CN117389684A - A SaaS multi-tenant data isolation method and system - Google Patents

Info

Publication number
CN117389684A
Authority
CN
China
Prior art keywords
data
tenant
database
access
isolation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311330551.XA
Other languages
Chinese (zh)
Inventor
李志明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hebei Yunzai Information Technology Service Co ltd
Original Assignee
Hebei Yunzai Information Technology Service Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hebei Yunzai Information Technology Service Co ltd
Priority to CN202311330551.XA
Publication of CN117389684A

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operation
    • G06F11/1402 Saving, restoring, recovering or retrying
    • G06F11/1446 Point-in-time backing up or restoration of persistent data
    • G06F11/1448 Management of the data involved in backup or backup restore
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/25 Integrating or interfacing systems involving database management systems
    • G06F16/252 Integrating or interfacing systems involving database management systems between a Database Management System and a front-end application
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45562 Creating, deleting, cloning virtual machine instances
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Mining & Analysis (AREA)
  • Quality & Reliability (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a SaaS multi-tenant data isolation method and system, comprising the following steps: creating a database cluster, configuring a dynamic storage volume, setting tenant identification rules, creating a data source in a software service, acquiring a data operation request, screening the database by using the identification rules, and completing data source switching. The advantages of the invention are as follows: the data operation request sent by the current tenant is acquired, and the tenant identifier in that request is used to switch the database connection. Complete isolation is achieved in terms of data isolation, while the Kubernetes container management platform is used to improve the development efficiency of SaaS products and reduce operation and maintenance costs.

Description

A SaaS multi-tenant data isolation method and system

Technical field

The present invention relates to the field of computer technology, and in particular to a method and system for multi-tenant data isolation based on tenant attributes.

Background

SaaS is short for Software-as-a-Service. It is a model of providing software over the Internet: the vendor deploys the application software centrally on its own servers, and tenants rent it on demand. With a conventional single-tenant architecture, the vendor has to deploy multiple software services, each with its own database, for different tenants, which increases operation and maintenance costs and prevents rapid delivery.

Summary of the invention

In view of the shortcomings of the prior art, the present invention provides a SaaS multi-tenant data isolation method and system. It obtains the data operation request sent by the current tenant and uses the tenant identifier in that request to switch the database connection. Complete isolation is achieved in terms of data isolation, and the Kubernetes container management platform is used to improve SaaS product development efficiency while reducing operation and maintenance costs.

To achieve the above object, the present invention adopts the following technical solution:

A SaaS multi-tenant data isolation method, including the following steps:

1) Create a database cluster: use a Kubernetes StatefulSet to create the database cluster. The StatefulSet ensures that each tenant's database has a unique name and IP address, to ensure database isolation and reliability.

2) Configure dynamic storage volumes: use the Kubernetes dynamic storage volume feature to store data in an external storage system, to improve the scalability and availability of the database.

3) Set tenant identification rules: define tenant identification rules that associate each tenant with its database. The rules can be based on a domain name, account login name, or other unique identifier.

4) Create data sources in the software service: when the software service starts, create the data sources for all tenants. A data source should contain information such as the tenant's database name, IP address, and port number.

5) Obtain the data operation request: the software service obtains the data operation request from the client. A data operation request can query, update or delete data; related information such as the client type, identifier, request path and user attributes must also be obtained.

6) Screen the database using the identification rules: use the tenant identification rules to screen the database, to ensure that only the tenant can access its own database. Based on the tenant identifier in the request, route the request to the corresponding database.

7) Complete data source switching: according to the data operation request, switch the data source to the corresponding database. Ensure that the data operation request is sent to the correct database for the data read, write, or delete operation.

Further, the SaaS multi-tenant data isolation method also includes data encryption: encryption techniques are used to protect the security of the data, including symmetric encryption, asymmetric encryption and hash functions.

Further, the SaaS multi-tenant data isolation method also includes database auditing: database auditing is implemented to track access to the database, in order to identify abnormal activity and prevent data leakage.

Further, the SaaS multi-tenant data isolation method also includes data backup: data is backed up regularly to prevent data loss or damage. Backup is implemented with techniques including physical backup, mirroring and replication.

The invention discloses a SaaS multi-tenant data isolation system that can be used to implement the SaaS multi-tenant data isolation method described above. Specifically, it includes:

Tenant management module, including the following functions:

User registration and authentication: allows users to register and authenticate in order to obtain permission to access the tenant system.

Tenant creation and configuration: allows administrators to create and configure tenants, including setting the tenant's name, identifier, and access permissions.

Tenant permission management: allows administrators to assign and manage tenants' permissions, limiting the scope of their access to and operation of the system.

Tenant data isolation: ensures that each tenant's data is isolated within the system and can be accessed and operated on only by that tenant.

Database management module, including the following functions:

Database cluster management: creates and manages multiple database clusters, each cluster storing the data of one or more tenants.

Database allocation and maintenance: assigns each tenant to an independent database to ensure data isolation and reliability.

Database backup and recovery: backs up the databases regularly and provides a recovery mechanism to prevent data loss or corruption.

Data isolation and access control module, including the following functions:

Data partitioning and isolation: uses multi-tenant data partitioning to store each tenant's data in a separate database, ensuring isolation between tenants' data.

Access control and permission management: sets access permissions for each tenant, limiting the range of data it can access and operate on.

Data encryption and security: uses encryption techniques to protect the security of the data, encrypting it in transit and in storage.

Data operation and query module, including the following functions:

Data query and filtering: allows tenants to perform data query and filtering operations, obtaining and operating on data according to their permissions and access level.

Data update and deletion: allows tenants to update and delete the data they own, ensuring data integrity and consistency.

Data operation logs and auditing: records all data operation and query logs, so that the history of data access and changes can be audited and traced.

System monitoring and reporting module, including the following functions:

System performance monitoring: monitors system performance and resource usage to ensure system stability and reliability.

Error and exception handling: captures and handles errors and exceptions that occur in the system to ensure system availability and stability.

High availability and failover: implements a high-availability architecture to ensure system continuity and reliability, so that the system keeps running even in the event of hardware failure or network outage.

Reporting and analysis: generates and provides various reports and analyses, including tenant usage, system performance, and data access statistics.

The invention also discloses a computer device, which includes a memory, a processor and a computer program stored in the memory and executable on the processor. When the processor executes the program, it implements the above SaaS multi-tenant data isolation method.

The invention also discloses a computer-readable storage medium on which a computer program is stored. When the program is executed by a processor, the above SaaS multi-tenant data isolation method is implemented.

Compared with the prior art, the advantages of the present invention are:

Physical isolation between tenants' data is achieved; each tenant's data is completely separate, which improves data security. Deploying database instances with container orchestration technology greatly reduces operation and maintenance costs and simplifies data management and backup. The custom dynamic data source switches automatically based on the user's tenant identifier, so no additional handling is needed during business software development, which improves application development and iteration efficiency.

Description of the drawings

Figure 1 is a flow chart of SaaS multi-tenant data isolation according to an embodiment of the present invention.

Detailed description

To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawing and embodiments.

As shown in Figure 1, the present invention provides a SaaS multi-tenant data isolation method, which includes the following steps:

1) Create a database;

Using a Kubernetes StatefulSet simplifies database installation. StatefulSet is a special type of Kubernetes deployment that ensures that each tenant's database has a unique name and IP address. This helps ensure database isolation and reliability.

2) Configure dynamic storage volumes;

Dynamic storage volumes are a Kubernetes feature that allows data to be stored in external storage systems. This helps improve database scalability and availability.

3) Set tenant identification rules;

A tenant identification rule is a way of associating a tenant with its database. Tenant identification rules can be based on domain names, account login names, or other unique identifiers.

4) Create data sources in the software service;

The software service should create the data sources for all tenants when it starts. A data source should contain the tenant's database name, IP address, and port number.

5) Obtain the data operation request;

The software service should obtain the data operation request from the client. A data operation request can query, update or delete data; related information such as the client type, identifier, request path and user attributes must also be obtained.

6) Screen the database using the identification rules;

The software service should use the tenant identification rules to screen the database. This helps ensure that only the tenant can access its own database.

7) Complete the data source switching;

The software service should complete the data source switch according to the data operation request. This helps ensure that the data operation request is sent to the correct database.
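Steps 3) to 7) as an added Python example, not code from the patent: the tenant is identified from the request domain, all data sources are built at start-up, and each request is routed to that tenant's database only. Assumptions: the domain `saas.example`, the tenant names, the constructed host names, the `orders` table, in-memory SQLite databases standing in for the per-tenant instances, and the check that the domain-derived tenant matches the tenant bound to the authenticated session.

```python
import re
import sqlite3
from dataclasses import dataclass

BASE_DOMAIN = "saas.example"  # assumed service domain (constructed)
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


class TenantError(Exception):
    """The request cannot be tied to exactly one known tenant."""


@dataclass(frozen=True)
class DataSource:
    tenant_id: str
    db_name: str
    host: str  # constructed; stands for the database pod's stable DNS name
    port: int


class TenantRouter:
    def __init__(self, sources):
        # Step 4: build every tenant's data source once, at service start.
        self._sources = {s.tenant_id: s for s in sources}
        self._conns = {}
        for s in sources:
            # Stand-in for a real connection: one private database per tenant.
            conn = sqlite3.connect(":memory:")
            conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, item TEXT)")
            self._conns[s.tenant_id] = conn
        self.audit = []  # (decision, tenant or host, user, operation)

    def resolve(self, host_header, session_tenant):
        # Step 3: identification rule = left-most label of the request domain.
        host = host_header.lower().split(":")[0].rstrip(".")
        suffix = "." + BASE_DOMAIN
        if not host.endswith(suffix):
            raise TenantError("host outside service domain")
        label = host[: -len(suffix)]
        # Step 6: fail closed when the label is malformed or not registered.
        if not LABEL.fullmatch(label) or label not in self._sources:
            raise TenantError("unknown tenant")
        # The domain is supplied by the client, so it must agree with the
        # tenant bound to the authenticated session (assumed to exist).
        if label != session_tenant:
            raise TenantError("tenant mismatch")
        return label

    def execute(self, request, sql, params=()):
        # Steps 5-7: read the request, pick the data source, run the query.
        op = sql.split()[0].upper()
        try:
            tenant = self.resolve(request["host"], request["session_tenant"])
        except TenantError:
            self.audit.append(("deny", request["host"], request["user"], op))
            raise
        self.audit.append(("allow", tenant, request["user"], op))
        conn = self._conns[tenant]
        rows = conn.execute(sql, params).fetchall()
        conn.commit()
        return rows


def demo():
    router = TenantRouter([
        DataSource("acme", "acme_db", "db-acme-0.db-acme.tenants.svc.cluster.local", 5432),
        DataSource("globex", "globex_db", "db-globex-0.db-globex.tenants.svc.cluster.local", 5432),
    ])
    alice = {"host": "acme.saas.example", "session_tenant": "acme", "user": "alice"}
    bob = {"host": "globex.saas.example", "session_tenant": "globex", "user": "bob"}
    router.execute(alice, "INSERT INTO orders (item) VALUES (?)", ("widget",))
    result = {
        "acme_rows": router.execute(alice, "SELECT item FROM orders"),
        "globex_rows": router.execute(bob, "SELECT item FROM orders"),
    }
    # Two requests that must not be routed: a session whose tenant differs
    # from the requested domain, and a tenant that was never registered.
    rejected = []
    for req in (dict(bob, host="acme.saas.example"),
                dict(bob, host="initech.saas.example", session_tenant="initech")):
        try:
            router.execute(req, "SELECT item FROM orders")
        except TenantError as exc:
            rejected.append(str(exc))
    result["rejected"] = rejected
    result["audit"] = router.audit
    return result


if __name__ == "__main__":
    print(demo())
```

Denied requests are written to the same audit list as routed ones, so a run of `deny` entries for one user is visible to whatever consumes the audit log.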

Here are some additional considerations:

Data encryption

Data encryption can be used to protect data from unauthorized access. Data encryption can be implemented with various techniques, such as symmetric encryption, asymmetric encryption and hash functions.

Database auditing

Database auditing can be used to track access to the database. Database auditing can be used to identify abnormal activity and prevent data leakage.

Data backup

Data backup can be used to protect data from loss or damage. Data backup can be implemented with various techniques, such as physical backup, mirroring and replication.

By using the above methods and techniques, data security in the SaaS environment can be ensured and data leakage prevented.

In yet another embodiment of the present invention, a SaaS multi-tenant data isolation system is provided. The system can be used to implement the SaaS multi-tenant data isolation method described above. Specifically, it includes:

Tenant management module, including the following functions:

User registration and authentication: allows users to register and authenticate in order to obtain permission to access the tenant system.

Tenant creation and configuration: allows administrators to create and configure tenants, including setting the tenant's name, identifier, access permissions, etc.

Tenant permission management: allows administrators to assign and manage tenants' permissions, limiting the scope of their access to and operation of the system.

Tenant data isolation: ensures that each tenant's data is isolated within the system and can be accessed and operated on only by that tenant.

Database management module, including the following functions:

Database cluster management: creates and manages multiple database clusters, each cluster storing the data of one or more tenants.

Database allocation and maintenance: assigns each tenant to an independent database to ensure data isolation and reliability.

Database backup and recovery: backs up the databases regularly and provides a recovery mechanism to prevent data loss or corruption.

Data isolation and access control module, including the following functions:

Data partitioning and isolation: uses multi-tenant data partitioning to store each tenant's data in a separate database, ensuring isolation between tenants' data.

Access control and permission management: sets access permissions for each tenant, limiting the range of data it can access and operate on.

Data encryption and security: uses encryption techniques to protect the security of the data, encrypting it in transit and in storage.

Data operation and query module, including the following functions:

Data query and filtering: allows tenants to perform data query and filtering operations, obtaining and operating on data according to their permissions and access level.

Data update and deletion: allows tenants to update and delete the data they own, ensuring data integrity and consistency.

Data operation logs and auditing: records all data operation and query logs, so that the history of data access and changes can be audited and traced.

System monitoring and reporting module, including the following functions:

System performance monitoring: monitors system performance and resource usage to ensure system stability and reliability.

Error and exception handling: captures and handles errors and exceptions that occur in the system to ensure system availability and stability.

High availability and failover: implements a high-availability architecture to ensure system continuity and reliability, so that the system keeps running even in the event of hardware failure or network outage.

Reporting and analysis module, including the following functions: generates and provides various reports and analyses, including tenant usage, system performance and data access statistics, etc.

These functional modules work together to ensure that the SaaS multi-tenant data isolation system can store, access and operate on the data of different tenants securely and reliably.

In yet another embodiment of the present invention, a terminal device is provided. The terminal device includes a processor and a memory. The memory is used to store a computer program, the computer program includes program instructions, and the processor is used to execute the program instructions stored in the computer storage medium. The processor may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. It is the computing core and control core of the terminal and is suited to implementing one or more instructions, specifically to loading and executing one or more instructions so as to implement the corresponding method flow or function. The processor described in this embodiment of the present invention can be used to perform the operations of the SaaS multi-tenant data isolation method.

In yet another embodiment of the present invention, a storage medium is also provided, specifically a computer-readable storage medium (memory). The computer-readable storage medium is a memory device in a terminal device and is used to store programs and data. It can be understood that the computer-readable storage medium here may include a built-in storage medium of the terminal device and may also include an extended storage medium supported by the terminal device. The computer-readable storage medium provides storage space, and the storage space stores the operating system of the terminal. One or more instructions suitable for being loaded and executed by the processor are also stored in the storage space; these instructions may be one or more computer programs (including program code). It should be noted that the computer-readable storage medium here may be a high-speed RAM memory or a non-volatile memory, such as at least one disk memory.

One or more instructions stored in the computer-readable storage medium can be loaded and executed by the processor to implement the corresponding steps of the SaaS multi-tenant data isolation method in the above embodiments; the one or more instructions in the computer-readable storage medium are loaded by the processor, which executes the SaaS multi-tenant data isolation method.

Those skilled in the art will appreciate that embodiments of the present invention may be provided as methods, systems, or computer program products. Thus, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.

The invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the invention. It will be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, causing a series of operating steps to be performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

Those of ordinary skill in the art will realize that the embodiments described here are intended to help readers understand how the present invention is implemented, and it should be understood that the protection scope of the present invention is not limited to these specific statements and embodiments. Those of ordinary skill in the art can, based on the technical teachings disclosed by the present invention, make various other specific modifications and combinations that do not depart from the essence of the present invention, and these modifications and combinations remain within the protection scope of the present invention.

Claims (7)

1. A SaaS multi-tenant data isolation method, characterized by comprising the following steps:

1) Create a database cluster: use a Kubernetes StatefulSet to create the database cluster; the StatefulSet ensures that each tenant's database has a unique name and IP address, to ensure database isolation and reliability;

2) Configure dynamic storage volumes: use the dynamic storage volume function of Kubernetes to store data in an external storage system, to improve the scalability and availability of the database;

3) Set tenant identification rules: define tenant identification rules used to associate each tenant with its database; a rule can be defined based on a domain name, an account login name, or another unique identifier;

4) Create data sources in the software service: when the software service starts, create data sources for all tenants; each data source should include the tenant's database name, IP address and port number;

5) Obtain the data operation request: the software service obtains a data operation request from the client; data operation requests include querying, updating or deleting data, and the following must also be obtained: client type, identifier, request path and user attributes;

6) Filter databases using the identification rules: use the tenant identification rules to filter databases, to ensure that only the tenant can access its own database; route the request to the corresponding database according to the tenant identifier in the request;

7) Complete the data source switch: according to the data operation request, switch the data source to the corresponding database; ensure that the data operation request is sent to the correct database for the data read, write or delete operation.

2. The SaaS multi-tenant data isolation method according to claim 1, characterized in that the method further includes data encryption: using encryption technology to protect the security of data, including symmetric encryption, asymmetric encryption and hash functions.

3. The SaaS multi-tenant data isolation method according to claim 1, characterized in that the method further includes database auditing: implementing database auditing to track access to the database, in order to identify abnormal activity and prevent data leakage.

4. The SaaS multi-tenant data isolation method according to claim 1, characterized in that the method further includes data backup: backing up data regularly to prevent data loss or damage, with backup implemented using physical backup, mirroring and replication technologies.

5. A SaaS multi-tenant data isolation system, characterized in that the system can be used to implement the SaaS multi-tenant data isolation method according to one of claims 1 to 4, and specifically includes:

A tenant management module, including the following functions:
- User registration and authentication: allow users to register and authenticate to obtain permission to access the tenant system;
- Tenant creation and configuration: allow administrators to create and configure tenants, including setting the tenant's name, identifier and access rights;
- Tenant permission management: allow administrators to assign and manage tenant permissions, limiting the scope of their access to and operation of the system;
- Tenant data isolation: ensure that each tenant's data is isolated in the system and can only be accessed and operated on by that tenant;

A database management module, including the following functions:
- Database cluster management: create and manage multiple database clusters, each cluster storing the data of one or more tenants;
- Database allocation and maintenance: assign each tenant to an independent database to ensure data isolation and reliability;
- Database backup and recovery: back up the database regularly and provide a recovery mechanism to prevent data loss or damage;

A data isolation and access control module, including the following functions:
- Data partitioning and isolation: use multi-tenant data partitioning technology to store each tenant's data in a separate database, ensuring isolation between data;
- Access control and permission management: set access permissions for each tenant to limit the range of data it can access and operate on;
- Data encryption and security: use encryption technology to protect the security of data, encrypting it during transmission and storage;

A data operation and query module, including the following functions:
- Data query and filtering: allow tenants to perform data query and filtering operations, obtaining and operating on data according to their permissions and access levels;
- Data update and deletion: allow tenants to update and delete the data they own, ensuring data integrity and consistency;
- Data operation logs and auditing: record all data operation and query logs, so that data access and change history can be audited and traced;

A system monitoring and reporting module, including the following functions:
- System performance monitoring: monitor system performance and resource usage to ensure system stability and reliability;
- Error and exception handling: capture and handle errors and exceptions that occur in the system to ensure system availability and stability;
- High availability and failover: implement a high-availability architecture to ensure system continuity and reliability, so that the system runs normally even in the event of hardware failure or network outage;
- Reporting and analysis: generate and provide various reports and analyses, including tenant usage, system performance and data access statistics.

6. A computer device, characterized by comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the SaaS multi-tenant data isolation method according to one of claims 1 to 4.

7. A computer-readable storage medium, characterized in that a computer program is stored thereon, and when the program is executed by a processor, the SaaS multi-tenant data isolation method according to one of claims 1 to 4 is implemented.
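
Steps 3) to 7) of claim 1 can be sketched as follows. This is an added example, not code from the patent or its applicant: in-memory SQLite connections stand in for the per-tenant databases, and the `saas.example` domain, the request fields, all function names, and the check that the user's tenant attribute matches the routed tenant are assumptions made for illustration.

```python
import sqlite3
from dataclasses import dataclass

class TenantIsolationError(Exception):
    """Raised whenever a request cannot be bound to exactly one tenant database."""

@dataclass(frozen=True)
class DataSource:          # step 4: database name, IP address and port number
    db_name: str
    ip: str                # constructed sample value
    port: int
    conn: sqlite3.Connection   # in-memory stand-in for the tenant's real database

def tenant_from_domain(host_header, base_domain="saas.example"):
    """Step 3 rule (assumed): the tenant is the single label before base_domain."""
    host = host_header.split(":")[0].lower().rstrip(".")
    suffix = "." + base_domain
    if not host.endswith(suffix):
        raise TenantIsolationError("host is outside the service domain")
    label = host[: -len(suffix)]
    if not (label.isascii() and label.isalnum()):
        raise TenantIsolationError("malformed tenant label")
    return label

def build_registry(tenants):
    """Step 4: create one data source per tenant at service start-up."""
    registry = {}
    for i, tenant in enumerate(tenants):
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, item TEXT)")
        registry[tenant] = DataSource(f"db_{tenant}", f"10.0.0.{10 + i}", 3306, conn)
    return registry

def route(registry, request):
    """Steps 5-7: resolve the tenant, filter the registry, switch data source."""
    tenant = tenant_from_domain(request["host"])
    if tenant not in registry:
        raise TenantIsolationError("no data source for tenant")
    # Assumed extra check: the authenticated user's tenant attribute must match
    # the tenant named by the request, so a valid login cannot pick another DB.
    if request["user"].get("tenant") != tenant:
        raise TenantIsolationError("user is not a member of the requested tenant")
    return registry[tenant]

def list_orders(registry, request):
    """A query that only ever runs against the data source route() selected."""
    rows = route(registry, request).conn.execute("SELECT item FROM orders ORDER BY id")
    return [item for (item,) in rows]
```

Every failure path raises instead of falling back to a default data source, so an unknown or malformed tenant identifier never reaches any database.
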
CN202311330551.XA 2023-10-13 2023-10-13 A SaaS multi-tenant data isolation method and system Pending CN117389684A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311330551.XA CN117389684A (en) 2023-10-13 2023-10-13 A SaaS multi-tenant data isolation method and system

Publications (1)

Publication Number Publication Date
CN117389684A true CN117389684A (en) 2024-01-12

Family

ID=89471454

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311330551.XA Pending CN117389684A (en) 2023-10-13 2023-10-13 A SaaS multi-tenant data isolation method and system

Country Status (1)

Country Link
CN (1) CN117389684A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108737325A (en) * 2017-04-13 2018-11-02 华为技术有限公司 A kind of multi-tenant data partition method, apparatus and system
CN110163002A (en) * 2019-05-29 2019-08-23 上海有谱网络科技有限公司 A kind of method of SaaS software tenant data isolation
CN112100262A (en) * 2020-09-16 2020-12-18 南京智数云信息科技有限公司 Method and system for quickly building and dynamically expanding multi-tenant software as a service (SaaS) platform
CN115878361A (en) * 2022-12-29 2023-03-31 山石网科通信技术股份有限公司 Node management method and device for database cluster and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"《Kubernetes微服务实战[M]》", 30 June 2020, 机械工业出版社, pages: 168 - 169 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117692871A (en) * 2024-01-31 2024-03-12 江西掌中无限网络科技股份有限公司 A system and method for multi-tenant access and multi-protocol push 5G messages
CN118484796A (en) * 2024-07-15 2024-08-13 宁波安得智联科技有限公司 Tenant rights management method, system, device and medium for SaaS platform
CN120849499A (en) * 2025-09-24 2025-10-28 北京纷扬科技有限责任公司 SaaS multi-tenant observability platform, observation methods and computing equipment
CN120849499B (en) * 2025-09-24 2025-11-21 北京纷扬科技有限责任公司 SaaS multi-tenant observable platform, observation methods and computing devices

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20240112