CN115396152A - Data isolation method and system for multi-tenant software-as-a-service platform - Google Patents


Info

Publication number: CN115396152A
Authority: CN (China)
Prior art keywords: tenant, identification, request, identifier, data
Legal status: Pending
Application number: CN202210888854.2A
Other languages: Chinese (zh)
Inventors: 龙小清, 涂婷婷, 郭尧, 张钊, 赵磊, 左奋强, 赵振宇, 冯文宇, 薛永新, 陈帅彬, 谢铁云
Current Assignee: Seashell Housing Beijing Technology Co Ltd
Original Assignee: Seashell Housing Beijing Technology Co Ltd
Application filed by: Seashell Housing Beijing Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/22 Indexing; Data structures therefor; Storage structures
    • G06F16/2282 Tablespace storage structures; Management thereof
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/28 Databases characterised by their database models, e.g. relational or object models
    • G06F16/284 Relational databases
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005 Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5027 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/547 Remote procedure calls [RPC]; Web services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2209/00 Indexing scheme relating to G06F9/00
    • G06F2209/54 Indexing scheme relating to G06F9/54
    • G06F2209/544 Remote


Abstract

The application discloses a data isolation method and system for a multi-tenant software-as-a-service (SaaS) platform. In the embodiments, the application layer of the SaaS platform intercepts a Hypertext Transfer Protocol (HTTP) request, parses the tenant identifier and/or business-type identifier carried by the HTTP request, and caches the tenant identifier and/or business-type identifier in a thread of the SaaS platform; the data layer of the SaaS platform intercepts an SQL request, retrieves the tenant identifier and/or business-type identifier from the thread, and embeds it in the SQL request so that the request accesses the data corresponding to that tenant identifier and/or business-type identifier in a database table. The embodiments can thereby implement data isolation in the database of a multi-tenant SaaS platform simply and conveniently.

Description

Data isolation method and system for multi-tenant software-as-a-service platform
Technical Field
The present application relates to computer network technologies, and in particular to a data isolation method and system for a multi-tenant Software-as-a-Service (SaaS) platform.
Background
With the continuous development of computer network technology, SaaS platforms have appeared. A SaaS platform can provide a given business service to enterprise users without each enterprise user having to build its own platform for that service. The SaaS platform can provide the same service to multiple enterprise users at the same time: different enterprise users access the platform as tenants, and the platform distinguishes tenants by tenant identifier in order to serve each of them. Multi-tenancy is a software architecture technique: one multi-tenant SaaS platform can be leased to multiple tenants, and a tenant comprises one or more users. The tenants share the hardware, applications, databases and other resources that the SaaS platform provides for a service. For a multi-tenant SaaS platform, how to isolate data between tenants and control data access permissions is therefore an urgent problem.
In a traditional multi-tenant SaaS platform, data is stored in one of three modes: 1) an independent database per tenant; 2) a shared database with an isolated organization structure (built with schemas) for each tenant; 3) a shared database, a shared organization structure and shared database tables under that structure. In mode 1), each tenant has its own database and tenant data is isolated from one tenant to the next; this mode has the highest degree of data isolation and better data security, at high cost. In mode 2), the data of different tenants is associated with different schemas in the same database and is logically invisible across tenants; because the database is shared, access is simple, but statistics, backup and updates for different tenants' data have to be carried out in the different schemas, so processing is complex and costly. Mode 3) shares the data of different tenants at the database-table level; its implementation cost is low, but its implementation complexity is higher.
At present, a multi-tenant SaaS platform generally uses mode 3) to isolate the data of different tenants, because its cost is the lowest. Mode 3) is implemented as follows: when a database table that stores tenant data is defined, a tenant identifier (tenant_id) attribute is set to identify the tenant to which the data belongs. When the SaaS platform accesses data in the table (insertion, update, query and so on), the application layer parses the received data access request and generates from it a Structured Query Language (SQL) request for the data layer, so that the database in the data layer accesses the corresponding tenant's data. To support multi-tenant data isolation in this process, both the application-layer interfaces and the data-layer access code have to be modified: a parameter that identifies the tenant is added to each application programming interface (API) that receives data access requests, so that the tenant whose data is being accessed can be determined, and a tenant-identifier filter condition is added, one by one, to the SQL requests generated for accessing the data-layer tables. This requires extensive changes to both the application layer and the data layer of the SaaS platform, is complex to implement and is error-prone.
Disclosure of Invention
In view of this, embodiments of the present application provide a data isolation method and system for a multi-tenant SaaS platform, which can easily implement data isolation in a database of the multi-tenant SaaS platform.
The embodiment of the application is realized as follows:
A data isolation method for a multi-tenant software-as-a-service (SaaS) platform comprises the following steps:
the application layer of the SaaS platform intercepts a Hypertext Transfer Protocol (HTTP) request, parses the tenant identifier and/or business-type identifier carried by the HTTP request, and caches the tenant identifier and/or business-type identifier in a thread of the SaaS platform;
the data layer of the SaaS platform intercepts a Structured Query Language (SQL) request, retrieves the tenant identifier and/or business-type identifier from the thread, and embeds it in the SQL request so as to access the data corresponding to the tenant identifier and/or business-type identifier in a database table.
Preferably, intercepting the HTTP request at the application layer of the SaaS platform and parsing the tenant identifier and/or business-type identifier carried by the HTTP request comprises:
an HTTP request interceptor arranged in the application layer of the SaaS platform intercepts the request and parses the tenant identifier and/or business-type identifier carried in the header of the HTTP request;
intercepting the SQL request at the data layer of the SaaS platform comprises:
a MyBatis interceptor arranged in the data layer of the SaaS platform intercepts the SQL request.
Preferably, retrieving the tenant identifier and/or business-type identifier from the thread and embedding it in the SQL request comprises:
using the tenant identifier and/or business-type identifier retrieved from the thread as the tenant identifier and/or business-type identifier filter condition in the SQL request.
Preferably, the method further comprises:
the application layer of the SaaS platform intercepts a remote procedure call (RPC) request, wherein the RPC request is used to call data in a database table of a cross-service micro-service platform;
the application layer of the SaaS platform retrieves the tenant identifier and/or business-type identifier from the thread, generates from the RPC request an HTTP request that carries the tenant identifier and/or business-type identifier, and transmits the HTTP request to the micro-service platform so as to access data in a database table in the micro-service platform.
Preferably, intercepting the RPC request at the application layer of the SaaS platform comprises:
the application layer of the SaaS platform sets up a Feign call interceptor and uses it to intercept the RPC request;
retrieving the tenant identifier and/or business-type identifier from the thread and generating from the RPC request an HTTP request that carries the tenant identifier and/or business-type identifier comprises:
placing the tenant identifier and/or business-type identifier retrieved from the thread into the header of the HTTP request.
Preferably, accessing the data corresponding to the tenant identifier and/or business-type identifier in the database table comprises:
presetting tenant identifier and/or business-type identifier attributes for the data stored in the database table;
accessing the data in the database table that has those tenant identifier and/or business-type identifier attributes, based on the tenant identifier and/or business-type identifier embedded in the SQL request.
A data isolation system for a multi-tenant software-as-a-service (SaaS) platform comprises an HTTP request interceptor, a thread unit and a MyBatis interceptor, wherein:
the HTTP request interceptor is used to intercept an HTTP request at the application layer of the SaaS platform, parse the tenant identifier and/or business-type identifier carried by the HTTP request, and cache the tenant identifier and/or business-type identifier in the thread unit of the SaaS platform;
the MyBatis interceptor is used to intercept an SQL request at the data layer of the SaaS platform, retrieve the tenant identifier and/or business-type identifier from the thread unit, and embed it in the SQL request so as to access the data corresponding to the tenant identifier and/or business-type identifier in a database table.
Preferably, the system further comprises a Feign call interceptor, which is configured to intercept a remote procedure call (RPC) request, generate from the RPC request an HTTP request that carries the tenant identifier and/or business-type identifier, and transmit the HTTP request to the micro-service platform so as to access data in a database table in the micro-service platform.
An electronic device, comprising:
a processor;
a memory storing a program configured to implement the data isolation method of the multi-tenant SaaS platform as set forth in any one of the above when executed by the processor.
A non-transitory computer readable storage medium storing instructions that, when executed by a processor, cause the processor to perform a method of data isolation for a multi-tenant SaaS platform as claimed in any one of the above.
As seen from the above, the application layer of the SaaS platform in the embodiments of the present application intercepts a Hypertext Transfer Protocol (HTTP) request, parses the tenant identifier and/or business-type identifier carried in the HTTP request, and caches the tenant identifier and/or business-type identifier in a thread of the SaaS platform; the data layer of the SaaS platform intercepts an SQL request, retrieves the tenant identifier and/or business-type identifier from the thread, and embeds it in the SQL request so as to access the data corresponding to the tenant identifier and/or business-type identifier in a database table. Because the tenant identifier and/or business-type identifier is passed from the front end of the SaaS platform to the background interface and from the application layer to the data layer, neither the background interface parameters of the application layer nor the access operations of the data layer have to be changed, and data isolation in the database of the multi-tenant SaaS platform is implemented simply and conveniently.
Drawings
Fig. 1 is a flowchart of a data isolation method for a multi-tenant SaaS platform according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a data isolation system of a multi-tenant SaaS platform according to an embodiment of the present application;
Fig. 3 is a flowchart illustrating a specific example of a data isolation method for a multi-tenant SaaS platform according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a business-type identifier and/or a tenant identifier provided in an embodiment of the present application;
Fig. 5 is a schematic diagram of storing isolated data in a database table according to an embodiment of the present application;
Fig. 6 is a schematic diagram of the process of passing a business-type identifier and/or a tenant identifier between the front end and the background interface of a SaaS platform and between an upper layer and a lower layer according to an embodiment of the present application;
Fig. 7 is a schematic diagram of the process by which an HTTP request interceptor intercepts and processes an HTTP request according to an embodiment of the present application;
Fig. 8 is a schematic diagram of the process by which a Feign call interceptor provided in an embodiment of the present application intercepts and processes an RPC request;
Fig. 9 is a schematic diagram of the process by which the MyBatis interceptor provided in an embodiment of the present application intercepts and processes an SQL request;
Fig. 10 is a schematic diagram of the processing procedure of a MyBatis interceptor (TenantMyBatis interceptor) according to an embodiment of the present application;
Fig. 11 is a schematic diagram of an electronic device according to another embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first," "second," "third," "fourth," and the like in the description and claims of this application and in the above-described drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprising" and "having," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements explicitly listed, but may include other steps or elements not explicitly listed or inherent to such process, method, article, or apparatus.
At present, a multi-tenant SaaS platform isolates the data of different tenants as follows. When a database table that stores tenant data is defined, a tenant identifier attribute is set to identify the tenant to which the data belongs. The background interfaces in the application layer and the access code of the data layer are then modified: a parameter that identifies the tenant is added to each API that receives data access requests, so that the tenant whose data is being accessed can be determined, and a tenant-identifier filter condition is added when each SQL request is generated, for use in accessing the data-layer tables. This changes the application layer and the data layer of the SaaS platform extensively. It is especially unfriendly when a single-tenant SaaS platform is upgraded to a multi-tenant one: a large number of API parameters on the background interfaces that connect to the front end have to be changed, tenant logic has to be added to the application code that identifies data access requests, and a filter condition has to be added to the SQL requests that run in the underlying data layer. The workload is large, and because every query against data in an underlying database table requires manual work, filters are easily omitted or written incorrectly, so the approach is complex and error-prone. A simpler way to isolate data in the underlying database tables of a multi-tenant SaaS platform is therefore needed.
In practice, an enterprise user may have several similar business types, such as a home decoration business type and a home decoration business type; the business services provided under the two business types differ, but the data involved in the services is similar and/or identical, so the data stored in the database table is similar and/or identical. Furthermore, the data involved in a business service may belong to multiple tenants. For a SaaS platform with multiple business types and multiple tenants, the multi-tenant mode currently in use cannot fully meet these requirements, and new business services cannot be added dynamically. The platform has to consider, for example, how to reuse database tables in the underlying data layer, how to isolate data by business type and by tenant, and how to remain extensible enough to add similar business services dynamically; all of this requires the SaaS platform to take data isolation fully into account.
To overcome the above problems, in the embodiments of the present application the application layer of the SaaS platform intercepts an HTTP request, parses the tenant identifier and/or business-type identifier carried in the HTTP request, and caches the tenant identifier and/or business-type identifier in a thread of the SaaS platform; the data layer of the SaaS platform intercepts an SQL request, retrieves the tenant identifier and/or business-type identifier from the thread, and embeds it in the SQL request so as to access the data corresponding to the tenant identifier and/or business-type identifier in a database table.
Because the tenant identifier and/or business-type identifier is passed from the front end of the SaaS platform to the background interface and from the application layer to the data layer, neither the background interface parameters of the application layer nor the access operations of the data layer have to be changed, and data isolation in the database of the multi-tenant SaaS platform is implemented simply and conveniently.
Tenant identifier and/or business-type identifier attributes are preset for the stored data in the database table of the SaaS platform; when data is stored in the database table, it is stored together with the corresponding tenant identifier and/or business-type identifier.
In the embodiments of the present application, when the front end of the SaaS platform for a given service receives an HTTP request, it inserts the tenant identifier and/or business-type identifier into the header of the HTTP request and passes the request to the background interface of the SaaS platform, which parses it.
Furthermore, the embodiments also include the following: the application layer of the SaaS platform intercepts a remote procedure call (RPC) request, wherein the RPC request is used to call data in a database table of a cross-service micro-service platform; the application layer of the SaaS platform retrieves the tenant identifier and/or business-type identifier from the thread, generates from the RPC request an HTTP request that carries the tenant identifier and/or business-type identifier, and transmits the HTTP request to the micro-service platform so as to access data in a database table in the micro-service platform. Here, the micro-service platform may be a SaaS platform that provides another service or some other micro-service platform that provides a service; this is not limited herein. RPC requests are made remotely between the SaaS platform and the micro-service platform.
Fig. 1 is a flowchart of a data isolation method for a multi-tenant SaaS platform according to an embodiment of the present application, which includes the following specific steps:
Step 101: the application layer of the SaaS platform intercepts an HTTP request, parses the tenant identifier and/or business-type identifier carried by the HTTP request, and caches the tenant identifier and/or business-type identifier in a thread of the SaaS platform;
Step 102: the data layer of the SaaS platform intercepts an SQL request, retrieves the tenant identifier and/or business-type identifier from the thread, and embeds it in the SQL request so as to access the data corresponding to the tenant identifier and/or business-type identifier in a database table.
In the method, the path taken by a request for data stored in a database table of the SaaS platform is as follows: at the application layer of the SaaS platform, when the front end of the SaaS platform receives an HTTP request sent by a tenant, it inserts the tenant identifier and/or business-type identifier into the header of the HTTP request and passes it to the background interface of the SaaS platform; at the data layer of the SaaS platform, after an SQL request has been constructed for the data to be accessed, the SQL request is processed and the data in the database table is then accessed. Here, the front end of the SaaS platform refers to the tenant's client, and the background interface of the SaaS platform refers to the interface with the tenant's client.
In the method, accessing the data corresponding to the tenant identifier and/or business-type identifier in the database table means querying, updating and/or inserting the data corresponding to the tenant identifier and/or business-type identifier in the database table.
In the method, intercepting the HTTP request at the application layer of the SaaS platform and parsing the tenant identifier and/or business-type identifier carried by the HTTP request comprises:
an HTTP request interceptor arranged in the application layer of the SaaS platform intercepts the request and parses the tenant identifier and/or business-type identifier carried in the header of the HTTP request;
intercepting the SQL request at the data layer of the SaaS platform comprises:
a MyBatis interceptor arranged in the data layer of the SaaS platform intercepts the SQL request.
Here, the HTTP request interceptor is a software program written to intercept HTTP requests and process them accordingly. The MyBatis interceptor is likewise a software program written to intercept SQL requests and process them accordingly.
In the above method, retrieving the tenant identifier and/or business-type identifier from the thread and embedding it in the SQL request comprises: using the tenant identifier and/or business-type identifier retrieved from the thread as the tenant identifier and/or business-type identifier filter condition in the SQL request.
The above method further comprises:
the application layer of the SaaS platform intercepts a remote procedure call (RPC) request, wherein the RPC request is used to call data in a database table of a cross-service micro-service platform;
the application layer of the SaaS platform retrieves the tenant identifier and/or business-type identifier from the thread, generates from the RPC request an HTTP request that carries the tenant identifier and/or business-type identifier, and transmits the HTTP request to the micro-service platform so as to access data in a database table in the micro-service platform.
Here, the tenant identifier and/or business-type identifier can be passed across platforms.
Specifically, intercepting the RPC request at the application layer of the SaaS platform comprises:
the application layer of the SaaS platform sets up a Feign call interceptor and uses it to intercept the RPC request;
retrieving the tenant identifier and/or business-type identifier from the thread and generating from the RPC request an HTTP request that carries the tenant identifier and/or business-type identifier comprises:
placing the tenant identifier and/or business-type identifier retrieved from the thread into the header of the HTTP request.
Here, the Feign call interceptor is a software program written to intercept RPC requests and process them accordingly.
In the method, the structure of the data stored in the database table has to be modified to support data isolation between different tenants and/or business types, so that the data of different tenants and/or business types can be accessed conveniently. Accessing the data corresponding to the tenant identifier and/or business-type identifier in the database table comprises: presetting tenant identifier and/or business-type identifier attributes for the data stored in the database table; and accessing the data in the database table that has those attributes, based on the tenant identifier and/or business-type identifier embedded in the SQL request.
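The flow of steps 101 and 102 and the RPC header propagation, as an added illustration in plain JDK Java (16 or later); it is not code from the patent, and it does not use the MyBatis, Spring or Feign APIs. The header names, the identifier format and the `orders` table are assumptions, and the rewrite covers only single-table SELECT/UPDATE/DELETE statements with no subqueries and no `?` or keywords inside string literals, refusing anything else.

```java
import java.util.*;
import java.util.function.Supplier;
import java.util.regex.*;

public class TenantIsolationDemo {
    record TenantContext(String tenantId, String businessId) {}   // parsed from the header
    record BoundSql(String sql, List<Object> params) {}           // SQL text + positional params

    /** Per-thread cache that carries the identifiers from the application layer to the data layer. */
    static final class TenantContextHolder {
        private static final ThreadLocal<TenantContext> CURRENT = new ThreadLocal<>();
        static void set(TenantContext ctx) { CURRENT.set(ctx); }
        static void clear() { CURRENT.remove(); }
        static TenantContext require() {
            TenantContext ctx = CURRENT.get();
            if (ctx == null) throw new IllegalStateException("no tenant context on this thread");
            return ctx;
        }
    }

    // Header names and the identifier format are assumptions, not taken from the patent.
    static final String TENANT_HEADER = "X-Tenant-Id";
    static final String BUSINESS_HEADER = "X-Business-Id";
    private static final Pattern ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");
    private static final Pattern WHERE = Pattern.compile("\\bWHERE\\b", Pattern.CASE_INSENSITIVE);
    private static final Pattern TAIL =
            Pattern.compile("\\b(GROUP\\s+BY|ORDER\\s+BY|LIMIT)\\b", Pattern.CASE_INSENSITIVE);

    /** Application layer: parse the header, cache it in the thread, run the handler, always clear. */
    static <T> T handleHttp(Map<String, String> headers, Supplier<T> handler) {
        String tenant = headers.get(TENANT_HEADER);
        String business = headers.get(BUSINESS_HEADER);
        if (tenant == null || business == null
                || !ID.matcher(tenant).matches() || !ID.matcher(business).matches()) {
            throw new SecurityException("missing or malformed tenant/business identifier");
        }
        TenantContextHolder.set(new TenantContext(tenant, business));
        try {
            return handler.get();
        } finally {
            // Pooled worker threads are reused; a stale value would leak into the next request.
            TenantContextHolder.clear();
        }
    }

    /** Data layer: add the tenant_id / business_id filter condition as bound parameters. */
    static BoundSql scope(BoundSql in) {
        TenantContext ctx = TenantContextHolder.require();   // fail closed without a context
        String sql = in.sql().trim();
        String verb = sql.split("\\s+", 2)[0].toUpperCase(Locale.ROOT);
        if (!List.of("SELECT", "UPDATE", "DELETE").contains(verb)) {
            throw new UnsupportedOperationException("cannot scope statement: " + verb);
        }
        Matcher tail = TAIL.matcher(sql);
        int tailAt = tail.find() ? tail.start() : sql.length();
        String head = sql.substring(0, tailAt).trim();
        String rest = sql.substring(tailAt);
        String filter = "tenant_id = ? AND business_id = ?";
        Matcher where = WHERE.matcher(head);
        String scoped;
        int insertAt;   // index of the first added parameter among the positional parameters
        if (where.find()) {
            String before = head.substring(0, where.start());
            String cond = head.substring(where.end()).trim();
            // Parenthesise the original condition so an OR in it cannot escape the filter.
            scoped = before + "WHERE " + filter + " AND (" + cond + ")";
            insertAt = countPlaceholders(before);
        } else {
            scoped = head + " WHERE " + filter;
            insertAt = countPlaceholders(head);
        }
        List<Object> params = new ArrayList<>(in.params());
        params.addAll(insertAt, List.of(ctx.tenantId(), ctx.businessId()));
        return new BoundSql(rest.isEmpty() ? scoped : scoped + " " + rest, params);
    }

    static int countPlaceholders(String s) { return (int) s.chars().filter(c -> c == '?').count(); }

    /** Outbound RPC step: copy the cached identifiers into the downstream request header. */
    static Map<String, String> outboundHeaders() {
        TenantContext ctx = TenantContextHolder.require();
        return Map.of(TENANT_HEADER, ctx.tenantId(), BUSINESS_HEADER, ctx.businessId());
    }

    public static void main(String[] args) {
        // Constructed sample header values and statements.
        Map<String, String> headers = Map.of(TENANT_HEADER, "t-1001", BUSINESS_HEADER, "b-01");
        handleHttp(headers, () -> {
            System.out.println(scope(new BoundSql(
                    "SELECT id FROM orders WHERE status = ? OR urgent = 1 ORDER BY id", List.of("open"))));
            System.out.println(scope(new BoundSql(
                    "UPDATE orders SET status = ? WHERE id = ?", List.of("closed", 42))));
            System.out.println(outboundHeaders());
            return null;
        });
        try { scope(new BoundSql("SELECT id FROM orders", List.of())); }   // no request in progress
        catch (IllegalStateException e) { System.out.println("blocked: " + e.getMessage()); }
    }
}
```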
Fig. 2 is a schematic structural diagram of a data isolation system for a multi-tenant software-as-a-service (SaaS) platform according to an embodiment of the present application. The system comprises an HTTP request interceptor, a thread unit and a MyBatis interceptor, wherein:
the HTTP request interceptor is used to intercept an HTTP request at the application layer of the SaaS platform, parse the tenant identifier and/or business-type identifier carried by the HTTP request, and cache the tenant identifier and/or business-type identifier in the thread unit of the SaaS platform;
the MyBatis interceptor is used to intercept an SQL request at the data layer of the SaaS platform, retrieve the tenant identifier and/or business-type identifier from the thread unit, and embed it in the SQL request so as to access the data corresponding to the tenant identifier and/or business-type identifier in a database table.
The system further comprises a Feign call interceptor, which is used to intercept a remote procedure call (RPC) request, retrieve the tenant identifier and/or business-type identifier from the thread unit, generate from the RPC request an HTTP request that carries the tenant identifier and/or business-type identifier, and transmit the HTTP request to the micro-service platform so as to access the data in a database table in the micro-service platform.
The method allows the underlying database tables of the SaaS platform to be reused while guaranteeing data isolation across multiple business states and/or multiple tenants, and solves the difficulty of extending a multi-tenant SaaS platform with new services. When converting a single-tenant SaaS platform into a multi-business-state and/or multi-tenant SaaS platform, it greatly reduces development and maintenance cost, repetitive work and the risk of errors.
In the embodiment of the present application, in order to implement data isolation of a multi-tenant SaaS platform for multiple business states or/and multiple tenants, the following points need to be implemented.
1) Setting a business state identifier (business_id) and a tenant identifier (tenant_id). The identifiers are chosen to meet the requirements of the actual business scenario; attributes for the business state identifier and the tenant identifier are added to the database table, so that each stored record indicates its business state and tenant, and data of different business states and/or different tenants are isolated within the database table.
2) Passing the business state identifier and/or the tenant identifier from the front end to a background interface in the application layer of the SaaS platform: the front end transmits the business state identifier and/or the tenant identifier to the background interface of the application layer through an http request, carrying them in the http request header. Passing the identifiers this way adds no API interface parameters, which saves the large amount of work that changing API interface parameters would bring, avoids the difficulty of changing, upgrading and re-integrating API interfaces, and reduces the risk of omitted or wrongly passed values that a large increase in API interface parameters could cause. In addition, the business state identifier and/or the tenant identifier do not need to be mixed in with the other service parameters of the API, so the API's service parameters remain dedicated to their own purpose.
3) Passing the business state identifier and/or the tenant identifier between the application layer and the data layer of the SaaS platform: the http request interceptor intercepts an http request, reads the business state identifier and/or tenant identifier from the request header, and caches them in a thread of the SaaS platform; the Feign call interceptor intercepts all RPC requests, takes the business state identifier and/or tenant identifier out of the thread, carries them in the header of the generated http request, and performs subsequent processing. The http request is thus intercepted directly by the http request interceptor and the Feign call interceptor, the identifiers are obtained from the header of the http request and then passed to the RPC request through the thread, which solves the problem of obtaining the corresponding data when services of different businesses call one another. The mybatis interceptor intercepts sql requests, that is, it intercepts the prepare method through which sql is executed, and can intercept sql requests of the query (select), update and insert types. For a query-type sql request, a selection field for the business state identifier and/or tenant identifier is added and a filter condition on the business state identifier and/or tenant identifier is set; for update-type and insert-type sql requests, the fields and field values to be updated or inserted are added, the field values being set according to the business state identifier and/or tenant identifier.
This removes the need to add the same business state identifier and/or tenant identifier to every sql request by hand, which reduces development cost and the risk of omitted or incorrect conditions.
The following examples are provided to illustrate the present invention in detail.
Fig. 3 is a flowchart of an embodiment of a data isolation method for a multi-tenant SaaS platform according to an embodiment of the present application, which includes the following steps:
step 301, setting generation rules of the business status identifier or/and the tenant identifier, adding attributes of the business status identifier or/and the tenant identifier in a database table, and storing data in the database table corresponding to the business status identifier or/and the tenant identifier;
in this step, the database table is a data table for storing data in a bottom data layer of the multi-tenant SaaS platform;
step 302, a front end of a service layer of the multi-tenant SaaS platform requests a background interface, sending an http request that carries a business state identifier and/or a tenant identifier in its header;
step 303, an http request interceptor of the service layer of the multi-tenant SaaS platform intercepts the http request at the back-end interface, obtains the business state identifier and/or tenant identifier from the header of the http request, and places them into a thread;
in this step, the identifiers are placed into the thread by storing them in the thread's ThreadLocal, using the thread-local variable (ThreadLocal) mechanism;
step 304, a Feign call interceptor of the service layer of the multi-tenant SaaS platform intercepts all Feign requests, obtains the business state identifier and/or tenant identifier from the thread, places them into the Feign request, and then forwards the request;
step 305, a mybatis interceptor of a data layer of the multi-tenant SaaS platform intercepts an sql request, obtains the business state identifier and/or tenant identifier from the thread, and places them into the sql request;
in this step, in order to access data in a database table in the data layer of the multi-tenant SaaS platform, an sql request, which may be generated based on an http request on the application layer of the multi-tenant SaaS platform, needs to be written.
In this method, step 304 and step 305 are not performed sequentially, and when there is no external feign request, step 304 is not performed, which is not limited herein. The feign request of step 304 is actually an external RPC request.
The above steps are explained in detail below.
1. Setting generation rules of the state identifier or/and the tenant identifier in step 301, and storing isolated data in a database table.
The business state refers to the business state of different businesses of an enterprise, such as a home state, a home decoration state, or a home clothes state.
The tenant refers to a user sharing the SaaS platform, such as an enterprise user, and there may be multiple tenants in the same business state of the business provided by the SaaS platform, for example, the business provided by the SaaS platform is a house agency business, and there may be a first home decoration tenant and a second home decoration tenant in a home decoration business state of the business.
According to an actual service scenario, fig. 4 is a schematic diagram of a business state identifier and/or a tenant identifier provided in the embodiment of the present application. The business state identifier is set to two digits, for example: a home furnishing state (10) or a home furnishing state (20). The tenant identifier is a combination of the two-digit business state identifier and a three-digit enterprise identifier, for example: a first tenant identifier (10100) or a second tenant identifier (10101) in a home decoration state, and a first tenant identifier (20100) in a home state. If the number of tenants or the amount of business state data is large, the number of digits can be increased according to the actual service, which is not limited here.
The generation rules of the business state identifier and/or tenant identifier are set, and attributes for the business state identifier and/or tenant identifier are added to the database table. For data that requires isolation by business state, the corresponding business state identifier is set and stored in the business state identifier attribute; for data that requires isolation by tenant, the corresponding tenant identifier is set and stored in the tenant identifier attribute.
By way of example, as shown in fig. 5, fig. 5 is a schematic diagram of storing isolated data for a database table according to an embodiment of the present application. The commodity data of the home decoration industry and the home decoration industry need to be isolated according to the industry, and the industry identification needs to be added to the related commodity data table. Each tenant may have its own tenant data, such as the tenant's store data, the data of the goods in the store, and these data tables are all added with the tenant identification.
2. In step 302, the front end requests a background interface, and the http request carries the business state identifier and/or tenant identifier.
The business state identifier and/or tenant identifier are passed from the front end of the multi-tenant SaaS platform to a background interface: according to the actual service, the front end places the business state identifier and/or tenant identifier into the header of the http request, adding easily recognizable key attributes (keys) to the header to hold them. In this method, the API parameter settings of the SaaS platform do not need to be changed, namely, no API parameters for the business state identifier and/or tenant identifier need to be added. This avoids the interface upgrades that a change of API parameters would require, and the services that call one another's interfaces do not need to change their dependency versions or integrate a new interface.
Fig. 6 is a schematic process diagram for passing a business state identifier and/or a tenant identifier between a front end and a background interface of a SaaS platform, and between its upper and lower layers, according to an embodiment of the present application. The specific steps include:
step 601, constructing an http request at the front end of an application layer of a multi-tenant SaaS platform;
specifically, after an http request is received by the front end of the application layer of the multi-tenant SaaS platform, a business state identifier and/or a tenant identifier is set in the header of the http request;
steps 602-603, an http request interceptor of a background interface of the application layer of the multi-tenant SaaS platform intercepts the http request, and stores the business state identifier and/or tenant identifier from the header of the http request in the designated thread;
in this step, the identifiers from the header of the http request are stored in the thread by means of ThreadLocal;
step 604, the application layer of the multi-tenant SaaS platform transmits the http request to the data layer of the multi-tenant SaaS platform, and the data layer of the multi-tenant SaaS platform generates an sql request;
here, the sql request may be set based on the http request, which is not limited here;
step 605, after intercepting the sql request, a mybatis interceptor of the data layer of the multi-tenant SaaS platform obtains the business state identifier and/or tenant identifier from the thread, and places them into the sql request;
step 606, the data layer of the multi-tenant SaaS platform executes the sql request, and queries the data corresponding to the business state identifier and/or tenant identifier from the database table;
step 607, after the RPC request is intercepted, the business state identifier and/or tenant identifier is obtained from the thread and placed into the http request generated based on the RPC request;
and step 608, the application layer of the multi-tenant SaaS platform transmits the updated RPC request to the data layer of the multi-tenant SaaS platform, and subsequent processing is performed based on the updated RPC request.
3. The http request interceptor in step 303 intercepts the http request at a background interface, obtains the business state identifier or/and the tenant identifier from the header of the http request, and places the business state identifier or/and the tenant identifier into the thread.
The whole process of step 303 is implemented in software, generally written in the Java language. Fig. 7 is a schematic process diagram of the http request interceptor provided in the embodiment of the present application intercepting and processing an http request. The specific steps include:
step 701, defining an http request interceptor (TenantInterceptor) class;
in this step, the class implements the http request processing interceptor (HandlerInterceptor) interface, that is, it sets up an http request interceptor for intercepting the current http request;
step 702, the http request interceptor implements the preHandle() method of the HandlerInterceptor interface: before the Controller method invoked by the intercepted http request is processed, the business state identifier and/or tenant identifier is extracted from the request header of the http request and stored in the thread via ThreadLocal;
in this step, the extracted business state identifier is actually the first two digits of the extracted tenant identifier;
step 703, the http request interceptor implements the afterCompletion() method of the HandlerInterceptor interface: after the Controller method invoked by the intercepted request has been processed, the business state identifier and/or tenant identifier in the thread is removed;
step 704, defining an http request interceptor registration configuration class (TenantMvcConf) that implements the WebMvcConfigurer interface of the spring framework and its addInterceptors() method, and registering the custom http request interceptor TenantInterceptor so that it takes effect.
Here, step 703 and step 704 are not performed in sequence, and step 704 configures registration of the http request interceptor 1.
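Steps 702 and 703, as an added framework-free Java example (not code from the patent): a ThreadLocal holder, a preHandle() that accepts only the five-digit identifier format described above, and an afterCompletion() that clears the holder. The header key `X-Tenant-Id` and all class and method names other than preHandle/afterCompletion are assumptions; the two scenarios show what a pooled thread carries into the next request when step 703 is skipped.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.regex.Pattern;

public class TenantContextDemo {

    static final String HEADER = "X-Tenant-Id"; // assumed header key, not named in the description

    /** Per-thread holder for the identifiers (steps 702 and 703). */
    static final class TenantContext {
        private static final ThreadLocal<String> TENANT_ID = new ThreadLocal<>();
        // Format from the description: 2-digit business state + 3-digit enterprise number.
        private static final Pattern FORMAT = Pattern.compile("\\d{5}");

        static void set(String tenantId) {
            if (tenantId == null || !FORMAT.matcher(tenantId).matches()) {
                throw new IllegalArgumentException("malformed tenant identifier");
            }
            TENANT_ID.set(tenantId);
        }

        static String tenantId() {
            return TENANT_ID.get();
        }

        // The business state identifier is the first two digits of the tenant identifier.
        static String businessId() {
            String t = TENANT_ID.get();
            return t == null ? null : t.substring(0, 2);
        }

        static void clear() {
            TENANT_ID.remove();
        }
    }

    /** Counterpart of preHandle(): false means the request is rejected before the controller. */
    static boolean preHandle(Map<String, String> headers) {
        String raw = headers.get(HEADER);
        if (raw == null) {
            return true; // request without tenant scope: nothing is stored
        }
        try {
            TenantContext.set(raw);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    /** Counterpart of afterCompletion(): removes the identifiers from the thread. */
    static void afterCompletion() {
        TenantContext.clear();
    }

    /** Stand-in for the controller call wrapped by the interceptor. */
    static String handle(Map<String, String> headers, boolean runAfterCompletion) {
        if (!preHandle(headers)) {
            return "rejected";
        }
        try {
            return "tenant=" + TenantContext.tenantId() + " business=" + TenantContext.businessId();
        } finally {
            if (runAfterCompletion) {
                afterCompletion();
            }
        }
    }

    /** Two consecutive requests on the same pooled worker thread (constructed input). */
    static List<String> scenario(boolean runAfterCompletion) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            Map<String, String> withTenant = Map.of(HEADER, "10100");
            Map<String, String> withoutHeader = Map.of();
            List<String> seen = new ArrayList<>();
            for (Map<String, String> headers : List.of(withTenant, withoutHeader)) {
                Callable<String> request = () -> handle(headers, runAfterCompletion);
                seen.add(pool.submit(request).get());
            }
            return seen;
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("step 703 skipped: " + scenario(false));
        System.out.println("step 703 applied: " + scenario(true));
        System.out.println("malformed header: " + handle(Map.of(HEADER, "10100 OR 1=1"), true));
    }
}
```

With step 703 skipped, the second request, which sent no header, still reports tenant 10100 because the worker thread was reused; with it applied, the second request sees no tenant.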
4. The feign in step 304 calls an interceptor to intercept the feign request.
The API interfaces of the services provided by the SaaS platform and the interfaces of other cross-service microservice platforms may call one another, and one API interface may make multiple external RPC calls. In this case, the application layer of the SaaS platform uses a Feign call interceptor to intercept all RPC requests, obtains the business state identifier and/or tenant identifier from the thread, and places them into the request header of the http request.
The whole process is implemented in software written in the Java language. Fig. 8 is a schematic diagram of the process by which the Feign call interceptor provided by the embodiment of the present application intercepts and processes an RPC request. The specific steps include:
step 801, defining a Feign call interceptor (FeignTenantInterceptor) class, wherein the class implements the request interceptor (RequestInterceptor) interface of the spring framework and is used for intercepting all external RPC requests;
step 802, defining the apply() method in the Feign call interceptor class, obtaining the business state identifier and/or tenant identifier from the thread, and putting them into the request header of the http request.
5. The mybatis interceptor in step 305 intercepts the sql request, acquires the business state identifier or/and the tenant identifier from the thread, and places the business state identifier or/and the tenant identifier into the sql request.
Attribute fields for the business state identifier and/or tenant identifier are added to the database table, and whenever an sql operation is performed on the table, a filter condition on the business state identifier and/or tenant identifier is added to the sql request. The mybatis interceptor adds the business state identifier and/or tenant identifier to sql requests of the query, update or insert type, the updated sql request is run, and the sql operation is executed on the database table to query, update or insert data.
The whole process of intercepting the sql request by the mybatis interceptor is written by a software program written based on java computer language, as shown in fig. 9, fig. 9 is a schematic diagram of a process of intercepting and processing the sql request by the mybatis interceptor according to an embodiment of the present application, and includes:
1) And a configuration stage, which is used for carrying out corresponding configuration in a configuration center of the mybatis interceptor.
The method specifically comprises the following steps: configuring the table names of the database tables for which sql is to be intercepted and the tenant identifier and/or business state identifier added; configuring the table names and field names for which multiple fields or non-default fields are to be added; adding the @WithTenant annotation on the mapper methods to be intercepted, and configuring the project root directory;
2) Interceptor configuration for the mybatis interceptor (TenantMyBatisConfig)
The method specifically comprises the following steps: reading from the configuration center the configured table names whose sql requests are to be intercepted, and storing all the table names in a tableSet; resolving the names of the methods annotated with @WithTenant: reading the configured project root path to be intercepted, scanning the project path for all interface methods annotated with @WithTenant, and storing all the method names in the tenantClassMethodSet set; modifying the order of the interceptors through the InterceptorChain object by reflection, to ensure that the custom interceptors PrepareInterceptor and TenantMyBatisInterceptor are executed first.
3) Custom mybatis interceptors: based on the configuration of point 2), the mybatis interceptors are customized; they comprise PrepareInterceptor and TenantMyBatisInterceptor, and the functions of these interceptors are implemented.
Here, the mybatis interceptor supports two configuration modes: one is configuration by table name, and the other is configuration by annotating methods on an sql mapper. They are described separately below.
Mode one: configuration by table name
Firstly, table names needing to be intercepted are configured in a configuration center of a mybatis interceptor, such as an apollo or properties file.
Specifically, the table name is divided by an english comma, and the arrangement format is as follows: internal table = tableA, tableB, tableC.
Secondly, the non-query methods for configuring the default interception in the mybatis interceptor include an insert (insert or inter select) method, a query or update (insert orapdate or insert orapdateselect) method, and a data (update byprimarykey or update byprimarykey) method for updating the corresponding attribute in the data table.
Finally, a query is intercepted by the mybatis interceptor under the following conditions:
1) The operation is a single-table operation on a database table; for a multi-table operation, the sql is not modified;
2) The intercepted methods are selectByExample, selectOneByExample and selectByPrimaryKey;
3) The method carries the @WithTenant annotation, that is, the query is performed for the corresponding tenant identifier.
Mode two: configuration by annotating methods on the mapper
1) In the configuration center of the mybatis interceptor, such as an apollo or properties file, the names of the tables that need a filter condition on the tenant identifier and/or business state identifier are configured.
Here, multiple table names are separated by English commas, in a format such as: latent. Tables = tableA, tableB, tableC. For a configured table, sql requests are intercepted by default, the default field tenant_id is added, and only the default methods are intercepted.
2) For sql requests that require filtering on multiple fields, or whose filter condition is not the default tenant identifier (for example, where the business state identifier must be added), the table names and the field names for which conditions must be added to the sql request are configured in the configuration center of the mybatis interceptor.
Here, the configuration key under the table name is a fixed value: the value (value) corresponding to the configuration key under the table name is the field name in the database table.
3) For the non-default query, insertion or update method needing to be intercepted, adding @ WithTenant annotation on the method of the Mapper interface, and configuring the root path of the item needing to be intercepted in the configuration center, such as: project-root-path = com.
4) The custom mybatis interceptors comprise PrepareInterceptor and TenantMyBatisInterceptor, and the functions of these interceptors are implemented.
5) A configuration class (TenantMyBatisConfig) is set, which implements the ApplicationContextAware interface and the ApplicationRunner interface of the spring framework. The TenantMyBatisConfig class implements the run() method of the ApplicationRunner interface.
Here, run () method execution includes:
resolving the configured table names: reading from the configuration center the configured table names whose sql requests are to be intercepted, and storing all the table names in a tableSet;
resolving the names of the methods annotated with @WithTenant: reading the configured project root path whose sql requests are to be intercepted, scanning the project path for all interface methods annotated with @WithTenant, and storing all the method names in the tenantClassMethodSet set;
modifying the order of the interceptors through the InterceptorChain object by reflection, to ensure that the custom interceptors PrepareInterceptor and TenantMyBatisInterceptor are executed first;
6) The interceptor TenantMyBatisInterceptor implements the intercept() method of the Interceptor interface. The whole process is shown in fig. 10, which is a schematic diagram of the processing performed by the mybatis interceptor (TenantMyBatisInterceptor) provided in the embodiment of the present application. The interceptor TenantMyBatisInterceptor takes the tenant information out of the thread; if the tenant information is empty, the sql request is not modified. If the tenant information is not empty, the relevant information in the sql request is parsed using the parsing method provided by the mybatis interceptor, and it is determined whether the table name is in the parsed set of configured table names (tableSet) or whether the method name is in the parsed set of annotated method names (tenantClassMethodSet). If neither the table name nor the method name is hit, the sql request is not modified. If one is hit, the type of the sql request is determined; the types of sql request for which interception is supported are insert, update and select. The sql request is then intercepted and modified in a way that depends on its type.
Specifically, if the sql request is of the insert type, the previously configured field names to be added (e.g., tenant_id, business_id) are appended to the original list of inserted fields, and the tenant information obtained from the thread (10100, 10) is appended to the original list of field values. If a field to be added already exists in the original field list, it is not added again. The modified sql statement then replaces the original sql statement in the sql request.
The modification strategy for update-type sql requests is similar to that for insert-type sql requests.
The modification strategy for select-type sql requests is as follows: the previously configured field names to be added (such as tenant_id and business_id) are appended to the list of queried fields, unless they already exist in the original list; a filter condition on each added field is then appended to the where condition, for example tenant_id = 10100, unless the same condition already exists in the where condition; the modified sql statement then replaces the original sql statement in the sql request.
7) The interceptor PrepareInterceptor handles the case where the parameters of a mapper method include the tenant identifier and/or business state identifier: it assigns values to the tenant_id and business_id parameters, so that calling code does not need to be modified to pass values for these mapper method parameters.
For example, the mapper method is: List<Sku> selectSkuByCondition(Condition condition, String tenantId). The method adds a parameter tenantId, and normally every caller of the method would have to pass a value for the parameter tenantId. The interceptor can supply the value for tenant_id directly, without changing the code of all the callers of the mapper method; the value of tenant_id or business_id is obtained from the thread.
This is implemented by first determining whether the method is one that needs to be intercepted; if not, nothing is set. If the method needs to be intercepted, the tenant identifier and/or business state identifier obtained from the thread is assigned to the corresponding fields tenantId and businessId through the setAdditionalParameter() method of BoundSql.
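The insert and select strategies of item 6), as an added Java example that is not the patent's code: it uses regular expressions rather than a SQL parser, handles only single-table statements of the shapes shown, and rejects other shapes. The table names, the `TABLE_FIELDS` map, and the rule that an existing equal condition is trusted only when the where clause contains no OR or NOT are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TenantSqlRewriteDemo {
    // Constructed configuration: table -> columns to enforce (plays the role of tableSet).
    static final Map<String, List<String>> TABLE_FIELDS = Map.of(
            "store", List.of("tenant_id"),
            "sku", List.of("tenant_id", "business_id"));

    private static final Pattern INSERT = Pattern.compile(
            "(?is)\\s*insert\\s+into\\s+(\\w+)\\s*\\(([^()]*)\\)\\s*values\\s*\\(([^()]*)\\)\\s*");
    private static final Pattern SELECT = Pattern.compile(
            "(?is)\\s*select\\s+(.+?)\\s+from\\s+(\\w+)(?:\\s+where\\s+(.+?))?\\s*");
    private static final Pattern MULTI =
            Pattern.compile("(?is)\\b(join|union|having|limit|group\\s+by|order\\s+by)\\b");
    private static final Pattern UNTRUSTED = Pattern.compile("(?i)\\b(or|not)\\b");

    static String rewrite(String sql, String tenantId) {
        // As described: no tenant information in the thread, statement left unchanged.
        if (tenantId == null || tenantId.isEmpty()) return sql;
        if (!tenantId.matches("\\d{5}")) { // only digits are ever spliced into the statement
            throw new IllegalArgumentException("malformed tenant identifier");
        }
        Map<String, String> values =
                Map.of("tenant_id", tenantId, "business_id", tenantId.substring(0, 2));
        Matcher ins = INSERT.matcher(sql);
        if (ins.matches()) {
            List<String> fields = TABLE_FIELDS.get(ins.group(1).toLowerCase(Locale.ROOT));
            return fields == null ? sql : rewriteInsert(ins, fields, values);
        }
        Matcher sel = SELECT.matcher(sql);
        if (sel.matches() && !MULTI.matcher(sql).find()) {
            List<String> fields = TABLE_FIELDS.get(sel.group(2).toLowerCase(Locale.ROOT));
            return fields == null ? sql : rewriteSelect(sel, fields, values);
        }
        throw new UnsupportedOperationException("statement shape not handled by this example");
    }

    private static String rewriteInsert(Matcher m, List<String> fields, Map<String, String> values) {
        List<String> cols = names(m.group(2));
        StringBuilder colList = new StringBuilder(m.group(2).trim());
        StringBuilder valList = new StringBuilder(m.group(3).trim());
        for (String f : fields) {
            if (!cols.contains(f)) { // a column already in the list is left alone, as described
                colList.append(", ").append(f);
                valList.append(", ").append(values.get(f));
            }
        }
        return "INSERT INTO " + m.group(1) + " (" + colList + ") VALUES (" + valList + ")";
    }

    private static String rewriteSelect(Matcher m, List<String> fields, Map<String, String> values) {
        List<String> cols = names(m.group(1));
        // Columns are appended only to a plain column list, not to "*" or expressions.
        boolean plainColumns = cols.stream().allMatch(c -> c.matches("\\w+"));
        StringBuilder colList = new StringBuilder(m.group(1).trim());
        String where = m.group(3) == null ? "" : m.group(3).trim();
        boolean untrusted = UNTRUSTED.matcher(where).find();
        List<String> filters = new ArrayList<>();
        for (String f : fields) {
            if (plainColumns && !cols.contains(f)) {
                colList.append(", ").append(f);
            }
            Pattern same = Pattern.compile("(?i)\\b" + f + "\\s*=\\s*" + values.get(f) + "\\b");
            // An equal condition inside an OR branch or under NOT does not restrict rows.
            if (untrusted || !same.matcher(where).find()) {
                filters.add(f + " = " + values.get(f));
            }
        }
        String filter = String.join(" AND ", filters);
        String newWhere = where.isEmpty() ? filter
                : filter.isEmpty() ? where : "(" + where + ") AND " + filter;
        return "SELECT " + colList + " FROM " + m.group(2) + " WHERE " + newWhere;
    }

    private static List<String> names(String csv) {
        List<String> out = new ArrayList<>();
        for (String part : csv.split(",")) {
            out.add(part.trim().toLowerCase(Locale.ROOT));
        }
        return out;
    }

    public static void main(String[] args) {
        String[] samples = { // constructed statements
            "select id, name from sku where price > ?",
            "select * from store where tenant_id = 10100",
            "select id from store where id = ? or tenant_id = 10100",
            "insert into store (id, name) values (?, ?)",
            "select id from audit_log"
        };
        for (String s : samples) {
            System.out.println(rewrite(s, "10100"));
        }
        System.out.println(rewrite(samples[0], null));
    }
}
```

The last call shows the behaviour the description specifies for empty tenant information: the statement reaches the database without any tenant filter, so every request path that touches a configured table has to have populated the thread first.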
The technical solution of the present application will be described in detail with specific examples. Several of the following embodiments may be combined with each other and some details of the same or similar concepts or processes may not be repeated in some embodiments.
In another embodiment of the present application, there is also provided an electronic device including: a processor; a memory storing a program configured to implement, when executed by the processor, a data isolation method of a multi-tenant SaaS platform as described above.
In another embodiment of the present application, a non-transitory computer readable storage medium is provided that stores instructions that, when executed by a processor, cause the processor to perform a data isolation method of a multi-tenant SaaS platform of the foregoing embodiments.
Fig. 11 is a schematic diagram of an electronic device according to another embodiment of the present application. As shown in fig. 11, another embodiment of the present application further provides an electronic device, which may include a processor 1101, where the processor 1101 is configured to execute the steps of the above-mentioned data isolation method for a multi-tenant SaaS platform. As can also be seen from fig. 11, the electronic device provided in the foregoing embodiment further includes a non-transitory computer-readable storage medium 1102, where the non-transitory computer-readable storage medium 1102 stores a computer program, and the computer program is executed by the processor 1101 to perform the steps of the data isolation method for the multi-tenant SaaS platform.
In particular, the non-transitory computer readable storage medium 1102 can be a general-purpose storage medium, such as a removable disk, a hard disk, a FLASH, a read-only memory (ROM), an erasable programmable read-only memory (EPROM or FLASH), or a portable compact disc read-only memory (CD-ROM), and the like, and when the computer program on the non-transitory computer readable storage medium 1102 is executed by the processor 1101, the processor 1101 can be caused to perform the steps of the data isolation method of the multi-tenant SaaS platform described above.
In practical applications, the non-transitory computer readable storage medium 1102 may be included in the device/apparatus/system described in the above embodiments, or may exist separately without being assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, enable execution of the steps of the data isolation method for the multi-tenant SaaS platform.
Yet another embodiment of the present application further provides a computer program product, which includes a computer program or instructions, and when the computer program or instructions are executed by a processor, the computer program or instructions implement the steps in the data isolation method for the multi-tenant SaaS platform.
The flowchart and block diagrams in the figures of the present application illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments disclosed herein. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It will be appreciated by those skilled in the art that the features recited in the various embodiments of the disclosure and/or in the claims may be combined in various ways even if such combinations are not explicitly recited in the present application. In particular, the features recited in the various embodiments and/or claims of the present application may be combined in various ways without departing from the spirit and teachings of the present application, and all such combinations are intended to fall within the scope of the present disclosure.
The principles and embodiments of the present application are explained herein using specific examples, which are provided only to facilitate understanding of the method and core idea of the present application and are not intended to limit it. It will be appreciated by those skilled in the art that changes may be made to these embodiments without departing from the principles, spirit and scope of the invention, and that all such modifications, equivalents and improvements are intended to be protected by the claims.

Claims (10)

1. A data isolation method for a multi-tenant software as a service (SaaS) platform, characterized by comprising the following steps:
an application layer of the SaaS platform intercepts a hypertext transfer protocol (HTTP) request, parses a tenant identifier and/or a business status identifier carried by the HTTP request, and caches the tenant identifier and/or the business status identifier in a thread of the SaaS platform;
a data layer of the SaaS platform intercepts a structured query language (SQL) request, retrieves the tenant identifier and/or the business status identifier from the thread, and places it into the SQL request so as to access data corresponding to the tenant identifier and/or the business status identifier in a database table.
2. The method of claim 1, wherein the application layer of the SaaS platform intercepting the HTTP request and parsing the tenant identifier and/or the business status identifier carried by the HTTP request comprises:
intercepting the HTTP request by an HTTP request interceptor arranged in the application layer of the SaaS platform, and parsing the tenant identifier and/or the business status identifier carried in the header of the HTTP request;
and wherein the data layer of the SaaS platform intercepting the SQL request comprises:
intercepting the SQL request by a MyBatis interceptor arranged in the data layer of the SaaS platform.
3. The method of claim 2, wherein retrieving the tenant identifier and/or the business status identifier from the thread and placing it into the SQL request comprises:
using the tenant identifier and/or the business status identifier retrieved from the thread as a filter condition on the tenant identifier and/or the business status identifier in the SQL request.
4. The method of claim 1, wherein the method further comprises:
the application layer of the SaaS platform intercepts a remote procedure call (RPC) request, wherein the RPC request is used for calling data in a database table of a cross-service microservice platform;
the application layer of the SaaS platform retrieves the tenant identifier and/or the business status identifier from the thread, generates, based on the RPC request, an HTTP request carrying the tenant identifier and/or the business status identifier, and transmits the HTTP request to the microservice platform so as to access data in the database table of the microservice platform.
5. The method of claim 4, wherein the application layer of the SaaS platform intercepting the RPC request comprises:
the application layer of the SaaS platform sets a Feign call interceptor and uses the Feign call interceptor to intercept the RPC request;
and wherein retrieving the tenant identifier and/or the business status identifier from the thread and generating, based on the RPC request, an HTTP request carrying the tenant identifier and/or the business status identifier comprises:
placing the tenant identifier and/or the business status identifier retrieved from the thread into the header of the HTTP request.
6. The method of claim 1, wherein accessing data corresponding to the tenant identifier and/or the business status identifier in the database table comprises:
presetting a tenant identifier attribute and/or a business status identifier attribute for the data stored in the database table;
accessing, based on the tenant identifier and/or the business status identifier placed in the SQL request, the data in the database table having the tenant identifier attribute and/or the business status identifier attribute.
7. A data isolation system for a multi-tenant software as a service (SaaS) platform, characterized by comprising an HTTP request interceptor, a thread unit and a MyBatis interceptor, wherein
the HTTP request interceptor is used for intercepting an HTTP request at an application layer of the SaaS platform, parsing a tenant identifier and/or a business status identifier carried by the HTTP request, and caching the tenant identifier and/or the business status identifier in the thread unit of the SaaS platform;
the MyBatis interceptor is used for intercepting an SQL request at a data layer of the SaaS platform, retrieving the tenant identifier and/or the business status identifier from the thread unit, and placing it into the SQL request so as to access data corresponding to the tenant identifier and/or the business status identifier in a database table.
8. The system of claim 7, further comprising a Feign call interceptor configured to intercept a remote procedure call (RPC) request, generate, based on the RPC request, an HTTP request carrying the tenant identifier and/or the business status identifier, and pass the HTTP request to a microservice platform so as to access data in a database table of the microservice platform.
9. An electronic device, comprising:
a processor;
a memory storing a program configured to implement the data isolation method of the multi-tenant SaaS platform of any one of claims 1 to 6 when executed by the processor.
10. A non-transitory computer readable storage medium storing instructions that, when executed by a processor, cause the processor to perform the data isolation method of the multi-tenant SaaS platform of any one of claims 1 to 6.
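The flow of claims 1 to 5, sketched in plain Java (16 or later) as an added example that is not code from the patent: identifiers are parsed from headers, cached per thread, bound into the SQL as a filter condition, and copied into outgoing call headers. The header names, column names, identifier format and the restriction to simple single-table SELECT statements are assumptions of this sketch.

```java
import java.util.*;
import java.util.regex.Pattern;
public class TenantIsolationDemo {
    record Scope(String tenantId, String bizStatusId) {}    // cached per thread (claim 1)
    static final ThreadLocal<Scope> CTX = new ThreadLocal<>();
    static final String ID = "[A-Za-z0-9_-]{1,32}";         // assumed identifier format
    static final Pattern UNSUPPORTED = Pattern.compile("\\b(join|union|having|group by|order by|limit)\\b|[;(]");
    // Application layer: parse the identifiers from the request headers (assumed names) and cache them.
    static void onHttpRequest(Map<String, String> headers) {
        String tenant = headers.get("X-Tenant-Id"), biz = headers.get("X-Biz-Status-Id");
        if (tenant == null || !tenant.matches(ID) || (biz != null && !biz.matches(ID)))
            throw new SecurityException("missing or malformed identifier");
        CTX.set(new Scope(tenant, biz));
    }

    // Data layer: add the cached identifiers as filter conditions (column names are assumptions).
    static String scopeSql(String sql, List<Object> params) {
        Scope s = CTX.get();
        if (s == null) throw new IllegalStateException("no tenant cached: refusing unscoped SQL");
        String lower = sql.toLowerCase(Locale.ROOT);
        if (!lower.startsWith("select ") || UNSUPPORTED.matcher(lower).find())
            throw new IllegalArgumentException("statement shape not handled by this sketch");
        int w = lower.indexOf(" where ");
        // Parenthesise the caller's predicate so an OR in it cannot bypass the tenant filter.
        String out = w < 0 ? sql + " WHERE tenant_id = ?"
            : sql.substring(0, w) + " WHERE (" + sql.substring(w + 7) + ") AND tenant_id = ?";
        params.add(s.tenantId());   // bound as a parameter, never concatenated
        if (s.bizStatusId() != null) { out += " AND biz_status_id = ?"; params.add(s.bizStatusId()); }
        return out;
    }

    // Cross-service call: copy the cached identifiers into the outgoing request headers.
    static Map<String, String> outboundHeaders() {
        Scope s = CTX.get();
        if (s == null) throw new IllegalStateException("no tenant cached: refusing RPC");
        Map<String, String> h = new LinkedHashMap<>(Map.of("X-Tenant-Id", s.tenantId()));
        if (s.bizStatusId() != null) h.put("X-Biz-Status-Id", s.bizStatusId());
        return h;
    }

    public static void main(String[] args) {
        try {
            onHttpRequest(Map.of("X-Tenant-Id", "t-42"));   // constructed request
            List<Object> params = new ArrayList<>(List.of("open", "vip"));
            String scoped = scopeSql("SELECT * FROM orders WHERE status = ? OR tier = ?", params);
            System.out.println(scoped + " " + params + " " + outboundHeaders());
        } finally {
            CTX.remove();   // pooled threads are reused; a stale identifier would cross tenants
        }
    }
}
```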
CN202210888854.2A 2022-07-27 2022-07-27 Data isolation method and system for multi-tenant software-as-a-service platform Pending CN115396152A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210888854.2A CN115396152A (en) 2022-07-27 2022-07-27 Data isolation method and system for multi-tenant software-as-a-service platform

Publications (1)

Publication Number Publication Date
CN115396152A true CN115396152A (en) 2022-11-25

Family

ID=84116594

Country Status (1)

Country Link
CN (1) CN115396152A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination