
Use single or multiple mysql users for SaaS PHP/mysql application with multi-tenant architecture

We are building a multiuser app that has one database per customer. All customer database structures are identical. Right now we are generating a new mysql user (per client) that only has privileges to work on its own database.

e.g. mysql user1 has rights on dbase1.* (database1.alltables), mysql user2 has rights on dbase2.*.

We are now noticing that this is already a pain to get dumped to another server as backup (we don't use replication but try to dump files once in a while, but the information_schema dbase cannot be dropped & recreated from an sql file it seems).

Anyway, we are wondering if it would be better to just use 1 user that can access all client databases? This is more insecure, right? Or can it be used in a rather secure way? It would be better to manage for sure.

What are your thoughts?

What you may want to do is, when you create a MySQL user, also store a record of that user's creation somewhere else (outside the DB), and then have a script that restores the users and their privileges into the DB from the records you have created.

This somewhat depends on your requirements (especially related to restoring a client from backup), but I am using a single database/schema for all of my tenants with no potential for a tenant seeing another tenant's data.

  1. Create a mysql user per tenant (sounds like you already have this)
  2. Add a tenant_id column (VARCHAR) to all tables
  3. Use a trigger to automatically put the current mysql user into the tenant_id column on INSERT
  4. Create a view for each table that only shows rows where tenant_id = current_mysql_user (don't include the tenant_id in these views)
  5. Only give access to these views to the tenant mysql users
  6. Determine which tenant is connecting (possibly by URL) to determine which mysql user you should use to connect to the database.

Since your application would be connecting to the database using a tenant-specific user that only has access to rows where tenant_id = their user, data will be segmented by tenant.

I was able to use this technique to convert a large single-tenant application to multi-tenant in a weekend with very few changes. I documented the full solution in my blog: https://opensource.io/it/mysql-multi-tenant/
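As an added example (not code from the answer above or from the linked blog post), the following MySQL script implements steps 2 to 5 of that answer for a single table; step 6 lives in the PHP side (choosing the tenant's credentials per request) and is not shown. The database name `saas`, table `customers`, view `customers_v`, the accounts `tenant1`/`tenant2` and their placeholder passwords are all assumptions made for the example.

```sql
-- Added example, not from the answer or the linked blog post.
-- Assumed names: database saas, base table customers, view customers_v,
-- tenant accounts tenant1 / tenant2 with placeholder passwords.
-- Intended to be run with the mysql command-line client (DELIMITER is a client command).
CREATE DATABASE IF NOT EXISTS saas;
USE saas;

-- Step 2: every base table carries a tenant_id column.
-- The empty default is deliberate: if the trigger were ever dropped, new rows
-- would be stamped '' and become visible to no tenant (fail closed) rather than
-- leaking across tenants.
CREATE TABLE customers (
  id        INT AUTO_INCREMENT PRIMARY KEY,
  tenant_id VARCHAR(32) NOT NULL DEFAULT '',
  name      VARCHAR(100) NOT NULL,
  INDEX idx_tenant (tenant_id)
);

-- Step 3: stamp new rows with the account that actually connected.
-- USER() is used on purpose: inside a trigger or a DEFINER view, CURRENT_USER()
-- reports the object's definer, not the connecting client, which would make
-- every row belong to the administrator.
DELIMITER $$
CREATE TRIGGER customers_set_tenant
BEFORE INSERT ON customers
FOR EACH ROW
BEGIN
  SET NEW.tenant_id = SUBSTRING_INDEX(USER(), '@', 1);
END$$
DELIMITER ;

-- Step 4: a view that hides tenant_id and filters on the connecting account.
-- SQL SECURITY DEFINER (the default) means tenants need no privilege on the
-- base table; the view reads it with the privileges of the account that created it.
-- Because tenant_id is not a view column, a tenant can neither read nor set it.
CREATE SQL SECURITY DEFINER VIEW customers_v AS
  SELECT id, name
  FROM customers
  WHERE tenant_id = SUBSTRING_INDEX(USER(), '@', 1);

-- Step 5: tenant accounts are granted the view only, never the base table.
CREATE USER 'tenant1'@'%' IDENTIFIED BY 'placeholder-password-1';
CREATE USER 'tenant2'@'%' IDENTIFIED BY 'placeholder-password-2';
GRANT SELECT, INSERT, UPDATE, DELETE ON saas.customers_v TO 'tenant1'@'%', 'tenant2'@'%';

-- Check: the output should list the view and nothing on saas.customers.
SHOW GRANTS FOR 'tenant1'@'%';

-- When connected as tenant1, the trigger stamps the row with 'tenant1' and
-- only tenant1's rows come back; the same statements run as tenant2 see a
-- disjoint set of rows:
--   INSERT INTO saas.customers_v (name) VALUES ('Acme');
--   SELECT * FROM saas.customers_v;
```

Two things are worth verifying on a real deployment of this pattern: connect as two different tenant accounts and confirm that each sees only its own inserts (including after an `UPDATE` or `DELETE` through the view, which are likewise restricted to the visible rows), and confirm that `SHOW GRANTS` for each tenant account lists only the views. The whole scheme rests on the base tables being reachable only through the views, so any later `GRANT` on the base tables or on `saas.*` silently removes the isolation.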
