CN111259378B - Multi-tenant management system and implementation method thereof - Google Patents

Publication number
CN111259378B
Authority
CN
China
Prior art keywords
tenant, user, information, opentsdb, cluster
Legal status
Active
Application number
CN202010017855.0A
Other languages
Chinese (zh)
Other versions
CN111259378A (en)
Inventor
钟文杰
吕文栋
洪毅清
Current Assignee
CCB Finetech Co Ltd
Original Assignee
CCB Finetech Co Ltd
Application filed by CCB Finetech Co Ltd
Priority to CN202010017855.0A
Publication of CN111259378A
Application granted
Publication of CN111259378B

Abstract

The invention discloses a multi-tenant management system and an implementation method thereof, relating to the technical field of computers. One embodiment of the system comprises: an OpenTSDB cluster, a management module and a verification module; the OpenTSDB cluster is used for deploying at least one application program; the management module is arranged on the OpenTSDB cluster and used for receiving a tenant creating request and creating the tenant and the users, user groups and roles corresponding to the tenant; the verification module is used for receiving the user login request and authenticating the user to be logged in according to the user login request. According to the implementation method, data storage can be optimized, the efficiency of data query can be greatly improved, the use of storage space is reduced, the effect of completely realizing the resource isolation of the OpenTSDB cluster is achieved, and the user experience is improved.

Description

Multi-tenant management system and implementation method thereof
Technical Field
The invention relates to the technical field of computers, in particular to a multi-tenant management system and an implementation method of the multi-tenant management system.
Background
Multi-tenant technology is a software architecture technology for sharing the same system or program components in a multi-user environment while ensuring the isolation of data among users. With economic and social development and people's growing understanding of information technology, tenants' personalized requirements on the system are increasingly common, and their requirements on system security are increasingly high. In addition, most tenants are small and medium-sized enterprises facing urgent requirements for cost reduction and efficiency improvement, so multi-tenant technology is all the more important for them. The OpenTSDB cluster has functions related to multi-tenancy, providing resource isolation capability so that multiple users can share the same OpenTSDB cluster.
Because the underlying storage of the OpenTSDB cluster is HBase, in the prior art the OpenTSDB cluster-based multi-tenant technology implements isolation through the capabilities of HBase itself; specifically, resource isolation may be implemented in three ways, namely Namespace & ACL, Quota, and RSGroup.
In the process of implementing the invention, the inventor finds that at least the following problems exist in the prior art: the resource isolation of the cluster comprises the isolation of storage resources and computing resources, but in the prior art, the resource isolation is only for the bottom-layer storage HBase, the resource isolation of the OpenTSDB cluster cannot be completely realized, and the user experience is poor.
Disclosure of Invention
In view of this, embodiments of the present invention provide a multi-tenant management system and an implementation method of the multi-tenant management system, which can optimize data storage, greatly improve data query efficiency and reduce the use of storage space, achieve the effect of completely implementing resource isolation of an OpenTSDB cluster, and improve user experience.
To achieve the above object, according to a first aspect of an embodiment of the present invention, a multi-tenant management system is provided.
The multi-tenant management system of the embodiment of the invention comprises: an OpenTSDB cluster, a management module and a verification module; the OpenTSDB cluster is used for deploying at least one application program; the management module is arranged on the OpenTSDB cluster and used for receiving a tenant creating request and creating the tenant and a user, a user group and a role corresponding to the tenant; the verification module is used for receiving a user login request and authenticating a user to be logged in according to the user login request.
Optionally, the creating of the tenant and the user, the user group, and the role corresponding to the tenant includes: creating a unique identification of the tenant on a management interface, and setting resource information, permission information and storage information of the tenant according to the unique identification of the tenant; after the tenant is created, the user group and the role corresponding to the tenant are created on a tenant control interface corresponding to the tenant.
Optionally, the management module is further configured to: and modifying the resource information, the permission information and the storage information on a tenant control interface corresponding to the tenant according to the specific setting requirement corresponding to the tenant.
Optionally, the resource information includes: maximum resource information corresponding to the tenant, minimum resource information corresponding to the tenant, and resource pool weight information corresponding to the tenant; the permission information includes: information on the number of running application programs corresponding to the tenant and queue identification information corresponding to the tenant; and the storage information includes: storage space quota information corresponding to the tenant, storage path information corresponding to the tenant, and information on the number of stored files corresponding to the tenant.
Optionally, the management module is further configured to: and when the user corresponding to the tenant is created, generating a password file corresponding to the user based on a computer network authorization protocol.
Optionally, the verification module is further configured to: inquiring a password file corresponding to the user to be logged in, and performing identity authentication on the user to be logged in by using the inquired password file; and if the identity authentication is passed, confirming that the user to be logged in successfully logs in the OpenTSDB cluster.
Optionally, the management module is further configured to: receiving a task request, and performing authority verification on the user to be logged in; if the authority passes the verification, determining the target data authority and the target resource authority of the user to be logged in relative to the task to be executed; and executing the task to be executed on the OpenTSDB cluster according to the target data authority and the target resource authority.
Optionally, the management module is further configured to: and viewing the running state of the OpenTSDB cluster in real time through the management interface, and monitoring the OpenTSDB cluster.
To achieve the above object, according to a second aspect of the embodiments of the present invention, an implementation method of a multi-tenant management system is provided.
The implementation method of the multi-tenant management system of the embodiment of the invention is applied to the multi-tenant management system, and the multi-tenant management system comprises: an OpenTSDB cluster, a management module and a verification module; the implementation method comprises the following steps: receiving a user login request through the verification module, and performing identity verification on a user to be logged in according to the user login request; if the identity authentication is passed, confirming that the user to be logged in successfully logs in the OpenTSDB cluster; sending a task request to the management module, and performing authority verification on the user to be logged in through the management module; if the authority verification is passed, determining the target data authority and the target resource authority of the user to be logged in relative to the task to be executed; and executing the task to be executed on the OpenTSDB cluster according to the target data authority and the target resource authority.
Optionally, the implementation method further includes: the management module receives a tenant creating request, and creates a tenant and a user, a user group and a role corresponding to the tenant.
Optionally, the creating, by the management module, a tenant and a user, a user group, and a role corresponding to the tenant includes: creating a unique identification of the tenant on a management interface, and setting resource information, permission information and storage information of the tenant according to the unique identification of the tenant; after the tenant is created, the user group and the role corresponding to the tenant are created on a tenant control interface corresponding to the tenant.
Optionally, the resource information includes: maximum resource information corresponding to the tenant, minimum resource information corresponding to the tenant, and resource pool weight information corresponding to the tenant; the permission information includes: information on the number of running application programs corresponding to the tenant and queue identification information corresponding to the tenant; and the storage information includes: storage space quota information corresponding to the tenant, storage path information corresponding to the tenant, and information on the number of stored files corresponding to the tenant.
Optionally, the implementation method further includes: and the management module modifies the resource information, the permission information and the storage information on a tenant control interface corresponding to the tenant according to the specific setting requirement corresponding to the tenant.
Optionally, the implementation method further includes: and when the management module creates the user corresponding to the tenant, generating a password file corresponding to the user based on a computer network authorization protocol.
Optionally, the performing identity authentication on the user to be logged in according to the user login request includes: inquiring a password file corresponding to the user to be logged in, and performing identity authentication on the user to be logged in by using the inquired password file; and if the identity authentication is passed, confirming that the user to be logged in successfully logs in the OpenTSDB cluster.
One embodiment of the above invention has the following advantages or benefits: the multi-tenant management system provided by the embodiment of the invention has the OpenTSDB cluster, which can optimize data storage, greatly improve the efficiency of data query and reduce the use of storage space, and has the management module, through which users can create tenants and specifically set the resource information, the permission information and the storage information of the tenants, so that the effect of completely realizing the resource isolation of the OpenTSDB cluster is achieved. In addition to the permission level of open source OpenTSDB, a password file is generated using a computer network authorization protocol, which adds authentication and strengthens the security of the OpenTSDB cluster. In addition, the multi-tenant management system of the embodiment of the invention integrates Ambari, HDFS, YARN and OpenTSDB, forms a complete multi-tenant cluster mode, is suitable for large-scale use by enterprises, and improves user experience.
Further effects of the above-mentioned non-conventional alternatives will be described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a block diagram of a multi-tenant management system according to an embodiment of the invention;
FIG. 2 is a schematic diagram of a multi-tenant schema;
FIG. 3 is a schematic diagram of a main flow of an implementation method of a multi-tenant management system according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the main steps of the method by which the management module 102 creates the tenant and the user, user group and role corresponding to the tenant according to the embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
In multi-tenant technology, a tenant refers to a customer using a system or computing resources. The tenant also covers all data in the system that can be identified as belonging to a designated user, for example all accounts and statistical information, the various data the user has built in the system, and the user's customized application environment. A tenant uses an application system or computing resources developed or built by a supplier, and the application system designed by the supplier can accommodate more than one user in the same environment. For multiple users' environments to share the same application program and computing environment, the application program and the computing environment must be specially designed: besides letting the system platform run multiple identical applications simultaneously, protecting the privacy and security of tenant data is one of the keys of multi-tenant technology.
Multi-tenant technology is mainly realized by isolating the application environments and the data of different tenants, so that the applications of different tenants do not interfere with each other and the data is sufficiently secure. With economic and social development and people's growing understanding of information technology, tenants' individual requirements on a system are increasingly common and their security requirements are increasingly high; in addition, the tenants are small and medium-sized enterprises facing urgent requirements for cost reduction and efficiency improvement. Because OpenTSDB is a time series database based on HBase (HBase being a distributed, column-oriented open source database) that optimizes data storage, it can greatly improve the efficiency of data query and reduce the use of storage space, so more and more enterprises adopt OpenTSDB clusters for data processing. In addition, the OpenTSDB cluster has a number of multi-tenant functions and provides resource isolation capability so that multiple users can share the same OpenTSDB cluster. OpenTSDB is a distributed, scalable, open source time series database based on HBase. OpenTSDB consists of the TSD (time series daemon) and a series of command line tools. The TSD receives user requests and stores time series data in HBase. TSDs are independent of each other and share no state, so the system can be scaled out arbitrarily according to its load.
The OpenTSDB database is provided to users as a cluster, and some problems inevitably occur in use, mainly in the following two aspects. (1) As more and more users use the same OpenTSDB cluster, the read and write operations of different users, or operations such as associations between different tables, may interfere with each other; the advantage of storing all service tables in one cluster is that the resources of the whole cluster can be well utilized and only one operation and maintenance system is needed. (2) If each service or department uses its own OpenTSDB cluster, the number of OpenTSDB clusters keeps growing, which directly increases operation and maintenance costs. In addition, separating clusters wastes resources: some clusters have excess resources while others have too few, so cluster resources cannot be fully utilized. The advantage of separating clusters by service or department is that the influence between different tables and different users is well isolated.
The underlying storage of OpenTSDB is HBase, and in the current technical solution isolation is realized through the capabilities of HBase. In HBase, creating a namespace is a very lightweight operation, and placing the tables of different services in different namespaces is the simplest method of isolating resources. Common resource isolation mechanisms such as ACL, Quota and RSGroup can also be set on a namespace. Resource isolation can thus be realized in three ways: Namespace & ACL, Quota, and RSGroup.
In the prior art, the multi-tenant technology based on the OpenTSDB cluster only isolates the resources of the underlying HBase storage; the resource isolation of the OpenTSDB cluster cannot be completely realized, and the user experience is poor. In order to solve the above problem, embodiments of the present invention provide a multi-tenant management system and an implementation method of the multi-tenant management system. FIG. 1 is a schematic block diagram of a multi-tenant management system according to an embodiment of the present invention, and as shown in FIG. 1, a multi-tenant management system 100 according to an embodiment of the present invention may include: an OpenTSDB cluster 101, a management module 102, and a verification module 103.
The OpenTSDB cluster 101 can be used to deploy at least one application; the management module 102 is disposed on the OpenTSDB cluster 101, and may be configured to receive a tenant creation request, create a tenant, and create a user, a user group, and a role corresponding to the tenant; the verification module 103 may be configured to receive a user login request, and authenticate a user to be logged in according to the user login request.
In the embodiment of the present invention, at least one application may be deployed on the OpenTSDB cluster 101, and each application may be regarded as one service, that is, at least one service is equivalently deployed on the OpenTSDB cluster 101, so that different requirements of multiple tenants may be met. The plurality of services may be a plurality of operation manners, or a plurality of services, and the like, which is not limited in the embodiment of the present invention. Since at least one application is deployed on the OpenTSDB cluster 101, tasks may be performed on the OpenTSDB cluster 101.
The multi-tenant technology based on the OpenTSDB cluster mainly considers the problem of resource permissions: if a user acquires the resource permissions of the OpenTSDB cluster, the user can execute tasks on the OpenTSDB cluster. Therefore, the management module 102 of the multi-tenant management system 100 according to the embodiment of the present invention is disposed on the OpenTSDB cluster 101, and may be configured to receive a tenant creation request, and create a tenant and a user, a user group, and a role corresponding to the tenant. Specifically, after the management module 102 receives the tenant creation request, it creates the tenant and the user, user group and role corresponding to the tenant. For ease of understanding, the structure of the multi-tenant schema is introduced first; FIG. 2 is a schematic diagram of the multi-tenant schema. As can be seen from FIG. 2, one tenant may have multiple roles and users, and one user may have multiple roles and tenants, where the roles give the user the authority to operate functions. A tenant represents the set of resources owned by the account; the total resources occupied by all the tenants do not exceed the total resources of the cluster; a plurality of user groups and users can be opened under a tenant; and authority is controlled by roles.
In the embodiment of the present invention, a tenant may refer to a user enterprise accessing the OpenTSDB cluster-based multi-tenant management system, in which information is independent between tenants. The tenant information includes the name, address and other relevant information of the tenant enterprise, and is mainly used for distinguishing tenants and managing the account state of each tenant; the tenant information is introduced in detail below. In addition, each tenant can select the functional modules of the OpenTSDB cluster-based multi-tenant management system according to its needs and pay accordingly.
And the user, also called a tenant user, performs related service management according to the distributed authority and the role of the user. Each tenant user can only access the functional module of the OpenTSDB cluster-based multi-tenant management system selected by the tenant. If a system user has a plurality of roles, the user can only see the data under the current role, and can view the data information under other roles through role switching.
And the roles, also called tenant roles, are divided according to the service functions, and after the roles are divided, authority can be distributed to the corresponding roles. The roles have a relationship of upper and lower levels, the upper level can check the data of the lower level, the lower level cannot access the data of the upper level, and the levels cannot access each other. A grouping layer can be added on the role upper layer, such as departments or teams, and the like, the data range of different groups is different, and resources and operations can be shared or isolated.
Taking the example that a certain employee of the company needs to apply for the reimbursement of business expenses to the financial department of the company, the relationship among the tenant, the user and the role is explained. The user representative is employee a who holds relevant information such as name, job number, email, etc., and the project groups belong to different tenants. Employee a may belong to several different project groups simultaneously. When employee a makes a request for a business allowance, he must specify a project group to which he belongs. The role defines the authority the employee has in a certain project group, such as what fee can be reimbursed and what cannot be reimbursed.
The management module 102 of the embodiment of the present invention may be configured to receive a tenant creation request, and create a tenant and a user, a user group, and a role corresponding to the tenant. The concrete implementation is as follows: creating a unique identification of the tenant on a management interface, and setting resource information, permission information and storage information of the tenant according to the unique identification of the tenant; after the tenant is created, the user group and the role corresponding to the tenant are created on the tenant control interface corresponding to the tenant. In the embodiment of the present invention, Ambari (i.e., a web-based tool that supports provisioning, management, and monitoring of a cluster) may be used as the management page of the OpenTSDB cluster. When a tenant is newly created on the management page, a unique identifier (e.g., a tenant name) of the tenant needs to be set, and then resource information, permission information, and storage information of the tenant are set according to the unique identifier. After a tenant is newly created, a user group and a role under the tenant can be created on the tenant control interface corresponding to the tenant.
In this embodiment of the present invention, the resource information may include: maximum resource information (including the number of CPU cores and the memory) corresponding to the tenant, minimum resource information (including the number of CPU cores and the memory) corresponding to the tenant, and resource pool weight information (i.e., priority of use) corresponding to the tenant; the permission information may include: information on the number of running application programs corresponding to the tenant (namely, the maximum number of tasks submitted by the users) and the queue identification information corresponding to the tenant (namely, the names of the queues the tenant is permitted to use); and the storage information may include: the storage space quota information corresponding to the tenant (i.e., the maximum storage space), the storage path information corresponding to the tenant (equivalent to the directories the tenant is permitted to store into), and the information on the number of stored files corresponding to the tenant (i.e., the maximum number of stored files).
Specifically, in the embodiment of the present invention, YARN and HDFS may be used to implement isolation of computing resources and storage resources respectively. The YARN Fair Scheduler divides the available resources of the whole YARN cluster into a plurality of resource pools, and each resource pool can be configured with minimum and maximum resource information (memory and CPU), the number of running applications (namely, the maximum number of simultaneously running applications), resource weight information, the users allowed to submit and manage applications, and the like.
HDFS Quota includes the name quota and the space quota. The name quota is a limit on the number of file and directory names in the current directory tree. If the quota is exceeded, file and directory creation fails. Quotas stick with renamed directories; if a rename operation would result in a quota violation, the rename operation fails. The space quota is a limit on the number of bytes used by files in the directory tree. If the quota does not allow a complete block to be written, the block allocation fails. Each replica of a block counts against the quota. Quotas stick with renamed directories; if a rename operation would result in a quota violation, the rename operation fails.
It should be further noted that, after a tenant is newly created, the management module 102 in the embodiment of the present invention may also modify the set information according to the specific requirements of the tenant. Thus, as a reference embodiment, the management module 102 may further be configured to: modify the resource information, the permission information and the storage information on the tenant control interface corresponding to the tenant according to the specific setting requirement corresponding to the tenant. The specific setting requirement is equivalent to the personalized setting requirement of the tenant; modifying the tenant information on the tenant control page corresponding to the tenant improves the practicability of the multi-tenant management system and the user experience.
After creating the tenant, users under the tenant may be created, wherein in an embodiment of the present invention, the management module 102 may be further configured to: when a user corresponding to the tenant is created, generate a password file corresponding to the user based on a computer network authorization protocol. The computer network authorization protocol may be Kerberos, with which machine-level security authentication, that is, service-to-service authentication, may be implemented. The machines in the cluster are manually added to the Kerberos database by an administrator in advance, password files (namely, keytabs) of the host and the nodes are respectively generated on the KDC, and the keytabs are distributed to the corresponding nodes. Through the keytab files, the nodes can obtain from the KDC the key for communicating with the target node and are then authenticated by the target node, so that corresponding services are provided and the possibility of impersonation is prevented. In the embodiment of the invention, after a new user is created in the OpenTSDB cluster, a corresponding keytab file is generated immediately, and the user has the authority to use the cluster after authenticating with the keytab file. Specifically, authentication is performed with the Kerberos authentication tool by providing the keytab file and executing the authentication statement.
The management module 102 in the embodiment of the present invention generates the password file corresponding to the user based on the computer network authorization protocol when the user corresponding to the tenant is created. Therefore, the verification module 103 may also be configured to: query the password file corresponding to a user to be logged in, and perform identity authentication on the user to be logged in by using the queried password file; and if the identity authentication is passed, confirm that the user to be logged in successfully logs in to the OpenTSDB cluster. That is to say, in the embodiment of the present invention, since the Kerberos authentication tool is configured, the keytab file corresponding to the user is generated when the user is created. Therefore, after a user login request is received, the keytab file corresponding to the user can be queried and then used to verify the identity of the login user; if the verification is passed, the user successfully logs in to the OpenTSDB cluster.
In the embodiment of the present invention, the OpenTSDB cluster-based multi-tenant management system may also verify the permission of the user, that is, after the user submits a task request, determine whether the user has the permission to execute the task. Therefore, the management module 102 may also be configured to: receive a task request, and perform authority verification on the user to be logged in; if the authority verification is passed, determine the target data authority and the target resource authority of the user to be logged in relative to the task to be executed; and execute the task to be executed on the OpenTSDB cluster according to the target data authority and the target resource authority.
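One way to express the authority check described above together with the role rules stated earlier (an upper-level role may view lower-level data; lower-level and peer roles may not), as an added example that is not part of the patent. The class, role and queue names and the single-parent role tree are assumptions, and the user is taken to be already authenticated.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Role:
    tenant: str
    name: str
    parent: Optional[str] = None      # upper-level role in the same tenant
    queues: frozenset = frozenset()   # queues that tasks under this role may use


class TenantDirectory:
    """Hypothetical in-memory store of roles and user-to-role grants."""

    def __init__(self, roles, grants):
        self.roles = {(r.tenant, r.name): r for r in roles}
        self.grants = grants          # user -> set of (tenant, role name)

    def is_same_or_upper(self, tenant, actor, owner):
        """True if `actor` is `owner` or one of its upper-level roles."""
        seen, cur = set(), owner
        while cur is not None and cur not in seen:   # `seen` guards against cycles
            if cur == actor:
                return True
            seen.add(cur)
            role = self.roles.get((tenant, cur))
            cur = role.parent if role else None
        return False

    def authorize(self, user, tenant, active_role, owner_role, queue):
        """Decide one task request; returns (allowed, reason)."""
        key = (tenant, active_role)
        # Tenant boundary: the active role must exist in this tenant and be granted.
        if key not in self.roles or key not in self.grants.get(user, set()):
            return False, "role not granted to this user in this tenant"
        if (tenant, owner_role) not in self.roles:
            return False, "data owner is not a role of this tenant"
        # Target data authority: own data or data of lower-level roles only.
        if not self.is_same_or_upper(tenant, active_role, owner_role):
            return False, "data belongs to an upper-level or peer role"
        # Target resource authority: the queue must be permitted for the role.
        if queue not in self.roles[key].queues:
            return False, "queue not permitted for this role"
        return True, "ok"


# Constructed sample data (not from the patent).
ROLES = [
    Role("acme", "manager", None, frozenset({"acme"})),
    Role("acme", "analyst", "manager", frozenset({"acme"})),
    Role("acme", "auditor", "manager", frozenset({"acme"})),
    Role("globex", "manager", None, frozenset({"globex"})),
]
GRANTS = {
    "alice": {("acme", "manager")},
    "bob": {("acme", "analyst"), ("acme", "auditor")},
    "carol": {("globex", "manager")},
}
DIRECTORY = TenantDirectory(ROLES, GRANTS)

if __name__ == "__main__":
    for request in [("alice", "acme", "manager", "analyst", "acme"),
                    ("bob", "acme", "analyst", "auditor", "acme"),
                    ("carol", "acme", "manager", "analyst", "acme")]:
        print(request, "->", DIRECTORY.authorize(*request))
```

The second request is denied until the user switches the active role to `auditor`, which matches the statement that a user with several roles sees only the data under the current role.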
In addition, in this embodiment of the present invention, themanagement module 102 may further be configured to: and through a management interface, the running state of the OpenTSDB cluster is checked in real time, and the OpenTSDB cluster is monitored. Therefore, the running state of the cluster can be detected in real time, and the problems of the cluster can be detected.
To summarize, from the perspective of the management end, first login Ambari management interface, click to create tenant. When a tenant is created, the name of the tenant, the maximum resource information of the YARN queue, the maximum number information of the applications running at the same time, the minimum resource information, the queue name information, the resource pool weight information, the storage space quota information of the HDFS, the storage path information and the file upper limit information need to be filled. After the tenant is newly built, the YARN resource queue and the size can be selected to be modified on the tenant control page, and parameters such as an HDFS storage path and a storage space can be modified. Users, groups of users, and roles can then be created under this tenant. Multiple users and user groups can be created on the creation page for use by different users within the enterprise. When a user is created, keryos is configured, so that the keylab corresponding to the user can be automatically generated, the user can use the keylab for authentication and then has the authority to use the cluster, the use authority of each user can be limited through roles, and operation and maintenance of managers are facilitated. In the embodiment of the invention, the technologies can be packaged and displayed in a visualized form on an Ambari management page. Meanwhile, the running state of the cluster can be checked in real time on a monitoring page, the problems of the cluster are monitored, and a query account can be provided for a user so that the user can query relevant information conveniently.
In the angle of user use, firstly, the keytab file generated when the user is created is used for identity authentication, then the cluster use permission of the user is judged according to the specific task request, and the specific task permission corresponding to the user is further searched, so that the user can directly enter a command line mode for use or directly submit the task. Meanwhile, because the monitoring log is generated in the process of executing the task, the log information can be inquired on the management interface to judge the execution condition of the task.
The multi-tenant management system provided by the embodiment of the invention has the OpenTSDB cluster, can optimize data storage, can greatly improve the efficiency of data query and reduce the use of storage space, and has the management module which can create tenants by users, specifically sets the resource information, the permission information and the storage information of the tenants, so that the effect of completely realizing the resource isolation of the OpenTSDB cluster is achieved. And on the basis of the open source OpenTSDB level right, a password file is generated by using a computer network authorization protocol, which is equivalent to increasing authentication and strengthening the security of an OpenTSDB cluster. In addition, the multi-tenant management system of the embodiment of the invention integrates Ambari, HDFS, YARN and OpenTSDB, forms a complete multi-tenant cluster mode, is suitable for large-scale use of enterprises, and improves user experience.
Fig. 3 is a schematic diagram of a main flow of an implementation method of the multi-tenant management system according to an embodiment of the present invention. The implementation method of the multi-tenant management system of the embodiment of the invention can be applied to the multi-tenant management system, wherein the multi-tenant management system can comprise: the OpenTSDB cluster 101, the management module 102 and the verification module 103. As shown in fig. 3, a main flow of an implementation method of a multi-tenant management system according to an embodiment of the present invention may include:
step S301, receiving a user login request through the verification module 103, and performing identity verification on a user to be logged in according to the user login request;
step S302, if the identity authentication is passed, the authentication module 103 confirms that the user to be logged in successfully logs in the OpenTSDB cluster;
step S303, the verification module 103 sends a task request to the management module 102, and the authority of the user to be logged in is verified through the management module 102;
step S304, if the authority passes the verification, the management module 102 determines the target data authority and the target resource authority of the user to be logged in relative to the task to be executed;
in step S305, the management module 102 executes the task to be executed on the OpenTSDB cluster according to the target data permission and the target resource permission.
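The flow of steps S301 to S305 can be sketched as follows. This is an added example, not code from the patent: an HMAC challenge stands in for Kerberos keytab authentication, and the names `Tenant`, `login`, `submit_task`, the role names and the paths are all hypothetical.

```python
import hashlib
import hmac
import posixpath
import secrets
from dataclasses import dataclass

@dataclass
class Tenant:
    queue: str               # target resource permission: YARN queue (assumed name)
    storage_path: str        # target data permission: HDFS path prefix
    max_running_apps: int
    role_actions: dict       # role name -> set of allowed actions
    running_apps: int = 0

TENANTS, KEYS, ROLES, SESSIONS = {}, {}, {}, {}

def create_user(user, tenant, role):
    """Create the user and its key material together, as the description does."""
    KEYS[user] = secrets.token_bytes(32)   # stand-in for the keytab file
    ROLES[user] = (tenant, role)
    return KEYS[user]

def prove(key, challenge):
    """Proof of key possession; real Kerberos would go through the KDC."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def login(user, challenge, response):
    """S301/S302: look up the user's key file and verify identity."""
    key = KEYS.get(user)
    if key is None or not hmac.compare_digest(prove(key, challenge), response):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = user
    return token

def submit_task(token, action, path):
    """S303-S305: permission check, then data and resource permission."""
    user = SESSIONS.get(token)
    if user is None:
        return ("denied", "not logged in")
    tenant_name, role = ROLES[user]
    tenant = TENANTS[tenant_name]
    if action not in tenant.role_actions.get(role, set()):
        return ("denied", "role lacks action")
    root = tenant.storage_path.rstrip("/")
    target = posixpath.normpath(path)      # collapse ".." before comparing
    if target != root and not target.startswith(root + "/"):
        return ("denied", "path outside tenant storage")
    if tenant.running_apps >= tenant.max_running_apps:
        return ("denied", "tenant application limit reached")
    tenant.running_apps += 1
    return ("accepted", tenant.queue)

def demo():
    # Constructed sample tenant and user.
    TENANTS["tenant_a"] = Tenant("root.tenant_a", "/tenants/tenant_a", 1,
                                 {"analyst": {"read"}, "writer": {"read", "write"}})
    key = create_user("alice", "tenant_a", "analyst")
    challenge = secrets.token_bytes(16)
    bad = login("alice", challenge, prove(b"\0" * 32, challenge))
    token = login("alice", challenge, prove(key, challenge))
    return [bad is None,
            submit_task(token, "write", "/tenants/tenant_a/m")[1],
            submit_task(token, "read", "/tenants/tenant_a/../tenant_b/m")[1],
            submit_task(token, "read", "/tenants/tenant_a/m"),
            submit_task(token, "read", "/tenants/tenant_a/m")[1]]

if __name__ == "__main__":
    print(demo())
```

The ordering matters: the role check and the path normalisation both run before any queue slot is consumed, so a denied request cannot exhaust the tenant's application limit.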
In this embodiment of the present invention, the method for implementing the multi-tenant management system may further include: the management module 102 receives a tenant creating request, and creates a tenant and a user, a user group and a role corresponding to the tenant.
In the embodiment of the present invention, the creating, by the management module 102, the tenant and the user, user group, and role corresponding to the tenant may include: creating a unique identification of the tenant on a management interface, and setting resource information, permission information and storage information of the tenant according to the unique identification of the tenant; after the tenant is created, the user group and the role corresponding to the tenant are created on the tenant control interface corresponding to the tenant.
In this embodiment of the present invention, the resource information may include: maximum resource information corresponding to the tenant, minimum resource information corresponding to the tenant, and resource pool weight information corresponding to the tenant; the permission information may include: information on the number of running application programs corresponding to the tenant and queue identification information corresponding to the tenant; and the storage information may include: storage space quota information corresponding to the tenant, storage path information corresponding to the tenant and stored file quantity information corresponding to the tenant.
In this embodiment of the present invention, the method for implementing the multi-tenant management system may further include: the management module 102 modifies the resource information, the permission information and the storage information in a tenant control interface corresponding to the tenant according to the specific setting requirement corresponding to the tenant.
In this embodiment of the present invention, the method for implementing the multi-tenant management system may further include: when creating a user corresponding to a tenant, the management module 102 generates a password file corresponding to the user based on a computer network authorization protocol.
It can be seen that, in the implementation method of the embodiment of the present invention, the creation of the tenant and its corresponding information by the management module is the main part. Fig. 4 is a schematic diagram of main steps of a method for creating a tenant and a user, a user group and a role corresponding to the tenant by the management module 102 according to an embodiment of the present invention. As shown in fig. 4, the main steps of the method for creating a tenant and a user, a user group, and a role corresponding to the tenant by the management module 102 according to the embodiment of the present invention may include:
step S401, the management module 102 creates a unique identification of the tenant on the management interface, and sets resource information, permission information and storage information of the tenant according to the unique identification of the tenant;
step S402, the management module 102 determines whether the tenant has a specific setting requirement, if yes, step S403 is executed, and if no, step S404 is executed;
step S403, the management module 102 modifies the resource information, the permission information, and the storage information in the tenant control interface corresponding to the tenant according to the specific setting requirement corresponding to the tenant;
step S404, the management module 102 creates a user corresponding to the tenant on a tenant control interface corresponding to the tenant, and generates a password file corresponding to the user based on a computer network authorization protocol;
in step S405, the management module 102 creates a user group and a role corresponding to the tenant on the tenant control interface corresponding to the tenant.
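One way the tenant fields set in steps S401 to S404 could map onto cluster configuration, as an added example that is not the patent's own implementation. It assumes the YARN Fair Scheduler queue format, the `hdfs dfsadmin` quota commands and MIT Kerberos `kadmin`; the realm, directories and the names `TenantSpec` and `provision` are placeholders.

```python
import re
from dataclasses import dataclass

NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")
REALM = "EXAMPLE.COM"                  # placeholder realm (assumption)
TENANT_ROOT = "/tenants"               # assumed parent of tenant storage paths
KEYTAB_DIR = "/etc/security/keytabs"   # assumed keytab location

@dataclass(frozen=True)
class TenantSpec:
    name: str               # unique identification, reused as the queue name
    min_mb: int             # minimum resource information
    min_vcores: int
    max_mb: int             # maximum resource information
    max_vcores: int
    max_running_apps: int   # number of applications running at the same time
    weight: float           # resource pool weight
    space_quota_bytes: int  # HDFS storage space quota
    file_limit: int         # HDFS name quota: files plus directories

def validate(spec, users):
    """Reject values that are inconsistent or unsafe to place in a command."""
    errors = []
    for label, value in [("tenant", spec.name)] + [("user", u) for u in users]:
        if not NAME_RE.fullmatch(value):
            errors.append(f"{label} name {value!r} is not a safe identifier")
    if spec.min_mb > spec.max_mb or spec.min_vcores > spec.max_vcores:
        errors.append("minimum resources exceed maximum resources")
    if min(spec.min_mb, spec.min_vcores) < 0 or spec.weight <= 0:
        errors.append("resources must be non-negative and weight positive")
    if min(spec.max_running_apps, spec.space_quota_bytes, spec.file_limit) < 1:
        errors.append("application limit and HDFS quotas must be at least 1")
    return errors

def queue_xml(spec):
    """Fair Scheduler queue element carrying the tenant's resource limits."""
    return (f'<queue name="{spec.name}">'
            f"<minResources>{spec.min_mb} mb,{spec.min_vcores} vcores</minResources>"
            f"<maxResources>{spec.max_mb} mb,{spec.max_vcores} vcores</maxResources>"
            f"<maxRunningApps>{spec.max_running_apps}</maxRunningApps>"
            f"<weight>{spec.weight}</weight></queue>")

def provision(spec, users):
    """Return the queue definition and argv lists; nothing is executed here."""
    errors = validate(spec, users)
    if errors:
        raise ValueError("; ".join(errors))
    path = f"{TENANT_ROOT}/{spec.name}"
    commands = [
        ["hdfs", "dfs", "-mkdir", "-p", path],
        ["hdfs", "dfsadmin", "-setQuota", str(spec.file_limit), path],
        ["hdfs", "dfsadmin", "-setSpaceQuota", str(spec.space_quota_bytes), path],
    ]
    for user in users:
        principal = f"{user}@{REALM}"
        commands.append(["kadmin", "-q", f"addprinc -randkey {principal}"])
        commands.append(["kadmin", "-q",
                         f"ktadd -k {KEYTAB_DIR}/{user}.keytab {principal}"])
    return {"queue": queue_xml(spec), "commands": commands}
```

Commands are returned as argument lists rather than shell strings, and tenant and user names are checked against a strict pattern first, so a name typed into the management interface cannot alter the command or the queue definition.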
In addition, in the embodiment of the present invention, the performing identity authentication on the user to be logged in according to the user login request may include: inquiring a password file corresponding to a user to be logged in, and performing identity authentication on the user to be logged in by using the inquired password file; and if the identity authentication is passed, confirming that the user to be logged in successfully logs in the OpenTSDB cluster.
In the implementation method of the multi-tenant management system in the embodiment of the present invention, because the system has the OpenTSDB cluster, the optimization of data storage can be performed, the efficiency of data query can be greatly improved, and the use of storage space can be reduced, and the management module can create the tenant by the user, including specifically setting the resource information, permission information, and storage information of the tenant, so as to achieve the effect of completely implementing the resource isolation of the OpenTSDB cluster. And on the basis of the open source OpenTSDB cluster, a password file is generated by using a computer network authorization protocol, which is equivalent to increasing authentication and enhancing the security of the OpenTSDB cluster. In addition, the multi-tenant management system of the embodiment of the invention integrates Ambari, HDFS, YARN and OpenTSDB, can form a complete multi-tenant cluster mode, is suitable for large-scale use of enterprises, and improves user experience.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (11)

the management module is arranged on the OpenTSDB cluster and used for receiving a tenant creating request, creating a unique identification of the tenant on a management interface, and setting resource information, permission information and storage information of the tenant according to the unique identification of the tenant; the resources comprise computing resources and storage resources, the Yarn and the HDFS are respectively used for realizing the isolation of the computing resources and the storage resources, the available resources of the Yarn are divided into a plurality of resource pools, corresponding information is configured for each resource pool, and the HDFS comprises the limitation on the number of files and directory names in the current directory tree and the limitation on the number of bytes used by the files in the directory tree;
the management module receives a tenant establishing request, and establishes a tenant and a user, a user group and a role corresponding to the tenant; the method comprises the following steps of establishing a tenant and a user, a user group and a role corresponding to the tenant, wherein the user, the user group and the role comprise: creating a unique identification of the tenant on a management interface, and setting resource information, permission information and storage information of the tenant according to the unique identification of the tenant; the resources comprise computing resources and storage resources, the Yarn and the HDFS are respectively used for realizing the isolation of the computing resources and the storage resources, the available resources of the Yarn are divided into a plurality of resource pools, corresponding information is configured for each resource pool, and the HDFS comprises the limitation on the number of files and directory names in the current directory tree and the limitation on the number of bytes used by the files in the directory tree;
CN202010017855.0A | 2020-01-08 | 2020-01-08 | Multi-tenant management system and implementation method thereof | Active | CN111259378B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202010017855.0A CN111259378B (en) | 2020-01-08 | 2020-01-08 | Multi-tenant management system and implementation method thereof

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202010017855.0A CN111259378B (en) | 2020-01-08 | 2020-01-08 | Multi-tenant management system and implementation method thereof

Publications (2)

Publication Number | Publication Date
CN111259378A (en) | 2020-06-09
CN111259378B (en) | 2023-04-07

Family

ID=70945094

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202010017855.0A (Active) CN111259378B (en) | Multi-tenant management system and implementation method thereof | 2020-01-08 | 2020-01-08

Country Status (1)

Country | Link
CN (1) | CN111259378B (en)


Also Published As

Publication number | Publication date
CN111259378A (en) | 2020-06-09


Legal Events

Date | Code | Title | Description
PB01 | Publication
SE01 | Entry into force of request for substantive examination
TA01 | Transfer of patent application right
  Effective date of registration: 20220921
  Address after: 12 / F, 15 / F, 99 Yincheng Road, China (Shanghai) pilot Free Trade Zone, Pudong New Area, Shanghai, 200120
  Applicant after: Jianxin Financial Science and Technology Co.,Ltd.
  Address before: 25 Financial Street, Xicheng District, Beijing 100033
  Applicant before: CHINA CONSTRUCTION BANK Corp.
  Applicant before: Jianxin Financial Science and Technology Co.,Ltd.
GR01 | Patent grant
