CN114826738B - Multi-tenant implementation method, processor and device based on SSO user system - Google Patents


Info

Publication number: CN114826738B
Authority: CN (China)
Prior art keywords: user, tenant, login request, sso, data
Legal status: Active
Application number: CN202210448360.2A
Other languages: Chinese (zh)
Other versions: CN114826738A
Inventors: 李亚平, 翟锦修, 古宏
Current assignee: Guangzhou Xinjing Information Technology Service Co ltd
Original assignee: Guangzhou Xinjing Information Technology Service Co ltd
Application filed by Guangzhou Xinjing Information Technology Service Co ltd
Priority to CN202210448360.2A
Publication of CN114826738A
Application granted
Publication of CN114826738B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

The application relates to a multi-tenant implementation method, a processor and a device based on an SSO user system. The method comprises the following steps: acquiring a first login request of a user through an SSO background management system; determining a tenant identifier corresponding to the user according to the first login request; creating a second login request of the user for the SAAS system based on the tenant identifier, wherein the second login request carries the tenant identifier; and the SAAS system determining the data authority of the user according to the second login request and returning the data corresponding to that data authority to the user, so as to realize data isolation.

Description

Multi-tenant implementation method, processor and device based on SSO user system
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, a processor, an apparatus, a computer device, and a storage medium for implementing multiple tenants based on an SSO user system.
Background
Multi-tenancy means that a single, even dynamically scalable, system instance provides system services to multiple enterprises. Multi-tenant technology delivers the same or even customizable services to multiple clients within a common data center, on a single system architecture and service, while still guaranteeing data isolation between enterprise clients. A system supporting multi-tenant technology must virtually partition its data and configuration at design time, so that each tenant or organization can use a single system instance and configure its rented instance according to its own needs.
In prior-art systems of the B/S (browser/server) architecture, most system developers cannot serve multiple users at the same time: services are customized separately for each user's requirements, and every new client development requires a separate deployment of the code base and an initialization customization, so the process is complex and lengthy.
Disclosure of Invention
The embodiment of the application aims to provide a multi-tenant implementation method, device, computer equipment and storage medium based on an SSO user system.
To achieve the above object, a first aspect of the present application provides a multi-tenant implementation method based on an SSO user system, including:
acquiring a first login request of a user through an SSO background management system;
determining a tenant identifier corresponding to the user according to the first login request;
creating a second login request of the user for the SAAS system based on the tenant identifier, wherein the second login request carries the tenant identifier;
the SAAS system determining the data authority of the user according to the second login request, and returning the data corresponding to the data authority to the user so as to realize data isolation.
In an embodiment of the present application, further comprising: a field for tenant identification is added for each data table in the SAAS system database.
In an embodiment of the application, the method further comprises: adding tenants through an SSO background management system, and generating tenant identifications of each tenant; for each tenant identification, associating and binding a corresponding system, and adding resources under the system; for each tenant identity, a user and a user identity corresponding to the tenant identity are added and associated.
In an embodiment of the present application, determining, according to a first login request, a tenant identifier corresponding to a user includes: the call request interceptor acquires the first login request, and analyzes the first login request through the user information analyzer to acquire user information carried by the first login request, wherein the user information comprises tenant identifications corresponding to users.
In an embodiment of the present application, creating a second login request for the SAAS system by the user based on the tenant identifier comprises: the tenant identifier is added to each SQL statement by an auto-filler, so as to automatically create the second login request of the user for the SAAS system.
In an embodiment of the present application, creating a second login request for the SAAS system by the user based on the tenant identity comprises: for each user, an independent thread is created, and the threads corresponding to different users are isolated from each other.
In an embodiment of the present application, the SAAS system determines a data authority of a user according to a second login request, and returns data corresponding to the data authority to the user, so as to implement data isolation, including: after the SAAS system receives the second login request, userToken of the user is created, a session is generated, and the tenant identification of the user is stored in the user information of the user.
A second aspect of the present application provides a processor configured to perform the multi-tenant implementation method based on an SSO user system as described above.
A third aspect of the present application provides a multi-tenant implementation apparatus based on an SSO user system, the apparatus comprising a processor for the multi-tenant implementation method based on an SSO user system.
A fourth aspect of the present application provides a computer device, including a memory and a processor, where the memory stores a computer program, and the processor implements the multi-tenant implementation method based on an SSO user system when executing the computer program.
According to the multi-tenant implementation method, device, computer equipment and storage medium based on the SSO user system, a first login request of a user is obtained through an SSO background management system; a tenant identifier corresponding to the user is determined according to the first login request; a second login request of the user for the SAAS system is created based on the tenant identifier, wherein the second login request carries the tenant identifier; and the SAAS system determines the data authority of the user according to the second login request and returns the data corresponding to the data authority to the user, so as to realize data isolation. On the system level, functions are modularized, resources are configured, and data is kept private; system security is improved and the complexity of the technical implementation is reduced.
Drawings
The accompanying drawings are included to provide a further understanding of embodiments of the application and are incorporated in and constitute a part of this specification; they illustrate embodiments of the application and together with the description serve to explain, without limitation, the embodiments of the application. In the accompanying drawings:
FIG. 1 schematically illustrates a flow diagram of a multi-tenant implementation method based on an SSO user system, in accordance with an embodiment of the present application;
FIG. 2 schematically illustrates a SAAS service architecture diagram according to an embodiment of the present application;
FIG. 3 schematically illustrates a schematic diagram of a multi-tenant implementation method based on an SSO user system, according to an embodiment of the application;
FIG. 4 schematically illustrates a timing diagram of a multi-tenant implementation method based on an SSO user system, in accordance with an embodiment of the application;
FIG. 5 schematically illustrates a SAAS multi-tenant architecture diagram in accordance with an embodiment of the present application;
FIG. 6 schematically shows an internal structural view of a computer device according to an embodiment of the present application.
Detailed Description
The following describes the detailed implementation of the embodiments of the present application with reference to the drawings. It should be understood that the detailed description and specific examples, while indicating and illustrating the application, are not intended to limit the application.
Fig. 1 schematically shows a flow diagram of a multi-tenant implementation method based on an SSO user system according to an embodiment of the application. As shown in fig. 1, in an embodiment of the present application, there is provided a multi-tenant implementation method based on an SSO user system, including the following steps:
Step 101, obtaining a first login request of a user through an SSO background management system.
Step 102, determining a tenant identifier corresponding to the user according to the first login request.
Step 103, creating a second login request of the user for the SAAS system based on the tenant identifier, wherein the second login request carries the tenant identifier.
Step 104, the SAAS system determines the data authority of the user according to the second login request and returns the data corresponding to the data authority to the user so as to realize data isolation.
The SSO background management system is a single sign-on background management system through which a user authenticates once. Once a user has logged in to the identity authentication server, the user obtains the authority to access the other related systems and application software in the single sign-on system, and no administrator needs to modify the user's login state or other information; that is, by logging in once the user can access all mutually trusted application systems among the plurality of application systems. Tenants may be added in the SSO system, where a tenant may be understood as a project, team or organization; adding a tenant in the SSO system creates a unique identifier for that tenant in the database. That is, each tenant has its own unique tenant ID. After the tenant has been added successfully, users can be added under the tenant, each user is bound to the tenant, a plurality of users can be added under one tenant, and all users bound under a tenant carry that tenant's unique identifier. A bound system can be configured for the tenant, resources can be added in the bound system, and the rights of the users added under the SSO tenant can be configured individually. When a user logs in to the SSO system, a login request is triggered, the SSO background management system acquires this first login request of the user, and the tenant identifier corresponding to the user is determined from the information in the login request.
As shown in the architecture diagram of fig. 2 and the flowchart of fig. 3, the service system may create a second login request of the user for the SAAS system based on the tenant identifier corresponding to the user, where the service system may be the SSO background management system. The second login request carries the tenant identifier. The SAAS system may be a software-as-a-service system; it may determine the data authority of the user according to the second login request initiated by the service system, that is, search the service database for the resources corresponding to the user's tenant identifier, and return the resources that the tenant is allowed to view to the SSO background management system for the user to review or operate on; the resources may be, for example, service tables. In this way, data isolation between different tenants is realized. For example, assume that the SAAS system is a financial system comprising report management, enterprise data management, credential management and the like. A tenant is added in the SSO system, the financial system is bound to the added tenant, the report management, enterprise data management and credential management resources are added to the financial system, and a plurality of users are added under the tenant. When a user under the tenant logs in to the financial system, the system acquires the tenant identifier of the logged-in user, determines the user's authority through the tenant identifier and returns the data authority of the user, and the user can then operate on the resources in the financial system. Further, each tenant corresponds to an organization, and each organization contains a plurality of users. Each tenant also corresponds to a different system under which different resources are stored, so that data management and isolation are achieved for each tenant.
In one embodiment, further comprising: a field for tenant identification is added for each data table in the SAAS system database.
A tenant identifier field is added to each data table in the SAAS system database, the SAAS system being a software-as-a-service system. Taking an SSO system as the service system: a tenant is added in the SSO system, a unique identifier of the tenant is created in the database after the tenant is added, the resources of the bound SAAS system are configured for the tenant, and a field for the tenant's unique identifier is added to the SAAS system database. When a user logs in to the SAAS system, the unique tenant identifier of the user is obtained, and the user's authority in the SAAS system can be queried through that unique tenant identifier.
In one embodiment, the method further comprises: adding tenants through an SSO background management system, and generating tenant identifications of each tenant; for each tenant identification, associating and binding a corresponding system, and adding resources under the system; for each tenant identity, a user and a user identity corresponding to the tenant identity are added and associated.
Tenants are added through the SSO background management system and a tenant identifier is generated for each tenant; the unique identifier of each tenant is stored in the database. Then, for each tenant identifier, a corresponding system is associated and bound, where the system may be a financial system, an order system or the like, and resources are added under the system; the added resources are the functional modules of the system. For each tenant identifier, users and the user identifiers corresponding to that tenant identifier are added and associated. When a user logs in, the unique tenant identifier of the user is obtained and the authority of the user is obtained through the unique tenant identifier.
As shown in the timing diagram of fig. 4, first, a user may log in to the SSO background management system, which triggers the login to the SAAS system. The SAAS system verifies the login information entered by the user to check whether it passes verification. After the user's login information has been verified, login-success information can be returned to the user's login interface. It is then checked whether the logged-in user has a plurality of tenants. If not, the user has only one tenant: the user's tenant id is acquired directly and the resources corresponding to that tenant id are queried in the database. If so, a plurality of tenants are bound under the user: the user selects a tenant id, the data query is performed according to the tenant id selected by the user, and the resources corresponding to the selected tenant id are returned to the user.
In one embodiment, determining, according to the first login request, a tenant identity corresponding to the user includes: the call request interceptor acquires the first login request, and analyzes the first login request through the user information analyzer to acquire user information carried by the first login request, wherein the user information comprises tenant identifications corresponding to users.
After the user enters the user login information on the login page, the first login request of the user is obtained through the SSO background management system, and determining the tenant identifier corresponding to the user according to the first login request comprises the following steps. The request interceptor is called to acquire the first login request; the request interceptor intercepts the login information entered by the user at login, performs the login judgment on the user according to that login information, and queries the user's basic data in the user table. The first login request is then analyzed by the user information analyzer, which splits and parses the user login information to acquire the user information carried by the first login request; the user information comprises the tenant identifier corresponding to the user, and the user's authority is acquired through the tenant identifier.
In one embodiment, creating a second login request for the SAAS system by the user based on the tenant identity comprises: the tenant identity is added to each SQL statement by an autopopulator to automatically create a second login request by the user for the SAAS system.
Creating a second login request for the SAAS system by the user based on the tenant identity comprises: the tenant identity is added to each SQL statement by an auto-populator, where the auto-populator is operated upon by a user to automatically create a second login request by the user for the SAAS system. After the user request thread obtains the tenant id, carrying out SQL semantic analysis and interception on the database through an SQL analyzer, adding a tenant unique identification condition into each SQL sentence through an automatic filler, thereby achieving multi-tenant data isolation of a shared database, a shared schema and a shared data table mode in the system, wherein the schema is a framework of the database and is equivalent to one database service after the database system is installed, and finally, a service processor returns the database data corresponding to the tenant according to the user request.
In one embodiment, creating a second login request for the SAAS system by the user based on the tenant identity comprises: for each user, an independent thread is created, and the threads corresponding to different users are isolated from each other.
Creating a second login request of the user for the SAAS system based on the tenant identifier comprises: for each user, an independent thread is created, and the threads corresponding to different users are isolated from each other. The user information obtained after the user logs in contains the unique tenant identifier and is stored in the local thread; each user request creates an independent thread, isolated from the other threads, so that each user request performs multi-tenant data isolation according to the unique tenant identifier variable held in its local thread.
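The three mechanisms above (a tenant identifier column on every table, the tenant identifier held in the request's local thread, and an auto-filler that adds the tenant condition to every SQL statement) fit together as in the following added example, which is not code from the patent or its assignee; the table, tenant ids and the rewrite rules for the few statement shapes handled are constructed assumptions. It also shows the check a practitioner wants here: a request with no tenant bound is refused rather than run unscoped, and the filler keeps the tenant id as a bind parameter instead of splicing it into the SQL text.

```python
"""Tenant-scoped data access: every table carries a tenant_id column, the tenant
id resolved at SSO login is bound to the request's thread, and an auto-filler
appends a parameterised tenant condition to each SQL statement.
Added example with a constructed table and tenant ids (not the patent's code)."""
import re
import sqlite3
import threading

_ctx = threading.local()  # one request thread per user; holds that user's tenant


def set_current_tenant(tenant_id):
    """Called once the SSO login has yielded the user's tenant identifier."""
    _ctx.tenant_id = tenant_id


def clear_current_tenant():
    _ctx.tenant_id = None


def current_tenant():
    """Fail closed: a request with no tenant bound must not reach the data."""
    tenant = getattr(_ctx, "tenant_id", None)
    if tenant is None:
        raise PermissionError("no tenant identifier bound to this request")
    return tenant


_WHERE = re.compile(r"\bwhere\b", re.IGNORECASE)
_TAIL = re.compile(r"\b(order\s+by|group\s+by|limit)\b", re.IGNORECASE)
_INSERT = re.compile(
    r"insert\s+into\s+(\w+)\s*\(([^)]*)\)\s*values\s*\(([^)]*)\)$", re.IGNORECASE)


def add_tenant_condition(sql):
    """Auto-filler: return (scoped_sql, extra_params) for one statement.

    The tenant id is always passed as a trailing bind parameter, never spliced
    into the SQL text, so the added predicate stays parameterised. Statement
    shapes beyond the simple ones handled here are refused rather than passed
    through unscoped (an assumption of this example, not of the page).
    """
    tenant = current_tenant()
    sql = sql.strip().rstrip(";")
    head = sql.split(None, 1)[0].upper()
    if head == "INSERT":
        m = _INSERT.match(sql)
        if not m:
            raise ValueError("unsupported INSERT shape: " + sql)
        table, cols, vals = m.groups()
        return f"INSERT INTO {table} ({cols}, tenant_id) VALUES ({vals}, ?)", (tenant,)
    if head not in ("SELECT", "UPDATE", "DELETE"):
        raise ValueError("refusing to run unscoped statement: " + sql)
    if _WHERE.search(sql):
        # wrap the statement's own predicate so an OR inside it cannot widen
        # the tenant filter, then AND the tenant condition onto it
        before, after = _WHERE.split(sql, maxsplit=1)
        tail = _TAIL.search(after)
        cond, rest = (after[: tail.start()], after[tail.start():]) if tail else (after, "")
        scoped = f"{before}WHERE ({cond.strip()}) AND tenant_id = ? {rest}"
    else:
        tail = _TAIL.search(sql)
        body, rest = (sql[: tail.start()], sql[tail.start():]) if tail else (sql, "")
        scoped = f"{body.rstrip()} WHERE tenant_id = ? {rest}"
    return scoped.rstrip(), (tenant,)


def execute(conn, sql, params=()):
    """Run one statement through the filler; the tenant bind value goes last."""
    scoped_sql, extra = add_tenant_condition(sql)
    return conn.execute(scoped_sql, tuple(params) + extra)


def demo():
    """Constructed walk-through with two tenants sharing one report table.
    Returns what each tenant sees and whether an unbound request is refused."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE report (id INTEGER, name TEXT, tenant_id TEXT)")
    set_current_tenant("tenant-A")
    execute(conn, "INSERT INTO report (id, name) VALUES (?, ?)", (1, "A-q1"))
    execute(conn, "INSERT INTO report (id, name) VALUES (?, ?)", (2, "A-q2"))
    set_current_tenant("tenant-B")
    execute(conn, "INSERT INTO report (id, name) VALUES (?, ?)", (3, "B-q1"))
    # tenant B: an unfiltered listing, and a predicate with OR naming A's row id
    seen_b = [r[0] for r in execute(conn, "SELECT name FROM report ORDER BY id")]
    seen_b_or = [r[0] for r in execute(
        conn, "SELECT name FROM report WHERE id = ? OR id = ?", (1, 3))]
    set_current_tenant("tenant-A")
    seen_a = [r[0] for r in execute(conn, "SELECT name FROM report ORDER BY id")]
    clear_current_tenant()
    try:
        execute(conn, "SELECT name FROM report")
        unbound_refused = False
    except PermissionError:
        unbound_refused = True
    return seen_a, seen_b, seen_b_or, unbound_refused
```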
In one embodiment, the SAAS system determines the data authority of the user according to the second login request, and returns the data corresponding to the data authority to the user, so as to realize data isolation, including: after the SAAS system receives the second login request, userToken of the user is created, a session is generated, and the tenant identification of the user is stored in the user information of the user.
As shown in the schematic diagram of fig. 5, when a user logs in to the SAAS system, the user information carried by the login request is obtained; this user information includes the tenant identifier corresponding to the user. The SAAS system determines the data authority of the user according to the second login request, queries the tenant's authority data in the SAAS database through the tenant identifier, and returns the data corresponding to that data authority to the user so as to realize data isolation. This includes: after the SAAS system receives the second login request, a UserToken for the user is created, a session is generated, and the tenant identifier of the user is stored in the user's user information. The UserToken is a unique user identifier generated at user login; the tenant identifier and user identifier of the user are stored in the user's user information, which can be queried through this unique user identifier.
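The login sequence of fig. 4 and the UserToken step above, as an added example that is not the patent's or its assignee's code: the SSO side verifies the first login request, resolves the tenants bound to the user and prompts for a choice only when there are several, then issues the second login request; the SAAS side creates the UserToken and a session recording the tenant id. The user directory, keys and the HMAC over the second login request are assumptions (the page does not say how the SAAS system authenticates that request), and the example also refuses a selected tenant that is not bound to the user, the check a practitioner wants on the selection step.

```python
"""SSO-side tenant resolution and SAAS-side UserToken/session creation.
Added example; users, passwords, keys and the request format are constructed."""
import hashlib
import hmac
import json
import secrets

# Constructed SSO user table: username -> (password hash, tenant ids bound to the user).
_SALT = b"constructed-demo-salt"


def _hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


SSO_USERS = {
    "alice": (_hash_pw("alice-pw"), ["tenant-A"]),
    "bob": (_hash_pw("bob-pw"), ["tenant-A", "tenant-B"]),
}

# Key shared by the SSO background management system and the SAAS system.
# Assumption of this example: the second login request is authenticated with an
# HMAC over its fields so the SAAS system only honours requests the SSO system made.
SSO_SAAS_KEY = b"constructed-shared-key"


def _sign(fields):
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(SSO_SAAS_KEY, body, "sha256").hexdigest()


def first_login(username, password, chosen_tenant=None):
    """SSO background management system: handle the first login request.

    Returns ("select", [tenant ids]) when the user is bound to several tenants
    and has not chosen one yet; otherwise returns the signed second login
    request carrying the tenant identifier.
    """
    rec = SSO_USERS.get(username)
    if rec is None or not hmac.compare_digest(rec[0], _hash_pw(password)):
        raise PermissionError("login verification failed")
    tenants = rec[1]
    if chosen_tenant is None:
        if len(tenants) > 1:
            return ("select", list(tenants))  # user must pick a tenant id
        chosen_tenant = tenants[0]
    # The chosen tenant must be one bound to this user in the SSO tenant table;
    # the tenant id is never taken from the client on trust.
    if chosen_tenant not in tenants:
        raise PermissionError("tenant is not bound to this user")
    fields = {"user_id": username, "tenant_id": chosen_tenant,
              "nonce": secrets.token_hex(8)}
    return {"fields": fields, "sig": _sign(fields)}


SESSIONS = {}  # SAAS side: UserToken -> user information


def saas_login(second_request):
    """SAAS system: verify the second login request, create the UserToken,
    generate the session and store the tenant identifier in the user info."""
    fields, sig = second_request["fields"], second_request["sig"]
    if not hmac.compare_digest(sig, _sign(fields)):
        raise PermissionError("second login request was not issued by the SSO system")
    user_token = secrets.token_urlsafe(24)
    SESSIONS[user_token] = {"user_id": fields["user_id"],
                            "tenant_id": fields["tenant_id"]}
    return user_token


def tenant_for_token(user_token):
    """Look up the tenant identifier a UserToken's session was created for."""
    info = SESSIONS.get(user_token)
    if info is None:
        raise PermissionError("unknown UserToken")
    return info["tenant_id"]


def demo():
    """Constructed walk-through; returns the observable outcomes."""
    alice_token = saas_login(first_login("alice", "alice-pw"))  # one tenant, no prompt
    prompt = first_login("bob", "bob-pw")                        # two tenants: must choose
    bob_req = first_login("bob", "bob-pw", chosen_tenant="tenant-B")
    bob_token = saas_login(bob_req)
    try:  # alice is not bound to tenant-B, so that selection is refused
        first_login("alice", "alice-pw", chosen_tenant="tenant-B")
        cross_tenant_refused = False
    except PermissionError:
        cross_tenant_refused = True
    altered = {"fields": dict(bob_req["fields"], tenant_id="tenant-A"), "sig": bob_req["sig"]}
    try:  # a second login request whose tenant id was changed after signing
        saas_login(altered)
        altered_refused = False
    except PermissionError:
        altered_refused = True
    return (tenant_for_token(alice_token), prompt, tenant_for_token(bob_token),
            cross_tenant_refused, altered_refused)
```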
The embodiment of the invention provides a processor for running a program, wherein the program, when run, executes the multi-tenant implementation method based on an SSO user system.
In one embodiment, a multi-tenant implementation device based on an SSO user system is provided, the device including the processor described above.
In one embodiment, a computer device is provided that includes a memory storing a computer program and a processor that, when executing the computer program, implements the multi-tenant implementation method based on an SSO user system. The computer device may be a terminal, and its internal structure may be as shown in fig. 6. The computer device includes a processor a01, a network interface a02, a display screen a04, an input device a05, and a memory (not shown in the figure), which are connected through a system bus. The processor a01 of the computer device provides computing and control capabilities. The memory of the computer device includes an internal memory a03 and a nonvolatile storage medium a06. The nonvolatile storage medium a06 stores an operating system B01 and a computer program B02. The internal memory a03 provides an environment for the operation of the operating system B01 and the computer program B02 in the nonvolatile storage medium a06. The network interface a02 of the computer device is used for communication with an external terminal through a network connection. The computer program, when executed by processor a01, implements the multi-tenant implementation method based on an SSO user system. The display screen a04 of the computer device may be a liquid crystal display screen or an electronic ink display screen, and the input device a05 of the computer device may be a touch layer covering the display screen, a key, track ball or touch pad arranged on the casing of the computer device, or an external keyboard, touch pad or mouse.
It will be appreciated by those skilled in the art that the structure shown in FIG. 6 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
The embodiment of the invention provides equipment comprising a processor, a memory and a program stored in the memory and capable of running on the processor, wherein the processor realizes the following steps when executing the program: acquiring a first login request of a user through an SSO background management system, and determining a tenant identifier corresponding to the user according to the first login request; creating a second login request of the user for the SAAS system based on the tenant identifier, wherein the second login request carries the tenant identifier; and the SAAS system determining the data authority of the user according to the second login request and returning the data corresponding to the data authority to the user, so as to realize data isolation.
In one embodiment, further comprising: a field for tenant identification is added for each data table in the SAAS system database.
In one embodiment, the method further comprises: adding tenants through an SSO background management system, and generating tenant identifications of each tenant; for each tenant identification, associating and binding a corresponding system, and adding resources under the system; for each tenant identity, a user and a user identity corresponding to the tenant identity are added and associated.
In one embodiment, determining, according to the first login request, a tenant identity corresponding to the user includes: the call request interceptor acquires the first login request, and analyzes the first login request through the user information analyzer to acquire user information carried by the first login request, wherein the user information comprises tenant identifications corresponding to users.
In one embodiment, creating a second login request for the SAAS system by the user based on the tenant identifier comprises: the tenant identifier is added to each SQL statement by an auto-filler, so as to automatically create the second login request of the user for the SAAS system.
In one embodiment, creating a second login request for the SAAS system by the user based on the tenant identity comprises: for each user, an independent thread is created, and the threads corresponding to different users are isolated from each other.
In one embodiment, the SAAS system determines the data authority of the user according to the second login request, and returns the data corresponding to the data authority to the user, so as to realize data isolation, including: after the SAAS system receives the second login request, userToken of the user is created, a session is generated, and the tenant identification of the user is stored in the user information of the user.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or nonvolatile memory, such as read only memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises that element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims (3)

1. A multi-tenant implementation method based on an SSO user architecture, the method comprising:
acquiring a first login request of a user through an SSO background management system; adding tenants through the SSO background management system, and generating a tenant identifier for each tenant;
for each tenant identifier, associating and binding a corresponding system, and adding resources under that system;
for each tenant identifier, adding and associating a user and a user identifier corresponding to the tenant identifier;
determining the tenant identifier corresponding to the user according to the first login request, which comprises:
after the user inputs login information on a login page, acquiring the first login request of the user through the SSO background management system and invoking a request interceptor to obtain the first login request, wherein the request interceptor intercepts the login information input by the user at login, performs a login judgment on the user according to that login information, and queries the basic data of the user in a user table; parsing the first login request with a user information parser, wherein the user information parser splits and parses the user login information to obtain the user information carried by the first login request, and the user information comprises the tenant identifier corresponding to the user; the authority of the user is obtainable through the tenant identifier;
creating a second login request of the user for the SaaS system based on the tenant identifier, wherein the second login request carries the tenant identifier; adding a tenant identifier field to each data table in the SaaS system database; adding a tenant to the SSO system, creating a unique identifier of the tenant in the database after the tenant has been added to the SSO system, configuring and binding the resources of the SaaS system to the tenant, adding a tenant unique identifier field to the SaaS system database, acquiring the tenant unique identifier of the user when the user logs in to the SaaS system, and querying the authority of the user logging in to the SaaS system through the tenant unique identifier;
the SaaS system determining the data authority of the user according to the second login request and returning the data corresponding to that data authority to the user, so as to realize data isolation;
wherein creating the second login request of the user for the SaaS system based on the tenant identifier comprises:
adding the tenant identifier to each SQL statement by an automatic filler, so as to automatically create the second login request of the user for the SaaS system;
after the user request thread obtains the tenant identifier, performing SQL semantic analysis and interception for the database through an SQL analyzer, and adding a tenant unique identifier condition to each SQL statement through the automatic filler, thereby achieving multi-tenant data isolation in the shared database, shared schema and shared data table mode in the system, wherein the schema is the framework of the database and is equivalent to one database service after the database system is installed; and finally a service processor returns the database data corresponding to the tenant according to the user request;
wherein creating the second login request of the user for the SaaS system based on the tenant identifier further comprises:
for each user, creating an independent thread, wherein the threads corresponding to different users are isolated from each other;
wherein the SaaS system determining the data authority of the user according to the second login request and returning the data corresponding to that data authority to the user so as to realize data isolation comprises:
after the SaaS system receives the second login request, creating a UserToken of the user, generating a session, and storing the tenant identifier of the user in the user information of the user.
2. A multi-tenant implementation apparatus based on an SSO user architecture, the apparatus comprising a processor configured to perform the method of claim 1.
3. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of claim 1 when executing the computer program.
Application CN202210448360.2A, priority date 2022-04-26, filing date 2022-04-26: Multi-tenant implementation method, processor and device based on SSO user system. Status: Active.

Publications (2)

Publication Number Publication Date
CN114826738A 2022-07-29
CN114826738B 2024-06-18

Family ID: 82508367

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111400676A * 2020-02-28 2020-07-10 平安国际智慧城市科技股份有限公司 Service data processing method, device, equipment and medium based on sharing authority

Family Cites Families (6)

Publication number Priority date Publication date Assignee Title
CN103036856A * 2011-10-09 2013-04-10 镇江金软计算机科技有限责任公司 Multi-tenant system achievement based on software as a service (SAAS) application
US11323432B2 * 2019-07-08 2022-05-03 Bank Of America Corporation Automatic login tool for simulated single sign-on
CN111079131A * 2019-12-20 2020-04-28 金卡智能集团股份有限公司 Method and system for authorization and control of authority of cross-company service
US11475154B2 * 2020-02-21 2022-10-18 Raytheon Company Agent-based file repository indexing and full-text faceted search system
CN111641675A * 2020-04-28 2020-09-08 深圳壹账通智能科技有限公司 Multi-tenant access service implementation method, device, equipment and storage medium
CN111861140A * 2020-06-28 2020-10-30 微民保险代理有限公司 Service processing method, device, storage medium and electronic device

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
  Effective date of registration: 20230413
  Address after: Room 1501, No. 108, Dingxin Road, Haizhu District, Guangzhou City, Guangdong Province, 510000
  Applicant after: Guangzhou Xinjing Information Technology Service Co.,Ltd.
  Address before: 510000 room B338, No. 364, middle Industrial Avenue, Haizhu District, Guangzhou, Guangdong Province
  Applicant before: Tiangong Xinchuang (Guangzhou) Information Technology Co.,Ltd.
GR01 Patent grant