Replication of resource type and schema metadata for multi-tenant identity cloud services

Document number: 991702 Publication date: 2020-10-20

Reading note: This technology, Replication of resource type and schema metadata for multi-tenant identity cloud services, was designed and created by 胥潇潇, V·R·米达姆, 史光宇 and S·K·斯利尼瓦桑 on 2019-10-15. Its main content is as follows: Embodiments operate a multi-tenant cloud system having a first data center. Embodiments authenticate a first client and store resources corresponding to the first client at the first data center, the first data center being in communication with a second data center configured to authenticate the first client and replicate the resources. In response to upgrading a global resource at the first data center to a new version, embodiments generate a manifest file that includes a list of the global resource types and schemas that are modified or added by the upgrade. Embodiments also upgrade the global resources based on the manifest file, write the upgraded global resources to a first global database, and generate a change event message corresponding to the upgraded global resources.

1. A method of operating a multi-tenant cloud system, the method comprising:

authenticating, at a first data center, a first client and storing a resource corresponding to the first client, the first data center in communication with a second data center configured to authenticate the first client and replicate the resource;

in response to upgrading a global resource at the first data center to a new version, generating a manifest file that includes a list of global resource types and schemas that are modified or added in response to the upgrading;

at a first data center, upgrading global resources based on the manifest file, writing the upgraded global resources into a first global database, and generating change event messages corresponding to the upgraded global resources;

pushing the change event message to a second data center;

comparing, at a second data center, a current version to the new version;

at a second data center, applying the change event message to a second global database when the current version is not newer than the new version;

at a second data center, ignoring the change event message when the current version is as new as or newer than the new version; and

at the second data center, changing a non-replicated service to load the global resource from a binary distribution instead of from the second global database.

2. The method of claim 1, wherein the first data center pushes the change event message to the second data center via a REST API call.

3. The method of claim 1, wherein the change event message is written to one or more first sharded queues of the first data center.

4. The method of claim 2, wherein all change event messages associated with the first tenant are written to the same sharded queue.

5. The method of claim 2, wherein the change event message is written to one or more second sharded queues of the second data center.

6. The method of claim 1, further comprising:

at the second data center, loading, by a replication service, the global resources from the second global database and flushing the corresponding cache.

7. The method of claim 1, wherein the first data center, the second data center and a plurality of additional data centers form an island, the method further comprising:

when one of the island data centers is upgraded, designating that data center as a primary data center and all other island data centers as replica data centers.

8. The method of claim 1, wherein upgrading the resource at the first data center includes adding a new resource type and schema.

9. A non-transitory computer-readable medium storing instructions that, when executed by at least one processor of a plurality of processors, cause the processor to operate a multi-tenant cloud system, the operations comprising:

authenticating, at a first data center, a first client and storing a resource corresponding to the first client, the first data center in communication with a second data center configured to authenticate the first client and replicate the resource;

in response to upgrading a global resource at the first data center to a new version, generating a manifest file that includes a list of global resource types and schemas that are modified or added in response to the upgrading;

at a first data center, upgrading global resources based on the manifest file, writing the upgraded global resources into a first global database, and generating change event messages corresponding to the upgraded global resources;

pushing the change event message to a second data center;

comparing, at a second data center, a current version to the new version;

at a second data center, applying the change event message to a second global database when the current version is not newer than the new version;

at a second data center, ignoring the change event message when the current version is as new as or newer than the new version; and

at the second data center, changing a non-replicated service to load the global resource from a binary distribution instead of from the second global database.

10. The non-transitory computer-readable medium of claim 9, wherein the first data center pushes the change event message to the second data center via a REST API call.

11. The non-transitory computer-readable medium of claim 9, wherein the change event message is written to one or more first sharded queues of the first data center.

12. The non-transitory computer-readable medium of claim 10, wherein all change event messages associated with the first tenant are written to the same sharded queue.

13. The non-transitory computer-readable medium of claim 10, wherein the change event message is written to one or more second sharded queues of the second data center.

14. The non-transitory computer-readable medium of claim 9, the operations further comprising:

at the second data center, loading, by a replication service, the global resources from the second global database and flushing the corresponding cache.

15. The non-transitory computer-readable medium of claim 9, wherein the first data center, the second data center and a plurality of additional data centers form an island, the operations further comprising:

when one of the island data centers is upgraded, designating that data center as a primary data center and all other island data centers as replica data centers.

16. The non-transitory computer-readable medium of claim 9, wherein upgrading the resource at the first data center includes adding a new resource type and schema.

17. A multi-tenant cloud system data center comprising:

a management service adapted to authenticate a first client and store resources corresponding to the first client, the data center in communication with a second data center configured to authenticate the first client and replicate the resources;

a global database coupled with the management service;

wherein the management service is further adapted to: in response to upgrading a global resource at the data center to a new version, generate a manifest file including a list of global resource types and schemas modified or added in response to the upgrade, upgrade the global resource based on the manifest file, write the upgraded global resource to the global database, and generate a change event message corresponding to the upgraded global resource;

a replication service adapted to push the change event message to a second data center via a REST API call;

wherein, in response to receiving the change event message, the second data center is configured to compare a current version to the new version, apply the change event message to a second global database when the current version is not newer than the new version, ignore the change event message when the current version is as new as or newer than the new version, and change a non-replicated service to load the global resource from a binary distribution instead of from the second global database.

18. The multi-tenant cloud system data center of claim 17, further comprising one or more first sharded queues, wherein the change event message is written to a first sharded queue.

19. The multi-tenant cloud system data center of claim 18, wherein all change event messages associated with the first tenant are written to the same sharded queue.

20. The multi-tenant cloud system data center of claim 17, wherein the data center, the second data center and a plurality of additional data centers form an island, the management service designating one of the island data centers as a primary data center and all other island data centers as replica data centers when that data center is upgraded.

Technical Field

One embodiment relates generally to identity management, and more particularly to identity management in cloud systems.

Background

In general, the use of cloud-based applications (e.g., enterprise public cloud applications, third-party cloud applications, etc.) is rapidly evolving, with access from a variety of devices (e.g., desktops and mobile devices) and a variety of users (e.g., employees, partners, customers, etc.). The rich diversity and accessibility of cloud-based applications has made identity management and access security a central issue. Typical security issues in cloud environments are unauthorized access, account hijacking, malicious insiders, and the like. Thus, there is a need to securely access cloud-based applications, or applications located anywhere, regardless of the device type or user type from which the application is accessed.

Disclosure of Invention

Drawings

Fig. 1-5 are block diagrams of example embodiments that provide cloud-based identity management.

Fig. 6 is a block diagram providing a system view of an embodiment.

Fig. 6A is a block diagram providing a functional view of an embodiment.

Fig. 7 is a block diagram of an embodiment implementing a cloud gate.

Figure 8 illustrates an example system that implements multiple tenants in one embodiment.

Fig. 9 is a block diagram of a network view of an embodiment.

FIG. 10 is a block diagram of a system architecture view of single sign-on ("SSO") functionality in one embodiment.

FIG. 11 is a message sequence flow for the SSO function in one embodiment.

FIG. 12 illustrates an example of a distributed data grid in one embodiment.

Fig. 13 illustrates a plurality of deployed data centers (designated "DC"), each forming an "area," in accordance with an embodiment of the present invention.

FIG. 14 illustrates a process flow for replicating a change event/log between a primary IDCS deployment and a replica IDCS deployment, according to an embodiment of the invention.

Fig. 15 illustrates a process flow of conflict resolution between a primary IDCS deployment and a replica IDCS deployment, according to an embodiment of the invention.

Fig. 16 is a block diagram that further illustrates details of primary IDCS deployment and replica IDCS deployment, according to an embodiment of the invention.

FIG. 17 is a flow diagram of a conflict resolution responsive to replication according to an embodiment of the invention.

FIG. 18 illustrates a schematic diagram of a replication configuration for a global resource, according to an embodiment.

FIG. 19 illustrates global resource replication and upgrade from a primary region to a replica region, according to an embodiment.

Embodiments operate a multi-tenant cloud system having a first data center. Embodiments authenticate a first client and store resources corresponding to the first client at the first data center, the first data center being in communication with a second data center configured to authenticate the first client and replicate the resources. In response to upgrading a global resource at the first data center to a new version, embodiments generate a manifest file that includes a list of the global resource types and schemas that are modified or added by the upgrade. Embodiments also upgrade the global resources based on the manifest file, write the upgraded global resources to a first global database, and generate a change event message corresponding to the upgraded global resources. Embodiments push the change event message to the second data center, which then compares its current version to the new version. When the current version is not newer than the new version, the second data center applies the change event message to a second global database; when the current version is as new as or newer than the new version, it ignores the change event message and changes the non-replicated service to load the global resource from the binary distribution instead of from the second global database.
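The upgrade-and-replicate procedure of claim 1 and the summary above, as an added example that is not part of the patent or any product code: the primary builds a manifest of only the added or modified resource types and schemas, emits a versioned change event, and the replica applies it only when strictly newer than what it already holds. The `(major, minor)` version tuples, resource names and in-memory "global databases" are constructed for illustration; where the claim's "not newer" and "as new as or newer" conditions overlap at equality, the example treats an equal version as ignored, so a replayed or duplicated event is not re-applied.

```python
from dataclasses import dataclass, field

Version = tuple[int, int]  # constructed (major, minor); a newer version compares greater


def build_manifest(old_defs: dict, new_defs: dict) -> dict:
    """Manifest of the upgrade: only resource types whose schema was added or modified."""
    return {name: schema for name, schema in new_defs.items()
            if name not in old_defs or old_defs[name] != schema}


@dataclass
class ChangeEvent:
    version: Version   # version of the primary's global resources after the upgrade
    manifest: dict     # resource type -> schema, taken from the manifest file


def upgrade_primary(global_db: dict, new_defs: dict, new_version: Version) -> ChangeEvent:
    """Primary side: build the manifest, upgrade the global database, emit the event."""
    manifest = build_manifest(global_db, new_defs)
    global_db.update(manifest)
    return ChangeEvent(version=new_version, manifest=manifest)


@dataclass
class ReplicaDataCenter:
    current_version: Version
    global_db: dict = field(default_factory=dict)
    resource_source: str = "global_db"  # where the non-replicated service loads from
    cache_flushed: bool = False

    def on_change_event(self, event: ChangeEvent) -> str:
        """Replica side: apply only if the event is strictly newer than what we hold."""
        if self.current_version >= event.version:
            # As new as or newer (including a replayed event): ignore it and have the
            # non-replicated service load global resources from its binary distribution.
            self.resource_source = "binary_distribution"
            return "ignored"
        self.global_db.update(event.manifest)
        self.current_version = event.version
        self.resource_source = "global_db"
        self.cache_flushed = True  # replication service reloads from the DB and flushes cache
        return "applied"


def demo() -> tuple[str, str]:
    """Constructed run: a stale replica applies the event, an up-to-date replica ignores it."""
    old = {"User": "v1-schema", "Group": "v1-schema"}
    new = {"User": "v2-schema", "Group": "v1-schema", "AuditEvent": "v1-schema"}
    primary_db = dict(old)
    event = upgrade_primary(primary_db, new, (2, 0))
    stale, current = ReplicaDataCenter((1, 0), dict(old)), ReplicaDataCenter((2, 0), dict(new))
    return stale.on_change_event(event), current.on_change_event(event)
```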
