简体繁体 English

多租户物理隔离

[英]Multi-Tenant physical isolation

原文 2015-05-12 08:41:06 7 1 c#/ asp.net-mvc/ iis-7.5/ impersonation/ multi-tenant

We have a multi-tenant Asp.Net MVC 4 web application with each tenant having its own repository of files (a folder in the file-system). 我们有一个多租户Asp.Net MVC 4 Web应用程序，每个租户都有自己的文件存储库（文件系统中的文件夹）。 We took the shared database, shared schema approach and we identify tenants by their subdomain. 我们采用了共享数据库，共享架构方法，并通过子域来识别租户。

What is the best way to ensure that a tenant can only access his repository folder and no other folder in the file-system? 确保租户只能访问其存储库文件夹而不能访问文件系统中其他文件夹的最佳方法是什么？ we check it in the application business logic, but what if we make a mistake...? 我们会在应用程序业务逻辑中检查它，但是如果我们犯错了怎么办...？

When running the application, all tenants run under the same user (which is defined in IIS application pool). 运行应用程序时，所有租户都在同一用户（在IIS应用程序池中定义）下运行。

Do we need to serve each tenant as a separate user - using impersonation? 我们是否需要使用模拟服务将每个租户作为单独的用户使用？ do we need to impersonate each time a request is made to the server - in order to fill it? 我们是否需要在每次向服务器发出请求时都冒充他人-为了满足请求？

I've heard this has performance drawbacks and is not the prefered way, but what is? 我听说这存在性能缺陷，不是首选方法，但是什么呢？

We also have a windows service which fills requests in the background (for all tenants), sent to it through MSMQ. 我们还有一个Windows服务，该服务在后台（针对所有租户）填充通过MSMQ发送给它的请求。 Does this service also needs to change its identity every time it gets a request? 每次收到请求时，此服务是否还需要更改其身份？

Edit: In addition, we need a type of isolation which if someone uploads a file infected with a virus - it will affect only this tenant's files, and not every tenant on the server. 编辑：此外，我们需要一种隔离类型，如果有人上载感染了病毒的文件，它将仅影响该租户的文件，而不会影响服务器上的每个租户。 We use ant-virus software, but we need this separation also in case the antivirus software will not identify the virus. 我们使用反病毒软件，但是如果防病毒软件无法识别病毒，也需要进行这种分离。

Thank you 谢谢

1 个解决方案

all tenants run under the same user 所有租户都在同一用户下运行

If each tenant has a separate IIS Web App and identity (whether app pool or "normal" user), then you can use NTFS access control. 如果每个租户都有一个单独的IIS Web应用程序和标识（无论是应用程序池还是“普通”用户），则可以使用NTFS访问控制。

These does not depend on having all users having a local or domain user accounts on the web servers to allow impersonation (and this NTFS access control). 这些不依赖于使所有用户在Web服务器上具有本地或域用户帐户来允许模拟（以及此NTFS访问控制）。

However it will add memory overhead on the servers of course – each tenant will have their own worker process. 但是，这当然会增加服务器的内存开销–每个租户将拥有自己的工作进程。

[…]MSMQ. [...] MSMQ。 Does this service also needs to change its identity every time it gets a request? 每次收到请求时，此服务是否还需要更改其身份？

I'm not sure you can do impersonation based on MSMQ messages, I would expect this not to work (MSMQ messages do not carry the necessary identity information). 我不确定您可以基于MSMQ消息进行模拟，但我希望这样做不起作用（MSMQ消息没有携带必要的身份信息）。

Anything shared is going to need to be implemented to check all access: depending on the nature of the processing this may be more difficult (eg. if client requests can be something of the order "get information from the file" for an arbitrary file: the service would need to do the access checks ¹ ). 任何共享的东西都需要实现以检查所有访问权限：根据处理的性质，这可能会更加困难（例如，如果客户端请求可能是任意文件“从文件中获取信息”的某种顺序：服务将需要进行访问检查¹ ）。

¹ There are Win32 functions that will do the heavy lifting. ¹有Win32函数可以完成繁重的工作。