CN112653665A - Data isolation interaction method and system based on cloud service - Google Patents


Publication number: CN112653665A
Authority: CN (China)
Prior art keywords: user, tenant, information, enterprise, library
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202011337780.0A
Other languages: Chinese (zh)
Inventors: 郑刚, 罗秀, 许钰, 胡凯利, 侯方, 黄晓秋
Current Assignee: Guangzhou Aerospace Software Branch Of Aerospace Information Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Guangzhou Aerospace Software Branch Of Aerospace Information Co ltd
Priority date: 2020-11-25 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2020-11-25
Publication date: 2021-04-13
Application filed by Guangzhou Aerospace Software Branch Of Aerospace Information Co ltd
Priority to CN202011337780.0A
Publication of CN112653665A

Abstract

The invention discloses a data isolation interaction method and system based on cloud service, belonging to the technical field of data security. The method comprises the following steps: storing the basic information of a user or tenant in a central library, and storing the service information of the user or tenant in an enterprise library; after a login request is acquired, retrieving the basic information of the user or tenant stored in the central library, and verifying the identity of the user or tenant against the basic information and the login request; if the identity verification succeeds, returning the user or tenant number; after the service information is acquired, establishing a connection between the user or tenant and the enterprise library, and caching the established connection as a link; and acquiring a service request from the user or tenant, obtaining service data through the cached link, and returning the service data to the user or tenant to complete the isolated interaction of the data. With the invention, a newly added user needs only an added enterprise library image and configuration for data interaction to be carried out.

Description

Data isolation interaction method and system based on cloud service
Technical Field
The invention relates to the technical field of data security, in particular to a data isolation interaction method and system based on cloud service.
Background
With the development of internet technology, more and more enterprises are beginning to develop SaaS services, or expect that their business systems can be turned into public cloud services to create revenue. Many enterprises and technology companies cooperate to develop SaaS products in this field, and many projects pursue a multi-tenant business model. In the SaaS model, a service provider offers software as a service: the application is deployed uniformly on the provider's servers, customers pay as needed according to their actual requirements, and users purchase web-based software instead of installing it on their own computers, so they do not need to maintain and manage the software regularly. A SaaS platform needs a shared data center that serves most customers with a single system architecture, offering identical or even customized services, while still guaranteeing normal use of each customer's data.
This brings a new challenge: how to design application data to support multiple tenants. The design has to balance data sharing, security isolation and performance.
However, in current practice in the field of enterprise internet services, no uniform scheme has emerged for how tenants implement data isolation of tenant services.
The invention aims to solve the problem of how tenants realize data isolation of tenant services in the field of enterprise internet services, so as to support service products of different levels.
Disclosure of Invention
The invention aims to solve the problem how tenants and users realize data isolation of services in the field of enterprise internet services and support the realization of service products of different levels, and provides a data isolation interaction method based on cloud services, which comprises the following steps:
acquiring basic information and business information of a user or a tenant, storing the basic information of the user or the tenant into a central library, and storing the business information of the user or the tenant into an enterprise library;
when a user or a tenant accesses the cloud service platform through a client, the cloud service platform returns a normally running service to the tenant or the user according to load configuration, a login request of the user or the tenant is obtained through the normally running service, basic information of the user or the tenant stored in a central library is called after the login request is obtained, and the identity of the user or the tenant is verified according to the basic information and the login request;
if the identity verification of the user or the tenant is successful, returning the user or tenant number of the user or the tenant;
searching and acquiring the service information of the user or the tenant stored in the enterprise library through the user or the tenant number of the user or the tenant, establishing the connection between the user or the tenant and the enterprise library after acquiring the service information, and caching the established connection in a link form;
and acquiring a service request of a user or a tenant, acquiring service data according to the cached link, and returning the service data to the user or the tenant to finish the isolated interaction of the data.
Optionally, the basic information includes number information of the user or the tenant, and account opening information of the user or lease information of the tenant.
Optionally, the enterprise library comprises a plurality of enterprise libraries, and the business information of each user or tenant is stored in one enterprise library;
the central library is built with a dual-master architecture.
Optionally, the connection between the user or the tenant and the enterprise library is established by establishing connection between the user or the tenant and the enterprise library storing the service information of the user or the tenant.
Optionally, the load configuration is configured according to the number of times that the user or the tenant accesses the cloud service platform or requests the service data, and the standard configuration or the load balancing configuration is performed according to the size of the access or request amount.
The invention also provides a data isolation interaction system based on the cloud service, which comprises:
the information acquisition module is used for acquiring basic information and business information of the user or the tenant, storing the basic information of the user or the tenant into the central library and storing the business information of the user or the tenant into the enterprise library;
the verification module is used for returning a normally running service to the tenant or the user according to the load configuration when the user or the tenant accesses the cloud service platform through the client, acquiring a login request of the user or the tenant through the normally running service, calling basic information of the user or the tenant stored in the central library after acquiring the login request, and verifying the identity of the user or the tenant according to the basic information and the login request;
the information return module is used for returning the user or tenant number of the user or tenant when the identity verification of the user or tenant is successful;
the business request module is used for searching and acquiring the business information of the user or the tenant stored in the enterprise library through the user or the tenant number of the user or the tenant, establishing the connection between the user or the tenant and the enterprise library after the business information is acquired, and caching the established connection in a link form;
and the data interaction module is used for acquiring the service request of the user or the tenant, acquiring service data according to the cached link, returning the service data to the user or the tenant and finishing the isolated interaction of the data.
Optionally, the basic information includes number information of the user or the tenant, and account opening information of the user or lease information of the tenant.
Optionally, the enterprise library comprises a plurality of enterprise libraries, and the business information of each user or tenant is stored in one enterprise library;
the central library is built with a dual-master architecture.
Optionally, the connection between the user or the tenant and the enterprise library is established by establishing connection between the user or the tenant and the enterprise library storing the service information of the user or the tenant.
Optionally, the load configuration is configured according to the number of times that the user or the tenant accesses the cloud service platform or requests the service data, and the standard configuration or the load balancing configuration is performed according to the size of the access or request amount.
With the invention, a newly added user needs only an added enterprise library image and configuration for data interaction to be carried out;
the central library uses a dual-master architecture in which both masters provide service at the same time behind a load balancing configuration, so that a failure of one master library does not affect the service; this is transparent to the service layer, requires no change to code or configuration, and improves read-write performance compared with a single service;
the enterprise libraries used in the invention are independent image instances that do not affect one another and are convenient to maintain later.
Drawings
FIG. 1 is a flow chart of a data isolation interaction method based on cloud services according to the present invention;
FIG. 2 is a schematic diagram illustrating a data isolation interaction method based on cloud services according to the present invention;
FIG. 3 is a structural diagram of a data isolation interaction system based on cloud services according to the present invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings. The present invention may, however, be embodied in many different forms and is not limited to the embodiments described herein, which are provided so that the disclosure is thorough and complete and fully conveys the scope of the invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, the same units/elements are denoted by the same reference numerals.
Unless otherwise defined, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Further, it will be understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
The invention provides a data isolation interaction method based on cloud service, as shown in fig. 1, comprising the following steps:
acquiring basic information and business information of a user or a tenant, storing the basic information of the user or the tenant into a central library, and storing the business information of the user or the tenant into an enterprise library;
when a user or a tenant accesses the cloud service platform through a client, the cloud service platform returns a normally running service to the tenant or the user according to load configuration, a login request of the user or the tenant is obtained through the normally running service, basic information of the user or the tenant stored in a central library is called after the login request is obtained, and the identity of the user or the tenant is verified according to the basic information and the login request;
if the identity verification of the user or the tenant is successful, returning the user or tenant number of the user or the tenant;
searching and acquiring the service information of the user or the tenant stored in the enterprise library through the user or the tenant number of the user or the tenant, establishing the connection between the user or the tenant and the enterprise library after acquiring the service information, and caching the established connection in a link form;
and acquiring a service request of a user or a tenant, acquiring service data according to the cached link, and returning the service data to the user or the tenant to finish the isolated interaction of the data.
The basic information comprises user or tenant number information, and account opening information of the user or lease information of the tenant.
The system comprises an enterprise library and a central library, wherein the enterprise library comprises a plurality of enterprise libraries, and business information of each user or tenant is stored in one enterprise library;
the central library is built with a dual-master architecture.
The connection between the user or the tenant and the enterprise library is established between the user or the tenant and the enterprise library that stores the service information of that user or tenant.
The load configuration is configured according to the times of accessing the cloud service platform or requesting service data by a user or a tenant, and standard configuration or load balancing configuration is performed according to the size of the access or request quantity.
The principle of the implementation of the method of the present invention is described below with reference to FIG. 2.
As shown in FIG. 2, a user accesses the cloud service platform through a client (step 1), and the cloud service platform returns a normally running service according to the load configuration (step 2) (step 3). The user clicks the login button to initiate a login request (step 4). The cloud service platform acquires the user data from the central library and verifies the user's login information (step 5), then returns the verification result and the user's zhbh (step 6). If the verification is successful (step 7), the enterprise library information is acquired from the central library through the user's zhbh (step 8) (step 9) (step 10), a connection is established to the enterprise library corresponding to the user (step 11), and the link is cached (step 12). The user can then send a service request by operating on the cloud service platform (step 13); the cloud service platform acquires the service data through the cached database link and returns the data (step 14) (step 15), completing normal service interaction.
The central library, the enterprise libraries and the load balancing are now introduced in detail.
Central library: mainly used for storing user information, tenant lease information and some common configuration information. For example, besides the basic user information fields, the user information table must have a tenant number field (zhbh), and besides the basic database connection fields, the database connection information table must also have a zhbh field. zhbh is mainly used to distinguish enterprises and to ensure that later business operations connect to the corresponding enterprise library.
Multi-enterprise library: the enterprise libraries store the business information data of each enterprise, and a corresponding database must be established for each enterprise/tenant, namely an enterprise 1 database, an enterprise 2 database, … and an enterprise N database. A user logs in through a client, the corresponding zhbh is acquired from the user table of the central library, the database connection string of the enterprise to which the current user belongs is acquired from the database connection information table according to the zhbh, and that database is connected to perform business operations for the enterprise.
Server load balancing: whether multiple server clusters are needed is decided according to the access capacity that tenants and users require. Load balancing distributes access requests among the server groups and eliminates load imbalance among servers, improving the response speed and the overall performance of the system;
load balancing can also monitor the operating state of the servers, discover an abnormally running server in time, and transfer access requests to other servers that are working normally, improving the reliability of the server group. After a load balancer is adopted, servers can be added flexibly as traffic grows, which improves the expansion capability of the system and simplifies management.
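An added illustration of the zhbh routing described above (login against the central library, connection-string lookup by zhbh, cached link), not code from the patent. Table and column names other than zhbh, the session token, the PBKDF2 credential check and the SQLite files standing in for enterprise libraries are assumptions, and all sample data is constructed.

```python
import hashlib
import hmac
import os
import sqlite3
import tempfile


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: the patent does not say how login credentials are stored;
    # salted PBKDF2 is used so the example holds no plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CloudPlatform:
    """Routes each session to its own enterprise library via the central library."""

    def __init__(self, central: sqlite3.Connection):
        self.central = central  # central library: users + db_connections tables
        self.sessions = {}      # session token -> zhbh, written only by login()
        self.links = {}         # zhbh -> cached enterprise-library connection

    def login(self, username: str, password: str):
        """Steps 4-12: verify against the central library, then cache the link."""
        row = self.central.execute(
            "SELECT zhbh, salt, pw_hash FROM users WHERE username = ?", (username,)
        ).fetchone()
        # Hash even for unknown users so both failure paths cost the same.
        zhbh, salt, stored = row if row else (None, b"\x00" * 16, b"")
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return None
        self.link_for(zhbh)
        token = os.urandom(16).hex()
        self.sessions[token] = zhbh
        return token

    def link_for(self, zhbh: str) -> sqlite3.Connection:
        """Steps 8-12: resolve the connection string by zhbh and cache the link."""
        link = self.links.get(zhbh)
        if link is None:
            row = self.central.execute(
                "SELECT conn_str FROM db_connections WHERE zhbh = ?", (zhbh,)
            ).fetchone()
            if row is None:
                raise LookupError(f"no enterprise library registered for {zhbh}")
            link = self.links[zhbh] = sqlite3.connect(row[0])
        return link

    def service_request(self, token: str, claimed_zhbh=None):
        """Steps 13-15: the link is chosen from the session, never from the request."""
        zhbh = self.sessions.get(token)
        if zhbh is None:
            raise PermissionError("unknown session")
        if claimed_zhbh is not None and claimed_zhbh != zhbh:
            # A tenant number supplied by the client must not select the database.
            raise PermissionError("tenant number does not match session")
        rows = self.link_for(zhbh).execute("SELECT item FROM orders ORDER BY item")
        return [r[0] for r in rows]


def build_demo() -> CloudPlatform:
    """Constructed sample data: two tenants, one enterprise library file each."""
    workdir = tempfile.mkdtemp(prefix="tenant-demo-")
    central = sqlite3.connect(":memory:")
    central.executescript(
        "CREATE TABLE users(username TEXT PRIMARY KEY, zhbh TEXT NOT NULL,"
        " salt BLOB NOT NULL, pw_hash BLOB NOT NULL);"
        "CREATE TABLE db_connections(zhbh TEXT PRIMARY KEY, conn_str TEXT NOT NULL);"
    )
    tenants = {
        "T001": ("alice", "alice-pw", ["ent1-invoice-001", "ent1-invoice-002"]),
        "T002": ("bob", "bob-pw", ["ent2-invoice-001"]),
    }
    for zhbh, (user, password, items) in tenants.items():
        path = os.path.join(workdir, f"enterprise_{zhbh}.db")
        ent = sqlite3.connect(path)  # one independent database per tenant
        ent.execute("CREATE TABLE orders(item TEXT)")
        ent.executemany("INSERT INTO orders VALUES (?)", [(i,) for i in items])
        ent.commit()
        ent.close()
        salt = os.urandom(16)
        central.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                        (user, zhbh, salt, hash_password(password, salt)))
        central.execute("INSERT INTO db_connections VALUES (?, ?)", (zhbh, path))
    central.commit()
    return CloudPlatform(central)


if __name__ == "__main__":
    platform = build_demo()
    session = platform.login("alice", "alice-pw")
    print(platform.service_request(session))
```

The isolation property rests on the cache key: the link is looked up by the zhbh that login() bound to the session, so a tenant number carried in a later request cannot redirect a query to another enterprise library.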
The invention further provides a data isolation interaction system 200 based on cloud service, as shown in FIG. 3, including:
the information acquisition module 201 is used for acquiring basic information and service information of a user or a tenant, storing the basic information of the user or the tenant into a central library, and storing the service information of the user or the tenant into an enterprise library;
the verification module 202 is used for returning a normally running service to the tenant or the user according to the load configuration when the user or the tenant accesses the cloud service platform through the client, acquiring a login request of the user or the tenant through the normally running service, calling basic information of the user or the tenant stored in the central repository after acquiring the login request, and verifying the identity of the user or the tenant according to the basic information and the login request;
the information returning module 203 is used for returning the user or tenant number of the user or tenant when the identity verification of the user or tenant is successful;
the service request module 204 searches and acquires service information of the user or the tenant stored in the enterprise library through the user or the tenant number of the user or the tenant, establishes connection between the user or the tenant and the enterprise library after acquiring the service information, and caches the established connection in a link form;
and the data interaction module 205 acquires the service request of the user or the tenant, acquires the service data according to the cached link, and returns the service data to the user or the tenant to complete the isolated interaction of the data.
The basic information comprises user or tenant number information, and account opening information of the user or lease information of the tenant.
The system comprises an enterprise library and a central library, wherein the enterprise library comprises a plurality of enterprise libraries, and business information of each user or tenant is stored in one enterprise library;
the central library is built with a dual-master architecture.
The connection between the user or the tenant and the enterprise library is established between the user or the tenant and the enterprise library that stores the service information of that user or tenant.
The load configuration is configured according to the times of accessing the cloud service platform or requesting service data by a user or a tenant, and standard configuration or load balancing configuration is performed according to the size of the access or request quantity.
With the invention, a newly added user needs only an added enterprise library image and configuration for data interaction to be carried out;
the central library uses a dual-master architecture in which both masters provide service at the same time behind a load balancing configuration, so that a failure of one master library does not affect the service; this is transparent to the service layer, requires no change to code or configuration, and improves read-write performance compared with a single service;
the enterprise libraries used in the invention are independent image instances that do not affect one another and are convenient to maintain later.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The scheme in the embodiments of the application can be implemented in various computer languages, such as the object-oriented programming language Java and the interpreted scripting language JavaScript.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

Application CN202011337780.0A | Priority date 2020-11-25 | Filing date 2020-11-25 | Data isolation interaction method and system based on cloud service | Pending | CN112653665A (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202011337780.0A, CN112653665A (en) | 2020-11-25 | 2020-11-25 | Data isolation interaction method and system based on cloud service

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202011337780.0A, CN112653665A (en) | 2020-11-25 | 2020-11-25 | Data isolation interaction method and system based on cloud service

Publications (1)

Publication Number | Publication Date
CN112653665A (en) | 2021-04-13

Family

ID=75349983

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202011337780.0A (Pending), CN112653665A (en) | Data isolation interaction method and system based on cloud service | 2020-11-25 | 2020-11-25

Country Status (1)

Country | Link
CN (1) | CN112653665A (en)

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication

Application publication date: 2021-04-13

