多租户数据架构-共享架构-安全
[英]Multi-Tenancy Data Architecture - Shared Schema - Security
问题描述
A new project we are starting requires MultiTenancy. 
我们正在启动的新项目需要MultiTenancy。 At storage level this can be done at several ways. 在存储级别,这可以通过几种方法来完成。 (separate Database / separate schemas / Shared schema ) (单独的数据库/单独的模式/共享的模式)
To keep the operational costs down we believe that "Shared Schema - Shared Tables" is the best way to continue. 为了降低运营成本,我们认为“共享模式-共享表”是继续的最佳方法。 So all the tenants will share the same table on the same database/schema schema. 因此,所有租户将在同一数据库/模式架构上共享同一表。
However a constraint is to provide good tenant isolation and security. 但是,一个约束条件是提供良好的租户隔离和安全性。 For this we can use encryption. 为此,我们可以使用加密。 If we are able to provide each tenant with a own keypair, then we provide good security and good isolation. 如果我们能够为每个租户提供一个自己的密钥对,那么我们将提供良好的安全性和良好的隔离性。 Each tenant can only read his own data and we don't have to add a discriminator field at each table as well. 每个租户只能读取自己的数据,我们也不必在每个表上添加一个鉴别符字段。
How can we implement this technically? 我们如何从技术上实现这一目标? If you query your table we will get a lot of data we are not able to decrypt ( data from other tenants ). 如果查询您的表,我们将获得很多我们无法解密的数据(来自其他租户的数据)。 Also in Joins etc it will have higher load due to the other records being in database. 同样在Joins等中,由于其他记录在数据库中,因此具有更高的负载。
I've already read a couple of articles on MSDN and watched some presentations, but they keep it very high level and abstract. 我已经阅读了MSDN上的几篇文章,并观看了一些演示,但是它们保持了很高的层次和抽象。 Any thoughts on this ? 有什么想法吗? Is something like described above possible? 像上面描述的那样可能吗? I thought you could do something on Amazon RDS ? 我以为您可以在Amazon RDS上做点什么? Is it possible to provide some example - eg on github? 是否可以提供一些示例-例如在github上?
1 个解决方案
解决方案1
0 2016-06-04 20:28:36
Based on what you've shared, and with some reading between the lines, I am wary of this approach. 根据您共享的内容,以及各行之间的一些阅读,我对此方法持谨慎态度。 By itself, shared schema is a very reasonable design for multi-tenancy; 就共享租用架构本身而言,它是用于多租户的非常合理的设计。 where I see problems is with the suggested use of encryption. 我发现问题在于建议使用加密。
While PostgreSQL does support encryption, it's done via functions in the pgcrypto module. 尽管PostgreSQL支持加密,但是它是通过pgcrypto模块中的函数完成的。 RDS, as a managed service for PostgreSQL, adds the ability to easily provision encrypted volumes as well, but to a database user/developer, it's going to look pretty much the same. RDS作为PostgreSQL的托管服务,还增加了轻松配置加密卷的功能,但是对于数据库用户/开发人员来说,它看起来几乎一样。
The docs suggest using pgcrypto if you only need to encrypt small subsets of your data that you don't need to filter or join on - but it's not clear how much of the data you are looking to encrypt. 如果您只需要加密不需要过滤或加入的数据的小子集,则文档建议使用pgcrypto-但不清楚要加密的数据量是多少。 If only a handful of columns and don't need to filter on them, this may work. 如果只有少数几列并且不需要对其进行过滤,则可能会起作用。 Otherwise, reconsider - extensive use of the pgcrypto functions will render almost all standard database operations impossibly inefficient. 否则,请重新考虑-广泛使用pgcrypto函数将使几乎所有标准数据库操作都无法实现低效率。 A where clause will require decrypting the column, in turn requiring scanning/decrypting the full table; where子句将要求解密该列,进而需要扫描/解密整个表; there would be zero use of indexes. 索引的使用将为零。 Your performance will slow to a crawl very quickly. 您的表现将很快变得缓慢。
A major consideration you haven't provided is how you are providing access - for example, a web application, where you completely mediate access with a single, trusted account? 您尚未提供的主要考虑因素是您如何提供访问权限-例如,在Web应用程序中,您在其中完全通过一个受信任的帐户来中介访问权限? Or allowing the customers to connect directly to the database? 还是允许客户直接连接到数据库? In the former case, your code would be managing all access anyway, and would always need access to all the keys; 在前一种情况下,您的代码无论如何都将管理所有访问,并且始终需要访问所有密钥。 why incur the overhead? 为什么要产生开销? In the latter case, you'd probably render the database unusable to the customer, because all of the standard query tools would be difficult to use. 在后一种情况下,您可能会使数据库对客户不可用,因为所有标准查询工具都将难以使用。
More broadly, in my experience, a schema-per-tenant approach can offer a good balance between isolation, efficiency, and development overhead. 从更广泛的角度来看,以我的经验,每租户架构方法可以在隔离,效率和开发开销之间提供良好的平衡。 And with judicious use of roles in PostgreSQL, you can enforce reasonable access controls for direct access (you can do the same with rows, though in my view that would require more overhead to administer correctly). 通过在PostgreSQL中明智地使用角色,您可以强制实施合理的访问控制以进行直接访问(您可以对行执行相同的操作,尽管我认为这需要更多的开销才能正确管理)。
Take a look at some of the commonly used application frameworks to learn more: Rails offers the Apartment gem ( https://github.com/influitive/apartment ); 看一下一些常用的应用程序框架以了解更多信息:Rails提供了Apartment gem( https://github.com/influitive/apartment ); Django has the django-tenants library ( http://django-tenants.readthedocs.io/en/latest/ ); Django具有django-tenants库( http://django-tenants.readthedocs.io/en/latest/ ); Hibernate has a pluggable tenant framework (eg, https://docs.jboss.org/hibernate/orm/4.2/devguide/en-US/html/ch16.html ) Hibernate具有可插入的租户框架(例如, https : //docs.jboss.org/hibernate/orm/4.2/devguide/en-US/html/ch16.html )
Hope this helps. 希望这可以帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.