
CN114417300A - Multi-tenant user access control system and method - Google Patents


Info

Publication number: CN114417300A
Authority: CN (China)
Application number: CN202210024575.1A
Original language: Chinese (zh)
Legal status: Pending
Inventors: 孙光涛, 陈尧, 张永皋
Assignee: Inspur Cloud Information Technology Co Ltd
Prior art keywords: tenant, user, application, database, access control


Classifications

    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/31 User authentication
    • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The invention discloses a multi-tenant user access control system and method in the technical field of web applications. It aims to solve the technical problem of achieving tenant isolation between application systems and controlling the access rights of tenant users, so as to guarantee the security of the application systems. The technical scheme is as follows: the system comprises a tenant management module, a multi-application system and a user authentication module, where the tenant management module and the multi-application system use independent databases; single sign-on is possible among the multiple application systems, and each application system has a unique application identifier; the tenant management module is used for tenant management of the multi-application system, which includes creating tenants and authorizing tenants to access applications; the multi-application system is used to provide services to tenant users; and the user authentication module is embedded in each application system and uses Keycloak to achieve data isolation between different tenants and permission control for different users. The invention also discloses a multi-tenant user access control method.

Description

Multi-tenant user access control system and method

Technical field

The invention relates to the technical field of Web applications, and in particular to a multi-tenant user access control system and method.

Background

With the rapid development of Internet technology, more and more application software vendors provide SaaS services. Security problems emerge constantly, and as security awareness grows, users place ever higher demands on the security of application systems. Multi-tenancy is one measure for achieving tenant isolation and improving the security of application systems. Multi-tenancy is usually implemented either by adding a tenant attribute field to the application system's data tables or by deploying a separate application system for each tenant. The former is highly intrusive to the application system, and because the database resources are shared, tenants of an application system that consumes many database resources affect each other's performance. Deploying a separate application system for each tenant, on the other hand, is costly.

Therefore, how to achieve tenant isolation between application systems and control the access rights of tenant users, so as to guarantee the security of each application system, is a technical problem that urgently needs to be solved.

Summary of the invention

The technical task of the present invention is to provide a multi-tenant user access control system and method that solves the problem of how to achieve tenant isolation between application systems and control the access rights of tenant users, so as to guarantee the security of each application system.

The technical task of the present invention is achieved in the following manner: a multi-tenant user access control system comprising a tenant management module, a multi-application system and a user authentication module, where the tenant management module and the multi-application system use independent databases; single sign-on is possible among the multiple application systems, and each application system has a unique application identifier;

the tenant management module is used for tenant management of the multi-application system; tenant management of the multi-application system includes creating tenants and authorizing tenants to access applications;

the multi-application system is used to provide services to tenant users;

the user authentication module is embedded in each application system and uses Keycloak to achieve data isolation between different tenants and permission control for different users.

Preferably, when the tenant management module creates a tenant, it adds the attributes authorizedApps, tenantCode, tenantId, expiredTime and userType to the Keycloak user attributes; these represent, respectively, the application systems the tenant is authorized to access, the tenant code, the tenant's unique ID, the tenant's expiry time and the user type;

where tenantCode is an 8-character unique random string; tenantId is a 36-character UUID; expiredTime is the time until which the tenant is allowed to access the applications; and userType is the user type, whose value is tenant for a tenant and user for a user under that tenant.

More preferably, when the tenant management module creates a user, it creates for the tenant, according to the application systems the user is authorized to access, an application database for each such application system and a tenant user database, and initializes the application configuration information and the tenant configuration information; the multiple application systems a tenant is authorized to access share one tenant user database;

Application configuration information includes the application dictionary configuration, application menu permissions and application interface permissions;

Tenant configuration information includes the tenant's default roles; the default roles include an administrator role for each application system, and the administrator role of each application system has all menu and interface permissions of the corresponding application system;

The tenant user database stores the tenant's users and the resource access control configuration information of each application system; this configuration information includes application menu permissions, application interface permissions, roles, the mapping between roles and permissions, and the mapping between users and roles;

The name of the application database of each tenant application system consists of two parts, the application identifier and the tenantCode, separated by an underscore;

The name of the tenant user database consists of two parts, the fixed identifier user and the tenantCode, separated by an underscore.

More preferably, each application system has a tenant access control filter; when a tenant user accesses an application system, the tenant access control filter switches to the tenant application database corresponding to that user and to the user database of the user's tenant, and authenticates the tenant's access;

The tenant access control filter is implemented with a Spring Filter, as follows:

(1) the tenant access control filter obtains the user's login token from the Authorization request header of the user's request;

(2) parse the authorizedApps attribute in the token;

(3) determine whether this attribute contains the current application identifier:

① if not, the user is denied access;

② if so, go to step (4);

(4) check whether the expiredTime attribute in the token is after the current time:

① if not, deny access;

② if so, go to step (5);

(5) determine whether the current request path contains the sys prefix:

① if so, switch the data source to the tenant user database;

② if not, switch the data source to the tenant application database.

More preferably, when creating a user, each application system obtains the authorizedApps, tenantCode, tenantId, expiredTime and userType attributes from the token:

if userType is user, the tenantId of the user being created is set to the tenantId in the token;

if userType is tenant, the tenantId of the user being created is set to the ID of the currently logged-in user;

the userType of the user being created is set to user, and the user attributes authorizedApps, tenantCode, tenantId and expiredTime are kept consistent with the corresponding values parsed from the token.

More preferably, each application system adopts an architecture in which the front-end page and the application back-end are separated; when a user accesses the front-end page, the front-end page calls the application back-end interface to obtain the user's menu and interface authorization permissions for the current application and stores them in a global variable;

The front-end page includes routing control: when the user requests any menu path, it first checks whether the user's authorized menus in the front-end global variable contain the path being accessed:

if so, access is allowed;

if not, the user is redirected to the default access-forbidden page;

Interface authorization permissions are implemented with Spring Security: a PreAuthorize annotation is added to every Controller, and the SpEL expression in the annotation calls a custom interface permission check method whose parameter is the interface permission identifier corresponding to that interface.
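The interface permission check described above, written out as an added example (not code from the patent): a Spring bean that @PreAuthorize calls through SpEL with the interface permission identifier as argument, failing closed when there is no authenticated principal. The package, the PermissionRepository interface and the permission identifier 'sys:user:list' are assumptions; the repository is assumed to read the role and permission mappings from the tenant user database (with dynamic-datasource, the @DS annotation can pin it to that data source when the request itself targets the application database).

```java
// Added example, not part of the patent. Requires method security to be enabled
// (@EnableMethodSecurity, or @EnableGlobalMethodSecurity(prePostEnabled = true) on older Spring Security).
package com.example.tenant.security;   // hypothetical package

import java.util.Set;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/** Hypothetical repository over the tenant user database (roles, role-permission and user-role tables). */
interface PermissionRepository {
    /** Interface permission identifiers granted to the given user through its roles. */
    Set<String> findInterfacePermissionsByUserId(String userId);
}

/** Referenced from SpEL as @apiPerm; the bean name is the only contract the annotation depends on. */
@Component("apiPerm")
public class ApiPermissionChecker {

    private final PermissionRepository permissions;

    public ApiPermissionChecker(PermissionRepository permissions) {
        this.permissions = permissions;
    }

    /**
     * True only if the currently authenticated user holds the given interface permission
     * identifier. Deny by default: a blank identifier, a missing or unauthenticated
     * Authentication, or a repository that returns null all evaluate to false.
     */
    public boolean has(String permissionId) {
        if (permissionId == null || permissionId.isBlank()) {
            return false;
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth.getName() == null) {
            return false;
        }
        // auth.getName() is the subject of the Keycloak token (the user's id) under the
        // resource-server configuration assumed here.
        Set<String> granted = permissions.findInterfacePermissionsByUserId(auth.getName());
        return granted != null && granted.contains(permissionId);
    }
}

/** Every controller method carries the identifier of the interface permission it requires. */
@RestController
class UserController {

    // 'sys:user:list' is a constructed example identifier; the real values live in the
    // application interface permission table initialised for the tenant.
    @PreAuthorize("@apiPerm.has('sys:user:list')")
    @GetMapping("/sys/users")
    public String listUsers() {
        return "[]";
    }
}
```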

A multi-tenant user access control method, specifically as follows:

S1. Create a tenant: specify the applications the tenant is authorized to access and the authorization expiry time;

S2. Create users for each tenant;

S3. Front-end page loading initialization and front-end routing control;

S4. Execute the tenant access control filter.

Preferably, creating a tenant in step S1 is specifically as follows:

S101. Generate a unique 8-character tenantCode (tenant code) for the tenant; when the tenant application database and user database are created, the tenantCode is used as the suffix of the database name;

S102. Set the tenant attribute userType to tenant;

S103. Set the tenant's authorized application attributes authorizedApps and expiredTime;

S104. Call Keycloak's user creation interface to complete creation of the user;

S105. Initialize the tenant user database;

S106. According to authorizedApps, initialize the corresponding application database and user database for each authorized application in turn; the application database and user database are initialized by executing pre-prepared DDL (Data Definition Language) and DML (Data Manipulation Language) statement scripts, which are executed with MyBatis' ScriptRunner;

Creating users for each tenant in step S2 is specifically as follows:

S201. Obtain the logged-in user's token and parse it;

S202. Determine whether tenantType is tenant:

① if so, go to step S203;

② if not, set the user's tenantId attribute to the tenantId in the token and jump to step S204;

S203. Set the user's tenantId attribute to the ID of the user in the token;

S204. Keep the user attributes authorizedApps, tenantCode, tenantId and expiredTime consistent with the corresponding values parsed from the token;

S205. Set the user's userType attribute to user.
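Steps S101 to S106 (tenant creation) and S201 to S205 (tenant user creation), written out as an added example that is not code from the patent. It assumes a Keycloak admin client for realm realmName, a JDBC DataSource adminDs allowed to create databases (MySQL-style CREATE DATABASE and setCatalog), scripts on the classpath under /db/ named user.sql and <appId>.sql, and that authorizedApps is stored comma-separated and expiredTime as epoch milliseconds; none of these formats are specified by the patent.

```java
// Added example, not part of the patent. Keycloak admin client and MyBatis ScriptRunner are used;
// package name, script locations and attribute encodings are assumptions.
package com.example.tenant.provisioning;   // hypothetical package

import java.io.InputStreamReader;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.Statement;
import java.time.Instant;
import java.util.*;
import java.util.regex.Pattern;
import javax.sql.DataSource;
import javax.ws.rs.core.Response;   // jakarta.ws.rs.core.Response on newer Keycloak client versions

import org.apache.ibatis.jdbc.ScriptRunner;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.representations.idm.UserRepresentation;

public class TenantProvisioner {
    private static final String ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789";
    private static final Pattern SAFE_ID = Pattern.compile("^[a-z][a-z0-9]{0,15}$");
    private static final SecureRandom RNG = new SecureRandom();

    private final Keycloak keycloak;
    private final String realmName;
    private final DataSource adminDs;

    public TenantProvisioner(Keycloak keycloak, String realmName, DataSource adminDs) {
        this.keycloak = keycloak;
        this.realmName = realmName;
        this.adminDs = adminDs;
    }

    /** S101: 8-character tenant code from a CSPRNG; lower-case alphanumerics keep it a valid DB-name suffix. */
    static String newTenantCode() {
        StringBuilder sb = new StringBuilder(8);
        for (int i = 0; i < 8; i++) sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        return sb.toString();
    }

    /** Application database: <appId>_<tenantCode>; tenant user database: user_<tenantCode>. */
    static String appDbName(String appId, String tenantCode) { return safe(appId) + "_" + safe(tenantCode); }
    static String userDbName(String tenantCode) { return "user_" + safe(tenantCode); }

    /** Database names are concatenated into DDL, so anything that is not a plain identifier is rejected. */
    private static String safe(String id) {
        if (id == null || !SAFE_ID.matcher(id).matches()) throw new IllegalArgumentException("unsafe identifier: " + id);
        return id;
    }

    /** S101-S106: create the tenant in Keycloak, then its user database and one application database per app. */
    public String createTenant(String username, List<String> authorizedApps, Instant expiredTime) throws Exception {
        String tenantCode = newTenantCode();
        String tenantId = UUID.randomUUID().toString();              // 36-character UUID
        authorizedApps.forEach(TenantProvisioner::safe);

        UserRepresentation tenant = new UserRepresentation();
        tenant.setUsername(username);
        tenant.setEnabled(true);
        Map<String, List<String>> attrs = new HashMap<>();
        attrs.put("userType", List.of("tenant"));                    // S102
        attrs.put("authorizedApps", List.of(String.join(",", authorizedApps)));   // S103
        attrs.put("expiredTime", List.of(String.valueOf(expiredTime.toEpochMilli())));
        attrs.put("tenantCode", List.of(tenantCode));
        attrs.put("tenantId", List.of(tenantId));
        tenant.setAttributes(attrs);
        try (Response r = keycloak.realm(realmName).users().create(tenant)) {   // S104
            if (r.getStatus() != 201) throw new IllegalStateException("Keycloak returned " + r.getStatus());
        }

        initDatabase(userDbName(tenantCode), "user.sql");             // S105
        for (String appId : authorizedApps) {                         // S106
            initDatabase(appDbName(appId, tenantCode), appId + ".sql");
        }
        return tenantCode;
    }

    /** Create the database, then run its DDL/DML script with MyBatis' ScriptRunner, stopping on the first error. */
    private void initDatabase(String dbName, String scriptName) throws Exception {
        try (Connection c = adminDs.getConnection(); Statement st = c.createStatement()) {
            st.execute("CREATE DATABASE " + dbName);                  // dbName already validated by safe()
            c.setCatalog(dbName);
            ScriptRunner runner = new ScriptRunner(c);
            runner.setStopOnError(true);
            try (Reader script = new InputStreamReader(
                    Objects.requireNonNull(getClass().getResourceAsStream("/db/" + scriptName)), StandardCharsets.UTF_8)) {
                runner.runScript(script);
            }
        }
    }

    /** S201-S205: the new user's tenant attributes come from the caller's verified token, never from the request body. */
    static UserRepresentation newTenantUser(String username, Map<String, String> tokenClaims, String callerUserId) {
        String tenantId = "tenant".equals(tokenClaims.get("userType"))
                ? callerUserId                                        // S203: the caller is the tenant itself
                : tokenClaims.get("tenantId");                        // S202 ②: the caller is a user under the tenant
        UserRepresentation u = new UserRepresentation();
        u.setUsername(username);
        u.setEnabled(true);
        Map<String, List<String>> attrs = new HashMap<>();
        attrs.put("tenantId", List.of(tenantId));
        attrs.put("authorizedApps", List.of(tokenClaims.get("authorizedApps")));   // S204
        attrs.put("tenantCode", List.of(tokenClaims.get("tenantCode")));
        attrs.put("expiredTime", List.of(tokenClaims.get("expiredTime")));
        attrs.put("userType", List.of("user"));                       // S205
        u.setAttributes(attrs);
        return u;
    }
}
```

The user attributes only reach the access token if the Keycloak client has a User Attribute protocol mapper for each of them; without those mappers the filter in step S4 has nothing to check.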

Preferably, front-end page loading initialization and front-end routing control in step S3 are specifically as follows:

S301. When the user accesses the front-end page, the front-end page calls the application back-end interface to obtain the user's menu and interface authorization permissions for the current application, stores them in a global variable, and completes page initialization; when the front-end framework is Angular, a service is defined and the authorized menus are stored in a property of that service to implement the global variable, which avoids the risk of user tampering that arises when they are stored in a cookie or in web storage such as session storage or local storage;

S302. When the user requests a menu path, obtain the authorized menu paths from the global variable;

S303. Check whether the user's authorized menus in the front-end global variable contain the path being accessed:

① if so, allow access and navigate to the requested menu page;

② if not, redirect to the default access-forbidden page.

For an Angular project, routing control is implemented with route guards: the user defines a class implementing the CanActivateChild and CanActivate interfaces, and then sets the canActivateChild and canActivate properties when configuring the routes.

Preferably, executing the tenant access control filter in step S4 is specifically as follows:

S401. The tenant access control filter obtains the user's login token from the Authorization request header of the user's request;

S402. Parse the token;

S403. Determine whether the authorizedApps attribute in the parsed token contains the current application identifier:

① if not, the user is denied access;

② if so, go to step S404;

S404. Check whether the expiredTime attribute in the token is after the current time:

① if not, the user is denied access;

② if so, go to step S405;

S405. Determine whether the current request path contains the sys prefix:

① if not, switch the data source to the tenant application database;

② if so, switch the data source to the tenant user database;

Data source switching is implemented with the multi-data-source library dynamic-datasource-spring-boot-starter; it suffices to add the dependency compile group: 'com.baomidou', name: 'dynamic-datasource-spring-boot-starter', version: '2.5.4' in build.gradle;

Execute DynamicDataSourceContextHolder.push(datasourceName) to switch the data source;

Execute DynamicDataSourceContextHolder.poll() to clear the data source setting;

where dataSourceName is the data source name; for the application database the data source name is appa_tenant01, and for the user database it is user_tenant01, where appa is the application identifier and tenant01 is the tenant code, i.e. the tenantCode.
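The tenant access control filter of steps (1) to (5) and S401 to S405, written as an added example (not the patent's code) using a Spring OncePerRequestFilter and the DynamicDataSourceContextHolder calls named above. It assumes the bearer token from the Authorization header has already been validated by Spring Security's OAuth2 resource-server filter (signature, issuer, exp), so this filter only reads claims from the resulting Jwt principal; the claim encodings (authorizedApps comma-separated, expiredTime as epoch milliseconds), the package and the appId configuration value are assumptions.

```java
// Added example, not part of the patent. Register it after Spring Security's bearer-token filter, e.g.
// http.addFilterAfter(new TenantAccessControlFilter("appa"), BearerTokenAuthenticationFilter.class).
package com.example.tenant.filter;   // hypothetical package

import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import java.util.Optional;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.baomidou.dynamic.datasource.toolkit.DynamicDataSourceContextHolder;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.filter.OncePerRequestFilter;

public class TenantAccessControlFilter extends OncePerRequestFilter {

    private final String appId;   // this application's unique identifier, e.g. "appa"

    public TenantAccessControlFilter(String appId) {
        this.appId = appId;
    }

    /**
     * Steps S403-S405 as a pure function: the data source to switch to, or empty to deny.
     * Kept free of servlet types so it can be unit-tested against constructed claim maps.
     */
    static Optional<String> selectDataSource(Map<String, Object> claims, String appId, String path, long nowMillis) {
        Object apps = claims.get("authorizedApps");
        Object tenantCode = claims.get("tenantCode");
        Object expired = claims.get("expiredTime");
        if (!(apps instanceof String) || !(tenantCode instanceof String) || expired == null) {
            return Optional.empty();                                   // missing claims fail closed
        }
        // S403: the application identifier must be one of the authorized apps (exact match, not substring,
        // so that "appa" is not satisfied by "appab").
        boolean authorized = Arrays.stream(((String) apps).split(","))
                .map(String::trim)
                .anyMatch(appId::equals);
        if (!authorized) {
            return Optional.empty();
        }
        // S404: the tenant's expiredTime must be strictly after the current time.
        long expiredMillis;
        try {
            expiredMillis = Long.parseLong(expired.toString());
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
        if (expiredMillis <= nowMillis) {
            return Optional.empty();
        }
        // S405: the sys prefix selects the tenant user database, anything else the tenant application database.
        boolean sys = path.equals("/sys") || path.startsWith("/sys/");
        String prefix = sys ? "user" : appId;
        return Optional.of(prefix + "_" + tenantCode);                 // e.g. user_tenant01 or appa_tenant01
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        // S401/S402: the token from the Authorization header was parsed and verified upstream;
        // an absent or non-JWT principal means no valid bearer token was presented.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !(auth.getPrincipal() instanceof Jwt)) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Jwt jwt = (Jwt) auth.getPrincipal();
        Optional<String> ds = selectDataSource(jwt.getClaims(), appId, req.getServletPath(), System.currentTimeMillis());
        if (ds.isEmpty()) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);           // S403 ① / S404 ①: deny
            return;
        }
        DynamicDataSourceContextHolder.push(ds.get());                 // switch to the tenant's data source
        try {
            chain.doFilter(req, res);
        } finally {
            DynamicDataSourceContextHolder.poll();                     // always clear, or the pooled thread keeps the tenant
        }
    }
}
```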

The multi-tenant user access control system and method of the present invention have the following advantages:

(1) The invention achieves tenant isolation and access permission control between application systems; through front-end menu permission control and back-end interface permission control it achieves flexible tenant user access permission control and guarantees the security of the system;

(2) The invention achieves isolation between tenants by creating different tenant application databases and tenant user databases for different tenants; the application systems share the tenant user database, and front-end menu permission control and back-end interface permission control improve the security of the system.

Description of drawings

The invention is further described below with reference to the accompanying drawings.

Figure 1 is the architecture diagram of the multi-tenant user access control system;

Figure 2 is the flow chart of the execution of the tenant access control filter;

Figure 3 is the flow chart of front-end page loading initialization;

Figure 4 is the flow chart of the execution of front-end routing control;

Figure 5 is the flow chart of creating a tenant;

Figure 6 is the flow chart of creating a tenant user.

Detailed description

The multi-tenant user access control system and method of the present invention are described in detail below with reference to the drawings and specific embodiments.

Embodiment 1:

As shown in Figure 1, the multi-tenant user access control system of the present invention comprises a tenant management module, a multi-application system and a user authentication module, where the tenant management module and the multi-application system use independent databases; single sign-on is possible among the multiple application systems, and each application system has a unique application identifier;

the tenant management module is used for tenant management of the multi-application system; tenant management of the multi-application system includes creating tenants and authorizing tenants to access applications;

the multi-application system is used to provide services to tenant users;

the user authentication module is embedded in each application system and uses Keycloak to achieve data isolation between different tenants and permission control for different users.

In this embodiment, when the tenant management module creates a tenant, it adds the attributes authorizedApps, tenantCode, tenantId, expiredTime and userType to the Keycloak user attributes; these represent, respectively, the application systems the tenant is authorized to access, the tenant code, the tenant's unique ID, the tenant's expiry time and the user type;

where tenantCode is an 8-character unique random string; tenantId is a 36-character UUID; expiredTime is the time until which the tenant is allowed to access the applications; and userType is the user type, whose value is tenant for a tenant and user for a user under that tenant.

In this embodiment, when the tenant management module creates a user, it creates for the tenant, according to the application systems the user is authorized to access, an application database for each such application system and a tenant user database, and initializes the application configuration information and the tenant configuration information; the multiple application systems a tenant is authorized to access share one tenant user database;

Application configuration information includes the application dictionary configuration, application menu permissions and application interface permissions;

Tenant configuration information includes the tenant's default roles; the default roles include an administrator role for each application system, and the administrator role of each application system has all menu and interface permissions of the corresponding application system;

The tenant user database stores the tenant's users and the resource access control configuration information of each application system; this configuration information includes application menu permissions, application interface permissions, roles, the mapping between roles and permissions, and the mapping between users and roles;

The name of the application database of each tenant application system consists of two parts, the application identifier and the tenantCode, separated by an underscore;

The name of the tenant user database consists of two parts, the fixed identifier user and the tenantCode, separated by an underscore.

The application database and the user database can be created on different database instances or on the same database instance, depending on the volume of the application's business data.

In this embodiment, each application system has a tenant access control filter; when a tenant user accesses an application system, the tenant access control filter switches to the tenant application database corresponding to that user and to the user database of the user's tenant, and authenticates the tenant's access;

As shown in Figure 2, the tenant access control filter in this embodiment is implemented with a Spring Filter, as follows:

(1)、租户访问控制过滤器从用户请求的Authorization请求头获取用户登录Token;(1) The tenant access control filter obtains the user login Token from the Authorization request header requested by the user;

(2)、解析Token中的authorizedApps属性;(2), parse the authorizedApps attribute in Token;

(3)、判断该属性中是否包含当前应用标识:(3), determine whether the attribute contains the current application ID:

①、若无,则禁止用户访问;①, if not, the user is prohibited from accessing;

②、若有,则执行步骤(4);②, if yes, execute step (4);

(4)、检查token中的expiredTime属性是否位于当前时间之后:(4), check whether the expiredTime attribute in the token is after the current time:

①、若否,则拒绝访问;①, if not, deny access;

②、若是,则执行步骤(5);②, if yes, then execute step (5);

(5)、判断当前请求路径是否包含sys前缀:(5), determine whether the current request path contains the sys prefix:

①、若是,则将数据源切换为租户用户数据库;①, if so, switch the data source to the tenant user database;

②、若否,则将数据源切换为租户应用数据库。②. If not, switch the data source to the tenant application database.

本实施例中的各应用系统在创建用户时,从token中获取authorizedApps、tenantCode、tenantId、expiredTime及userType属性:When creating a user, each application system in this embodiment obtains the attributes authorizedApps, tenantCode, tenantId, expiredTime and userType from the token:

若userType为user,则创建用户的tenantId设置为token中的tenantId;If userType is user, the tenantId of the created user is set to the tenantId in the token;

若userType为tenant,则创建用户的tenantId设置为当前登录用户的ID;If userType is tenant, the tenantId of the created user is set to the ID of the currently logged in user;

当前创建用户的userType设置为user,用户属性authorizedApps、tenantCode、tenantId及expiredTime和token中的相应解析值保持一致。The userType of the currently created user is set to user, and the user attributes authorizedApps, tenantCode, tenantId and expiredTime are consistent with the corresponding parsed values in the token.

本实施例中的各应用系统采用前端页面和应用后端分离的架构;用户访问前端页面时,前端页面调用应用后端接口获取用户当前应用的菜单和接口授权权限,并保存在全局变量中;Each application system in this embodiment adopts a structure in which the front-end page and the application back-end are separated; when the user accesses the front-end page, the front-end page calls the application back-end interface to obtain the menu and interface authorization rights of the user's current application, and saves them in a global variable;

前端页面包括路由控制,用户请求任一个菜单路径时,先检查前端全局变量中用户授权菜单中是否包含当前访问路径:The front-end page includes routing control. When the user requests any menu path, first check whether the user authorization menu in the front-end global variable contains the current access path:

若是,则允许访问;If yes, allow access;

若否,则跳转到默认禁止访问页面;If not, jump to the default forbidden access page;

接口授权权限利用SpringSecurity实现,在所有Controller上添加PreAuthorize注解,通过注解中的Spel表达式调用自定义接口权限校验方法,接口权限校验方法参数为该接口对应的接口权限标识。The interface authorization authority is implemented by SpringSecurity. The PreAuthorize annotation is added to all Controllers, and the custom interface authority verification method is called through the Spel expression in the annotation. The interface authority verification method parameter is the interface authority identifier corresponding to the interface.

Example 2:

The multi-tenant user access control method of the present invention is as follows:

S1. Create a tenant: specify the applications the tenant is authorized to access and the authorization expiration time;

S2. Create users for each tenant;

S3. Front-end page loading initialization and front-end routing control;

S4. Execute the tenant access control filter.

As shown in FIG. 5, creating a tenant in step S1 of this embodiment is as follows:

S101. Generate a unique 8-character tenantCode (tenant code) for the tenant; when the tenant's application databases and user database are created, the tenantCode is used as the suffix of the database name;

S102. Set the tenant attribute userType to tenant;

S103. Set the tenant's authorized-application attributes authorizedApps and expiredTime;

S104. Call Keycloak's user creation interface to complete creation of the user;

S105. Initialize the tenant user database;

S106. According to authorizedApps, initialize the corresponding application database and user database for each authorized application in turn; the application database and user database are initialized by executing pre-written DDL (Data Definition Language) and DML (Data Manipulation Language) script files, and the scripts are executed with MyBatis' ScriptRunner.
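Steps S101 to S106 as an added example (not the patent's own code), using the Keycloak admin client and MyBatis' ScriptRunner. Assumptions: the realm name, the classpath script locations (db/user-ddl.sql, db/<app>-ddl.sql and the DML counterparts), the hypothetical DatabaseConnections factory that opens a connection to a database by name, and a TenantRegistry lookup used to enforce tenantCode uniqueness.

```java
import java.io.InputStreamReader;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.sql.Connection;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.Response;
import org.apache.ibatis.jdbc.ScriptRunner;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.representations.idm.UserRepresentation;

public class TenantCreator {
    private static final String ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789";
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Hypothetical: opens a JDBC connection to the named database (e.g. user_ab12cd34). */
    interface DatabaseConnections { Connection open(String databaseName) throws Exception; }
    /** Hypothetical: knows the tenantCodes already issued. */
    interface TenantRegistry { boolean exists(String tenantCode); }

    private final Keycloak keycloak;
    private final String realm;
    private final DatabaseConnections databases;
    private final TenantRegistry registry;

    public TenantCreator(Keycloak keycloak, String realm, DatabaseConnections databases, TenantRegistry registry) {
        this.keycloak = keycloak; this.realm = realm; this.databases = databases; this.registry = registry;
    }

    /** S101: an 8-character code from a CSPRNG, re-drawn until it is unique among existing tenants. */
    String newTenantCode() {
        while (true) {
            StringBuilder sb = new StringBuilder(8);
            for (int i = 0; i < 8; i++) sb.append(ALPHABET.charAt(RANDOM.nextInt(ALPHABET.length())));
            if (!registry.exists(sb.toString())) return sb.toString();
        }
    }

    public String createTenant(String username, List<String> authorizedApps, String expiredTime) {
        // Application identifiers become part of database names: accept only a strict shape.
        for (String app : authorizedApps)
            if (!app.matches("[a-z0-9]{1,16}")) throw new IllegalArgumentException("bad application id: " + app);

        String tenantCode = newTenantCode();

        // S102/S103: tenant attributes are stored as Keycloak user attributes.
        UserRepresentation tenant = new UserRepresentation();
        tenant.setUsername(username);
        tenant.setEnabled(true);
        tenant.setAttributes(Map.of(
                "userType", List.of("tenant"),
                "tenantCode", List.of(tenantCode),
                "authorizedApps", authorizedApps,
                "expiredTime", List.of(expiredTime)));

        // S104: Keycloak's user creation interface; 201 means the user now exists.
        Response resp = keycloak.realm(realm).users().create(tenant);
        try {
            if (resp.getStatus() != 201) throw new IllegalStateException("Keycloak returned " + resp.getStatus());
        } finally {
            resp.close();
        }

        // S105: the shared tenant user database, named user_<tenantCode>.
        runScripts("user_" + tenantCode, "db/user-ddl.sql", "db/user-dml.sql");
        // S106: one application database per authorized application, named <app>_<tenantCode>.
        for (String app : authorizedApps)
            runScripts(app + "_" + tenantCode, "db/" + app + "-ddl.sql", "db/" + app + "-dml.sql");
        return tenantCode;
    }

    /** Runs the pre-written DDL/DML scripts in one transaction so a half-initialized database is not left behind. */
    private void runScripts(String databaseName, String... classpathScripts) {
        try (Connection conn = databases.open(databaseName)) {
            ScriptRunner runner = new ScriptRunner(conn);
            runner.setAutoCommit(false);
            runner.setStopOnError(true);
            for (String script : classpathScripts) {
                try (Reader reader = new InputStreamReader(
                        getClass().getClassLoader().getResourceAsStream(script), StandardCharsets.UTF_8)) {
                    runner.runScript(reader);
                }
            }
            conn.commit();
        } catch (Exception e) {
            throw new IllegalStateException("initialising " + databaseName + " failed", e);
        }
    }
}
```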

As shown in FIG. 6, creating users for each tenant in step S2 of this embodiment is as follows:

S201. Obtain the logged-in user's token and parse it;

S202. Determine whether userType is tenant:

①. If so, go to step S203;

②. If not, set the user's tenantId attribute to the tenantId in the token and jump to step S204;

S203. Set the user's tenantId attribute to the ID of the user in the token;

S204. Keep the user attributes authorizedApps, tenantCode, tenantId and expiredTime identical to the corresponding values parsed from the token;

S205. Set the user's userType attribute to user.

As shown in FIGS. 3 and 4, the front-end page loading initialization and front-end routing control of step S3 in this embodiment are as follows:

S301. When the user accesses the front-end page, the page calls the application back-end interface to obtain the user's menu permissions and interface permissions for the current application and stores them in a global variable, completing page initialization; when the front-end framework is Angular, a service is defined and the authorized menus are kept in a property of that service, which serves as the global variable; this avoids the tampering risk of keeping them in a cookie or in web storage such as session storage or local storage;

S302. When the user requests a menu path, obtain the authorized menu paths from the global variable;

S303. Check whether the authorized menus in the front-end global variable contain the requested path:

①. If so, allow access and navigate to the requested menu page;

②. If not, redirect to the default access-forbidden page.

For an Angular project, routing control is implemented with route guards: define a class that implements the CanActivateChild and CanActivate interfaces, and set the canActivateChild and canActivate properties when configuring the routes.

As shown in FIG. 2, executing the tenant access control filter in step S4 of this embodiment is as follows:

S401. The tenant access control filter obtains the user's login token from the Authorization request header of the user's request;

S402. Parse the token;

S403. Determine whether the authorizedApps attribute of the parsed token contains the current application identifier:

①. If not, the user is denied access;

②. If so, go to step S404;

S404. Check whether the expiredTime attribute in the token is later than the current time:

①. If not, the user is denied access;

②. If so, go to step S405;

S405. Determine whether the current request path carries the sys prefix:

①. If not, switch the data source to the tenant application database;

②. If so, switch the data source to the tenant user database;

Data source switching is implemented with the multi-data-source library dynamic-datasource-spring-boot-starter; it is enough to add the dependency compile group: 'com.baomidou', name: 'dynamic-datasource-spring-boot-starter', version: '2.5.4' in build.gradle;

Execute DynamicDataSourceContextHolder.push(datasourceName) to switch the data source;

Execute DynamicDataSourceContextHolder.poll() to cancel the data source setting;

Here dataSourceName is the data source name: for the application database it is appa_tenant01, and for the user database it is user_tenant01, where appa is the application identifier and tenant01 is the tenant code, i.e. the tenantCode.
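The filter of steps S401 to S405 as an added example (not the patent's own code), written as a Spring Filter on top of dynamic-datasource-spring-boot-starter 2.5.4 and nimbus-jose-jwt for claim parsing. Assumptions: the Keycloak adapter runs earlier in the filter chain and has already verified the token signature, so this filter only reads claims; expiredTime is an ISO-8601 string; the application identifier comes from the configuration property app.id.

```java
import java.io.IOException;
import java.text.ParseException;
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.util.List;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.baomidou.dynamic.datasource.toolkit.DynamicDataSourceContextHolder;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

@Component
public class TenantAccessControlFilter implements Filter {
    /** tenantCode is the 8-character database-name suffix; nothing of another shape may reach a data source name. */
    private static final Pattern TENANT_CODE = Pattern.compile("^[A-Za-z0-9]{8}$");

    private final String appId; // current application identifier, e.g. "appa"

    public TenantAccessControlFilter(@Value("${app.id}") String appId) { this.appId = appId; }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // S401: the login token travels in the Authorization header.
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) { response.sendError(401); return; }

        // S402: parse the claims (signature verification happened upstream, see lead-in).
        JWTClaimsSet claims;
        try {
            claims = JWTParser.parse(header.substring("Bearer ".length())).getJWTClaimsSet();
        } catch (ParseException e) { response.sendError(401); return; }

        String dataSourceName = decide(claims, appId, request.getRequestURI(), Instant.now());
        if (dataSourceName == null) { response.sendError(403); return; }

        // S405: switch the data source for this request only. poll() must run on every exit path,
        // otherwise the tenant context leaks into the next request served by this pooled thread.
        DynamicDataSourceContextHolder.push(dataSourceName);
        try {
            chain.doFilter(request, response);
        } finally {
            DynamicDataSourceContextHolder.poll();
        }
    }

    /** Steps S403 to S405 as a pure decision: the data source name to use, or null to deny access. */
    static String decide(JWTClaimsSet claims, String appId, String path, Instant now) {
        try {
            List<String> apps = claims.getStringListClaim("authorizedApps");
            String expiredTime = claims.getStringClaim("expiredTime");
            String tenantCode = claims.getStringClaim("tenantCode");
            // S403: the tenant must be authorized for this application.
            if (apps == null || !apps.contains(appId)) return null;
            // S404: the authorization must still be valid.
            if (expiredTime == null || !Instant.parse(expiredTime).isAfter(now)) return null;
            // Only a well-formed tenantCode may become part of a data source name.
            if (tenantCode == null || !TENANT_CODE.matcher(tenantCode).matches()) return null;
            // S405: /sys... uses the tenant user database (user_<tenantCode>), everything else
            // the application database (<appId>_<tenantCode>), matching appa_tenant01 / user_tenant01 above.
            return (path.startsWith("/sys") ? "user" : appId) + "_" + tenantCode;
        } catch (ParseException | DateTimeParseException e) {
            return null; // malformed claims are treated as no authorization
        }
    }
}
```

The data source names returned must already be registered with the dynamic data source (they are created during tenant initialization), so a denial here is also the right response to a tenantCode that passes the shape check but names no configured database.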

Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A multi-tenant user access control system, characterized in that it comprises a tenant management module, a multi-application system and a user authentication module, wherein independent databases are used between the tenant management module and the multi-application system; single sign-on is realized among the multiple application systems, and each application system has a unique application identifier;
the tenant management module is used for tenant management of the multi-application system; tenant management of the multi-application system comprises creation of tenants and application access authorization of tenants;
the multi-application system is used for providing services to tenant users;
the user authentication module is embedded in each application system and uses Keycloak to achieve data isolation between different tenants and permission control of different users.
2. The multi-tenant user access control system according to claim 1, wherein, when the tenant management module creates a tenant, the attributes authorizedApps, tenantCode, tenantId, expiredTime and userType are added to the user attributes of Keycloak, respectively representing the application systems the tenant is authorized to access, the tenant code, the tenant's unique ID, the tenant's expiration time and the user type;
wherein tenantCode is an 8-character unique random string; tenantId is a 36-character UUID; expiredTime is the time until which the tenant is allowed to access the applications; userType is the user type, whose value is tenant for a tenant and user for a user under the tenant.
3. The multi-tenant user access control system according to claim 1 or 2, wherein the tenant management module, when creating the user, creates for the tenant an application database for each application system the tenant is authorized to access and a tenant user database, and initializes application configuration information and tenant configuration information; the application systems the tenant is authorized to access share one tenant user database;
the application configuration information comprises application dictionary configuration, application menu permissions and application interface permissions;
the tenant configuration information comprises the tenant's default roles; the default roles comprise an administrator role for each application system, and the administrator role of each application system holds all menu and interface permissions of the corresponding application system;
the tenant user database stores the resource access control configuration of the tenant's users and of each application system, comprising application menu permissions, application interface permissions, roles, role-permission relations and user-role relations;
the name of each tenant application database consists of the application identifier and the tenantCode, separated by an underscore;
the name of the tenant user database consists of the fixed identifier user and the tenantCode, separated by an underscore.
4. The multi-tenant user access control system according to claim 3, wherein each application system has a tenant access control filter which, when a tenant user accesses the application system, switches to the tenant application database and tenant user database corresponding to that user and authenticates the tenant's access;
the tenant access control filter is implemented with a Spring Filter and specifically:
(1) obtains the user's login token from the Authorization request header of the user's request;
(2) parses the authorizedApps attribute in the token;
(3) determines whether that attribute contains the current application identifier:
if not, denies the user access;
if so, executes step (4);
(4) checks whether the expiredTime attribute in the token is later than the current time:
if not, denies access;
if so, executes step (5);
(5) determines whether the current request path contains the sys prefix:
if so, switches the data source to the tenant user database;
if not, switches the data source to the tenant application database.
5. The multi-tenant user access control system according to claim 4, wherein each application system obtains the attributes authorizedApps, tenantCode, tenantId, expiredTime and userType from the token when creating a user:
if userType is user, the tenantId of the created user is set to the tenantId in the token;
if userType is tenant, the tenantId of the created user is set to the ID of the currently logged-in user;
the userType of the created user is set to user, and the user attributes authorizedApps, tenantCode, tenantId and expiredTime are kept identical to the corresponding values parsed from the token.
6. The multi-tenant user access control system according to claim 5, wherein each application system uses an architecture in which the front-end page and the application back end are separated; when a user accesses the front-end page, the page calls the application back-end interface to obtain the user's menu and interface permissions for the current application and stores them in a global variable;
the front-end page comprises routing control: when the user requests any menu path, it first checks whether the authorized menus in the front-end global variable contain the requested path:
if so, access is allowed;
if not, the page redirects to the default access-forbidden page;
the interface permissions are implemented with Spring Security: PreAuthorize annotations are added to all Controllers, the SpEL expression in the annotation calls a custom interface-permission verification method, and the parameter of that method is the interface permission identifier corresponding to the interface.
7. A multi-tenant user access control method, characterized by comprising the following steps:
S1. creating a tenant: specifying the applications the tenant is authorized to access and the authorization expiration time;
S2. creating users for each tenant;
S3. front-end page loading initialization and front-end routing control;
S4. executing the tenant access control filter.
8. The multi-tenant user access control method according to claim 7, wherein creating the tenant in step S1 is as follows:
S101. generating a unique 8-character tenantCode, i.e. tenant code, for the tenant, the tenantCode being used as the suffix of the database name when the tenant's application databases and user database are created;
S102. setting the tenant attribute userType to tenant;
S103. setting the tenant's authorized-application attributes authorizedApps and expiredTime;
S104. calling Keycloak's user creation interface to complete creation of the user;
S105. initializing the tenant user database;
S106. initializing the corresponding application database and user database for each authorized application in turn according to authorizedApps; the application database and user database are initialized by executing pre-written DDL and DML scripts, which are run with MyBatis' ScriptRunner;
in step S2, creating users for each tenant is as follows:
S201. obtaining the logged-in user's token and parsing it;
S202. determining whether userType is tenant:
if so, executing step S203;
if not, setting the user's tenantId attribute to the tenantId in the token and jumping to step S204;
S203. setting the user's tenantId attribute to the ID of the user in the token;
S204. keeping the user attributes authorizedApps, tenantCode, tenantId and expiredTime identical to the corresponding values parsed from the token;
S205. setting the user's userType attribute to user.
9. The multi-tenant user access control method according to claim 7, wherein step S3 is as follows:
S301. when the user accesses the front-end page, the page calls the application back-end interface to obtain the user's menu and interface permissions for the current application and stores them in a global variable, completing page initialization; when the front-end framework is Angular, a service is defined and the authorized menus are kept in a property of that service, which serves as the global variable;
S302. when the user requests a menu path, obtaining the authorized menu paths from the global variable;
S303. checking whether the authorized menus in the front-end global variable contain the requested path:
if so, allowing access and navigating to the requested menu page;
if not, redirecting to the default access-forbidden page.
10. The multi-tenant user access control method according to claim 7, wherein executing the tenant access control filter in step S4 is as follows:
S401. the tenant access control filter obtains the user's login token from the Authorization request header of the user's request;
S402. parsing the token;
S403. determining whether the authorizedApps attribute in the token contains the current application identifier:
if not, denying the user access;
if so, executing step S404;
S404. checking whether the expiredTime attribute in the token is later than the current time:
if not, denying the user access;
if so, executing step S405;
S405. determining whether the current request path contains the sys prefix:
if not, switching the data source to the tenant application database;
if so, switching the data source to the tenant user database;
data source switching is implemented with the multi-data-source library dynamic-datasource-spring-boot-starter by adding the dependency compile group: 'com.baomidou', name: 'dynamic-datasource-spring-boot-starter', version: '2.5.4' in build.gradle;
executing DynamicDataSourceContextHolder.push(datasourceName) switches the data source;
executing DynamicDataSourceContextHolder.poll() cancels the data source setting;
wherein dataSourceName is the data source name: for the application database it is appa_tenant01 and for the user database it is user_tenant01, where appa is the application identifier and tenant01 is the tenant code, i.e. the tenantCode.
CN202210024575.1A 2022-01-11 2022-01-11 Multi-tenant user access control system and method Pending CN114417300A (en)
Publications (1)

Publication Number Publication Date
CN114417300A true CN114417300A (en) 2022-04-29
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination