secondary ledger 1.
In some embodiments, before determining the target tenant and the target ledger, the method may further include:
performing user authentication on the user, for example authenticating the user's login information; and when the user authentication passes, determining the target tenant and the target ledger. Conversely, if the user authentication does not pass, the next step is not performed.
S103: reading business data from a database according to the ID of the target tenant and the ID of the target ledger;
S104: returning the read business data to the user.
After the target tenant and the target ledger are determined, business data is read from the database according to the ID of the target tenant and the ID of the target ledger, so that only business data belonging to the user's target ledger under the target tenant can be read. After the business data is read, it is returned to the user.
For example, when the target tenant is tenant 1 and the target ledger is secondary ledger 1, the business data is read from the database according to the ID of tenant 1 and the ID of ledger 1, and only the business data of the user belonging to ledger 1 under tenant 1 can be read.
In some embodiments, reading business data from a database according to the ID of the target tenant and the ID of the target ledger may include:
constructing a logical query SQL statement, and adding the ID of the target tenant and the ID of the target ledger to the logical query SQL statement;
and reading business data from the database according to the logical query SQL statement to which the ID of the target tenant and the ID of the target ledger have been added.
Specifically, the business logic query service constructs a logical query SQL statement and passes it to the SQL rewriter. The SQL rewriter rewrites the statement, adding the ID of the target tenant and the ID of the target ledger to it. Finally, business data is queried and read from the database using the rewritten statement, which now carries the ID of the target tenant and the ID of the target ledger.
In some embodiments, before reading the business data from the database according to the ID of the target tenant and the ID of the target ledger, the method may further include:
performing access right verification on the user; and when the access right verification passes, reading business data from the database according to the ID of the target tenant and the ID of the target ledger. Conversely, if the access right verification does not pass, the next step is not performed.
In some embodiments, the method further comprises:
when saving tenant business data, saving tenant information; the tenant information comprises a tenant ID and a ledger ID. Referring to Fig. 3, when data is stored through a business function data storage interface, tenant information is stored automatically, so that tenant information is implanted by proxy.
In one embodiment, as shown in Fig. 4, multi-tenant isolation includes automatically saving tenant information when business data is saved and automatically filtering by tenant information when business data is queried. The flow of automatic tenant information filtering during a data query is as follows:
The user initiates a business logic query. After central authentication has verified the user, identified the tenant and ledger, and verified access rights, the business logic query is performed. The business logic service constructs a logical query SQL statement. The SQL rewriter rewrites the logical query SQL statement, adding the tenant ID and ledger ID as filtering conditions. Business data is queried from the database according to the rewritten statement and returned to the user.
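The rewrite step of this query flow, as an added sketch for the shared-database, shared-Schema scheme; it is not code from the patent. The `orders` table, the `tenant_id` and `ledger_id` column names, the `iso_*` bind names and the restriction to single-table SELECT statements are all assumptions of the example, and the sample rows are constructed.

```python
import re
import sqlite3
from dataclasses import dataclass

# Assumed names: the tenant/ledger columns and the reserved bind parameters.
FILTER = "tenant_id = :iso_tenant_id AND ledger_id = :iso_ledger_id"
RESERVED = {"iso_tenant_id", "iso_ledger_id"}
_LITERAL = re.compile(r"'(?:[^']|'')*'")
_KEYWORD = re.compile(
    r"\b(SELECT|FROM|WHERE|GROUP\s+BY|HAVING|ORDER\s+BY|LIMIT|"
    r"UNION|INTERSECT|EXCEPT|JOIN)\b", re.I)


class RewriteError(Exception):
    """The rewriter cannot prove the statement will be tenant-scoped."""


@dataclass(frozen=True)
class TenantContext:
    tenant_id: int
    ledger_id: int


def _scan(sql):
    """Return (keyword, start, end, depth) hits found outside string literals."""
    hits, depth, i = [], 0, 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            literal = _LITERAL.match(sql, i)
            if not literal:
                raise RewriteError("unterminated string literal")
            i = literal.end()
            continue
        if ch in ';"' or sql.startswith(("--", "/*"), i):
            raise RewriteError("stacked statement, comment or quoted name")
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            raise RewriteError("unbalanced parentheses")
        hit = _KEYWORD.match(sql, i)
        if hit:
            name = " ".join(hit.group(1).upper().split())
            hits.append((name, hit.start(), hit.end(), depth))
        i = hit.end() if hit else i + 1
    if depth:
        raise RewriteError("unbalanced parentheses")
    return hits


def rewrite(sql, ctx, params=None):
    """Return (sql, params) with the tenant and ledger predicate forced in."""
    if ctx is None:
        raise RewriteError("no tenant context; refusing to query")
    bound = dict(params or {})
    if RESERVED.intersection(bound):
        raise RewriteError("caller may not bind the isolation parameters")
    sql = sql.strip()
    hits = _scan(sql)
    top = [h for h in hits if h[3] == 0]
    simple = (len(top) >= 2 and top[0][:2] == ("SELECT", 0)
              and top[1][0] == "FROM"
              and not any(h[0] in ("SELECT", "UNION", "INTERSECT", "EXCEPT",
                                   "JOIN") for h in hits[1:]))
    if not simple:
        raise RewriteError("only single-table SELECT statements are rewritten")
    nxt = top[2] if len(top) > 2 else None
    table_end = nxt[1] if nxt else len(sql)
    if not re.fullmatch(r"\s*[A-Za-z_]\w*\s*", sql[top[1][2]:table_end]):
        raise RewriteError("FROM must name exactly one table")
    if nxt and nxt[0] == "WHERE":
        after = top[3][1] if len(top) > 3 else len(sql)
        # Parenthesise the caller's condition so its OR cannot outrank our AND.
        cond = sql[nxt[2]:after].strip()
        out = f"{sql[:nxt[1]]}WHERE ({FILTER}) AND ({cond}) {sql[after:]}"
    else:
        out = f"{sql[:table_end].rstrip()} WHERE {FILTER} {sql[table_end:]}"
    bound.update(iso_tenant_id=ctx.tenant_id, iso_ledger_id=ctx.ledger_id)
    return out.strip(), bound


def fetch_ids(sql, params):
    """Run sql against an in-memory table of constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id, tenant_id, ledger_id, status, amount)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", [
        (1, 1, 1, "open", 100), (2, 1, 1, "paid", 50),
        (3, 1, 2, "open", 70), (4, 2, 1, "open", 999)])
    return sorted(row[0] for row in db.execute(sql, params))


if __name__ == "__main__":
    ctx = TenantContext(tenant_id=1, ledger_id=1)
    logical = "SELECT id FROM orders WHERE amount > :min OR status = 'open'"
    sql, args = rewrite(logical, ctx, {"min": 60})
    print("rewritten:", fetch_ids(sql, args))
    # Fragile variant: a bare append lets the caller's OR escape the filter.
    print("appended: ", fetch_ids(f"{logical} AND {FILTER}", args))
```

Statements the rewriter cannot classify raise `RewriteError` instead of running unfiltered, so an unsupported query shape fails closed.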
In the above embodiment, automatically saving tenant information when business data is stored and automatically filtering by tenant information when business data is queried both presuppose that the multi-tenant isolation component has tenant information filtering interception enabled. If tenant information filtering interception is disabled, the component no longer saves tenant information while it runs and no longer performs tenant information filtering and interception on business data, and tenant sharing can then be realized. Thus, the multi-tenant isolation component can realize tenant sharing while also supporting multi-tenant isolation.
In a multi-tenant system there are two modes, local multi-tenant and central multi-tenant. In the local multi-tenant mode, each business system has its own tenant management center, and the tenant information communicated between multiple business systems is not consistent. In the central multi-tenant mode, multiple businesses share one tenant management center, and the tenant information communicated between multiple business systems is consistent.
In summary, the multi-tenant isolation method provided by the application provides a multi-tenant isolation component that works out of the box. A software developer on the SaaS platform does not need to pay attention to tenant isolation during development, and a service does not need to implement any tenant isolation logic of its own, because tenant isolation is completed automatically by the multi-tenant isolation component. This greatly reduces the communication cost of multi-team collaborative development, avoids the resource waste caused by repeated development, and reduces system coupling. In addition, the method can realize multi-level isolation across multiple tenants and multiple ledgers.
The application also provides a multi-tenant isolation device; the device described below and the method described above may be read in correspondence with each other. Fig. 5 is a schematic diagram of a multi-tenant isolation device according to an embodiment of the present application. Referring to Fig. 5, the device includes:
a first determining module 10, configured to determine a target isolation scheme according to the isolation scheme configuration information;
a second determining module 20, configured to determine a target tenant and a target ledger after receiving a business data query request from a user while the target isolation scheme is being executed;
a reading module 30, configured to read business data from a database according to the ID of the target tenant and the ID of the target ledger;
and a sending module 40, configured to return the read business data to the user.
On the basis of the above embodiment, as a specific implementation manner, the reading module 30 includes:
a construction unit, used for constructing a logical query SQL statement and adding the ID of the target tenant and the ID of the target ledger to the logical query SQL statement;
and a reading unit, used for reading the business data from the database according to the logical query SQL statement to which the ID of the target tenant and the ID of the target ledger have been added.
On the basis of the above embodiment, as a specific implementation manner, the device further includes:
a user authentication module, used for performing user authentication on the user;
when the user authentication passes, the second determining module 20 determines the target tenant and the target ledger.
On the basis of the above embodiment, as a specific implementation manner, the device further includes:
a permission verification module, used for verifying the access right of the user;
when the access right verification passes, the reading module 30 reads the business data from the database according to the ID of the target tenant and the ID of the target ledger.
On the basis of the above embodiment, as a specific implementation manner, the target isolation scheme is an isolation scheme of an independent business database architecture, or an isolation scheme of a shared business database and isolated business data architecture, or an isolation scheme of a shared business database and shared business data architecture.
On the basis of the above embodiment, as a specific implementation manner, the device further includes:
a storage module, used for storing tenant information when storing tenant business data; the tenant information comprises a tenant ID and a ledger ID.
The multi-tenant isolation device provided by the application can realize multi-tenant isolation. A software developer on the SaaS platform does not need to pay attention to tenant isolation during development, and a service does not need to implement any tenant isolation logic of its own, because tenant isolation is completed automatically by the multi-tenant isolation device. This greatly reduces the communication cost of multi-team collaborative development, avoids the resource waste caused by repeated development, and reduces system coupling. In addition, the multi-tenant isolation device can realize multi-level isolation across multiple tenants and multiple ledgers.
The application also provides a multi-tenant isolation device which, as shown in Fig. 6, comprises a memory 1 and a processor 2.
A memory 1 for storing a computer program;
A processor 2 for executing the computer program to perform the steps of:
determining a target isolation scheme according to the isolation scheme configuration information; while executing the target isolation scheme, after receiving a business data query request from a user, determining a target tenant and a target ledger; reading business data from a database according to the ID of the target tenant and the ID of the target ledger; and returning the read business data to the user.
For a description of the device provided by the present application, refer to the above method embodiment; it is not repeated here.
The present application also provides a computer-readable storage medium having a computer program stored thereon, which when executed by a processor performs the steps of:
determining a target isolation scheme according to the isolation scheme configuration information; while executing the target isolation scheme, after receiving a business data query request from a user, determining a target tenant and a target ledger; reading business data from a database according to the ID of the target tenant and the ID of the target ledger; and returning the read business data to the user.
The computer readable storage medium may include: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
For the description of the computer-readable storage medium provided by the present application, refer to the above method embodiments, and the disclosure is not repeated here.
In the description, each embodiment is described in a progressive manner, and each embodiment is mainly described by the differences from other embodiments, so that the same similar parts among the embodiments are mutually referred. For the apparatus, device and computer readable storage medium of the embodiment disclosure, since it corresponds to the method of the embodiment disclosure, the description is relatively simple, and the relevant points refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The multi-tenant isolation method, device, equipment and computer-readable storage medium provided by the application are described in detail above. The principles and embodiments of the present application have been described herein with reference to specific examples, and the description of these examples is intended only to facilitate an understanding of the method of the present application and its core ideas. It should be noted that those skilled in the art can make various changes and modifications without departing from the principles of the application, and these changes and modifications are also intended to fall within the scope of the appended claims.

Claims (5)

1. A multi-tenant isolation method, applied to a multi-tenant isolation component, comprising:
determining a target isolation scheme according to isolation scheme configuration information; the target isolation scheme is an isolation scheme with an independent service database architecture, or an isolation scheme with a shared service database and isolated service data architecture;
in the process of executing the target isolation scheme, after receiving a service data query request from a user, determining a target tenant and a target account set; the target tenant is the tenant to which the user belongs; the target account set is the account set to which the user belongs; the account set is subordinate to the tenant; business data is isolated between account sets; a shared space is built at the tenant layer, and every account set shares that shared space; in the central multi-tenant mode, a plurality of businesses share one tenant management center, and tenant information communicated among a plurality of business systems is consistent;
reading business data from a database according to the ID of the target tenant and the ID of the target account set;
returning the read business data to the user;
the determining of the target tenant and the target account set further comprises:
performing user authentication on the user;
when the user passes the verification, determining the target tenant and the target account set;
before reading the business data from the database according to the ID of the target tenant and the ID of the target account set, the method further comprises:
performing access right verification on the user;
when the access right passes the verification, reading service data from the database according to the ID of the target tenant and the ID of the target account set;
the method further comprises:
when saving tenant service data, saving tenant information; the tenant information comprises a tenant ID and an account set ID; automatically saving tenant information when service data is saved and automatically filtering by tenant information when service data is queried are conditional on the multi-tenant isolation component having tenant information filtering interception enabled; if tenant information filtering interception is disabled, tenant information is not saved during operation of the multi-user component, and tenant information is not filtered or intercepted when service data is queried, so as to realize tenant sharing.
2. The multi-tenant isolation method of claim 1, wherein the reading business data from a database according to the ID of the target tenant and the ID of the target account set comprises:
constructing a logical query SQL, and adding the ID of the target tenant and the ID of the target account set to the logical query SQL;
reading business data from the database according to the logical query SQL to which the ID of the target tenant and the ID of the target account set have been added.
3. A multi-tenant isolation device, comprising:
a first determining module, used for determining a target isolation scheme according to isolation scheme configuration information; the target isolation scheme is an isolation scheme with an independent service database architecture, or an isolation scheme with a shared service database and isolated service data architecture;
a second determining module, used for determining a target tenant and a target account set after receiving a service data query request from a user in the process of executing the target isolation scheme; the target tenant is the tenant to which the user belongs; the target account set is the account set to which the user belongs; the account set is subordinate to the tenant; in the central multi-tenant mode, a plurality of businesses share one tenant management center, and tenant information communicated among a plurality of business systems is consistent;
a reading module, used for reading business data from a database according to the ID of the target tenant and the ID of the target account set;
a sending module, used for returning the read business data to the user;
a user authentication module, used for performing user authentication on the user;
when the user verification passes, the second determining module determines the target tenant and the target account set;
a permission verification module, used for verifying the access right of the user;
when the access right passes the verification, the reading module reads service data from the database according to the ID of the target tenant and the ID of the target account set;
a storage module, used for saving tenant information when saving tenant service data; the tenant information comprises a tenant ID and an account set ID; automatically saving tenant information when service data is saved and automatically filtering by tenant information when service data is queried are conditional on the multi-tenant isolation component having tenant information filtering interception enabled; if tenant information filtering interception is disabled, tenant information is not saved during operation of the multi-user component, and tenant information is not filtered or intercepted when service data is queried, so as to realize tenant sharing.
4. A multi-tenant isolation device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the multi-tenant isolation method according to claim 1 or 2 when executing the computer program.
5. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the multi-tenant isolation method according to claim 1 or 2.
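The query path of claims 1 and 2 under the shared-database scheme, as an added Python example that is not code from the patent or its applicant: authentication and access-right verification run first, the tenant ID and account set ID are taken from the server-side user record, and both are added to the SQL as bound parameters. The `orders` table, the `USERS` directory, the tokens and the `TenantIsolation` class are all hypothetical and constructed for illustration.

```python
import hmac
import sqlite3

# Constructed sample directory: user -> (token, tenant ID, account set ID, permissions).
USERS = {
    "alice": ("tok-a", 1, 10, {"read", "write"}),
    "bob": ("tok-b", 1, 11, {"read", "write"}),   # same tenant, other account set
    "carol": ("tok-c", 2, 20, {"write"}),         # other tenant, no read permission
}

class TenantIsolation:
    """Hypothetical isolation component: shared database, isolated rows."""

    def __init__(self, conn, filtering=True):
        self.conn, self.filtering = conn, filtering  # filtering = interception switch
        conn.execute("CREATE TABLE orders (item TEXT, tenant_id INTEGER, account_set_id INTEGER)")

    def _resolve(self, user, token, perm):
        rec = USERS.get(user)
        # User authentication comes first.
        if rec is None or not hmac.compare_digest(rec[0], token):
            raise PermissionError("authentication failed")
        # Access-right verification happens before the database is touched.
        if perm not in rec[3]:
            raise PermissionError("access denied")
        # Tenant and account set come from the server-side record, never the request.
        return rec[1], rec[2]

    def save(self, user, token, item):
        tenant_id, set_id = self._resolve(user, token, "write")
        if not self.filtering:
            tenant_id = set_id = None  # interception off: no tenant info is stored
        self.conn.execute("INSERT INTO orders VALUES (?, ?, ?)", (item, tenant_id, set_id))

    def query(self, user, token):
        tenant_id, set_id = self._resolve(user, token, "read")
        sql, params = "SELECT item FROM orders", ()
        if self.filtering:
            # Claim 2: add both IDs to the logical query, as bound parameters.
            sql += " WHERE tenant_id = ? AND account_set_id = ?"
            params = (tenant_id, set_id)
        return [row[0] for row in self.conn.execute(sql + " ORDER BY item", params)]

def demo(filtering=True):
    iso = TenantIsolation(sqlite3.connect(":memory:"), filtering)
    for user, token, item in (("alice", "tok-a", "A-invoice"),
                              ("bob", "tok-b", "B-invoice"),
                              ("carol", "tok-c", "C-invoice")):
        iso.save(user, token, item)
    return iso.query("alice", "tok-a"), iso.query("bob", "tok-b")
```

With `filtering=False` the rows are saved without tenant information, so they match no tenant filter if interception is enabled later.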
CN202210403196.3A 2022-04-18 2022-04-18 Multi-tenant isolation method and related device Active CN114760134B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210403196.3A CN114760134B (en) 2022-04-18 2022-04-18 Multi-tenant isolation method and related device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210403196.3A CN114760134B (en) 2022-04-18 2022-04-18 Multi-tenant isolation method and related device

Publications (2)

Publication Number Publication Date
CN114760134A CN114760134A (en) 2022-07-15
CN114760134B true CN114760134B (en) 2024-05-28

Family

ID=82331530

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210403196.3A Active CN114760134B (en) 2022-04-18 2022-04-18 Multi-tenant isolation method and related device

Country Status (1)

Country Link
CN (1) CN114760134B (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant