与租户特定角色ASP.NET多租户应用程序 [英] ASP.NET Multi tenant application with tenant specific roles
问题描述
我们有一个多租户ASP.NET应用程序。到目前为止,租户已经相互隔离的,但现在我们有一个管理多个租户,并希望能够管理他们与一个单一的用户帐户的所有住户机构。我试图找出为实现这个目标,希望没有太多的变化,我们利用现有技术的最佳途径。
We have a multi-tenant ASP.NET application. So far tenants have been isolated from each other, however now we have Agencies that manage multiple tenants and want to be able to manage all their tenants with a single user account. I'm trying to figure out the best way to accomplish that, hopefully without much change to the existing technologies that we are using.
相关技术细节:
- AspNetSqlMembershipProvider为成员资格和角色
- C#4.0(即将4.5)
- 表单验证
- 双方ASPX和MVC(V3)页
- 假设100以上的租户,因此任何解决方案需要支持
我相信要求非常类似于SQL Server的安全模式。我们有一组其重新present所有可以登录到系统的用户登录。用户应该能够被赋予的角色的一个或多个数据库(租户)。例如:用户鲍勃在A公司的管理角色,但只有在B公司的用户角色我们也有我公司的员工,允许我们访问任何租客系统管理员的角色,以及专门的管理权限,如创建/删除房客等等。
I believe the requirements are very similar to the security model for SQL Server. We have one set of logins which represent all the users that can login to the system. Users should be able to be given roles to one or more databases (tenants). Example: User Bob has admin role in company A, but only user role in company B. We also have a "sysadmin" role for my company's employees which allow us access to any tenant as well as specialized administrative privileges such as create/delete tenants, etc.
我已经做了很多的研究,各库,框架等,我还没有发现任何令人信服的证据表明一些其他的库或框架会比我们目前有更好的。所以我想现在只是搞清楚如何使SQL成员资格供应商做我想做的,除非有人能在一个更好的方向指向我。我也不能肯定我所知道的最好的条件在此搜索。
I've done a lot of research into various libraries, frameworks, etc, and I haven't found any convincing evidence that some other library or framework will be better than what we currently have. So I'm currently thinking of just figuring out how to make Sql Membership provider do what I want, unless someone can point me in a better direction. I'm also not sure I know the best terms to search for in this.
我有2个选项我考虑:
- 只有角色屈指可数加入成员资格提供程序和处理的不当前用户在这个房客这个角色会员提供商之外的所有问题。会员供应商将被用来处理对系统的基本访问。
- 添加特定于租户的角色成员提供。我们将不得不(角色#)×(租户#)系统中的总的角色。每一个新的租户将另一个角色集添加到系统中,例如租客:管理,承租人答:用户等会需要一些额外的表来管理的关系,以及可能是一些自定义的code,以确保访问请求从会员正确的特定租户的作用供应商。
要么是这些选项的好?或者我应该在其他地方寻找这种支持?
Are either of these options good? Or should I be looking elsewhere for support for this?
推荐答案
我不认为你要能够鞋拔子多租户到任何开箱角色提供的,所以你还不如继续使用SqlMembershipProvider的(和SqlRoleProvider)。即使是最新的Microsoft.AspNet.Identity仍然呈多对许多用户和角色之间的香草。你真正需要的是一个3列添加到许多对多表的主键,这将ID租客,即:
I don't think you are going to be able to shoehorn multitenancy into any out of the box role provider, so you might as well keep using SqlMembershipProvider (and SqlRoleProvider). Even the newest Microsoft.AspNet.Identity still assumes a vanilla many-to-many between users and roles. What you really need is to add a 3rd column to the primary key of that many-to-many table, which will id your tenant, i.e.:
user: 6
role: 4
tenant: 17
user: 6
role: 9
tenant: 18 (and so on)
...这个,你可以有不同的租约,都使用相同的一组角色名称。
...with this, you are able to have users with different privileges for different tenancies, all using the same set of role names.
如果您使用选项#2去了,那么你的[授权]属性就会爆炸。想象一下:
If you went with option #2, then your [Authorize] attributes would explode. Imagine this:
[Authorize(Roles = "TenantA:Admin", "TenantB:Admin", ...)]
public ActionResult Post(int id, SomeViewModel model) {}
...所有这些属性会在编译时被写入,除非您使用自定义AuthorizeAttribute,你可以做去了。但即使如此,你还剩下每次添加一个租户系统,这不应该是必要的时间建立了一套新的角色。
... all of those attributes would have to be written at compile time unless you went with a custom AuthorizeAttribute, which you could do. But even then you are left creating a new set of roles each time you add a tenant to the system, which should not be necessary.
这篇关于与租户特定角色ASP.NET多租户应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
