Abstract: The present invention relates to a system, method and computing apparatus to isolate a database in a database system. The disclosure enables a more efficient and more secure implementation of "database isolation" in a multi-tenant or multi-user database system storing service data belonging to different users. User identifiers are extracted from the default database, a user table is created according to the extracted user identifiers, and a service table is created in the main database with an owner user identifier column and an owner group identifier column inserted, so that a view can be created efficiently when a user requests access to service data which the user owns or is authorized to access. The created service table, with the owner user identifier column and owner group identifier column inserted, achieves database isolation at the database level, and the created view achieves database isolation at the application level. Fig. 8
SYSTEM, METHOD AND COMPUTING APPARATUS TO ISOLATE A
DATABASE IN A DATABASE SYSTEM
TECHNICAL FIELD
[0001] The present invention relates to isolation of a database in a database
system, and more particularly it relates to a system, a method and a computing
apparatus to isolate a database in a database system.
BACKGROUND
[0002] The advent of cloud-based computing architectures has opened new
possibilities for the rapid and scalable deployment of virtual Web stores, media
outlets, and other on-line sites or services. Generally speaking, cloud computing
involves delivery of computing as a service rather than a product, whereby shared
resources (software, storage resources, etc.) are provided to computing devices as
a service. The resources are shared over a network, which is typically the internet.
In a cloud computing system, there is a plurality of physical computing machines
generally known as nodes. These nodes are connected with each other, either via a
high speed local area network or via a high speed bus connection to form a cloud
computing infrastructure. The operator of the cloud computing infrastructure
provides services to many users such as user computing devices connected to the
cloud computing infrastructure via internet. A user or customer can request the
instantiation of a node or set of nodes from those resources from a central server
or management system to perform intended services or applications. Usually, each
service includes several processes running on different nodes and each node may
have multi-core processors for simultaneously running multiple processes.
[0003] The computing cloud infrastructure 10 provides a Virtualized Cloud
Platform (VCP) environment to run user binaries. Hardware resources like
processors, memory and database will be shared across different users. However,
one user should not be allowed to access the network resources of the other
users. In particular, one user should be allowed to only access service data of the
user but not allowed to access service data of any other user. As such, it requires
a database isolation mechanism that allows a user A access to only service
information belonging to the user A, and in the meantime hiding the information
of other users from the user A.
[0004] In this context, there is a need for solutions to isolate the data both at the
application level and the database level.
SUMMARY
[0005] The object of the present invention is to provide a system, method and
computing apparatus to isolate a database in a database system.
[0006] According to first aspect of the invention, there is provided a system to
isolate a database in a database system. The system comprises: a computing
apparatus, configured to perform the following upon receipt of input commands
from an operating user. Fetching, a user identifier and a set of user parameters of
each current user in the database system from a default user table; and fetching, a
group identifier of each current user from a group table in a main database.
Creating, a user table for storing all the fetched user identifiers, all the fetched
group identifiers and the user parameters of the current users; then, fetching, the
user identifier and the group identifier from the user table corresponding to a user
name input by the operating user upon login in to the system; thereafter, creating,
a plurality of service tables respectively from a plurality of predetermined tables
stored in an application database in the main database; inserting, into each of the
created service tables, a user column which stores owner user identifiers
corresponding to each of the stored user identifiers and a group column which
stores owner group identifier corresponding to each of the stored group
identifiers; determining, the operating user at run time and fetching at least one
row corresponding to the operating user from each of the created service tables
according to the owner user identifier and the owner group identifier of the
operating user; creating, a view for each of the created service tables based on the
fetched at least one row of the operating user and one of the input commands; and
finally, presenting to the operating user, the created views containing service data
originally stored in the tables of the application database.
[0007] In one embodiment of the invention, the default user table and the main
database are stored in the database system.
[0008] In another embodiment of the invention, the computing apparatus is
connected to at least one application node in a cloud computing infrastructure, and
the at least one application node reports service data to the computing apparatus.
[0009] In one aspect of the invention, the application database comprises the
predetermined tables containing service data reported by processes running on the
at least one application node in the cloud computing infrastructure.
[0010] In another aspect of the invention, the computing apparatus is further
configured to store, update and maintain the configuration information of all the
processes and services running on the at least one application node in the cloud
computing infrastructure.
[0011] In further embodiment of the invention, one of the input commands from
the operating user is a select query command.
[0012] In one embodiment of the invention, the set of user parameters comprise at
least user name, user login name and user password of the current users in the
database system.
[0013] In another embodiment of the invention, the computing apparatus is
further configured to maintain, in the default user table, information of all the
current users in the database system.
[0014] In another embodiment of the invention, the computing apparatus is
further configured to update the created service tables according to new service
data reported by the at least one application node.
[0015] According to one aspect of the invention, there is provided a method to
isolate a database in a database system. The method comprises: fetching, a user
identifier and a set of user parameters of each current user in the database system
from a default user table; fetching, a group identifier of each current user from a
group table in a main database; creating, a user table for storing all the fetched
user identifiers, all the fetched group identifiers and the set of user parameters of
the current users; receiving, a user name and a user password from an operating
user, when the operating user logs into the system; thereafter, fetching one of the
stored user identifiers and one of the stored group identifiers corresponding to the
user name input by the operating user; then creating, a plurality of service tables
respectively from a plurality of predetermined tables stored in an application
database in the main database; inserting, into each of the created service tables, a
user column which stores owner user identifiers corresponding to each of the
stored user identifiers and a group column which stores owner group identifier
corresponding to each of the stored group identifiers; determining, the operating
user at run time and fetching at least one row corresponding to the operating user
from each of the created service tables according to the owner user identifier and
the owner group identifier of the operating user; creating, a view for each of the
created service tables based on the fetched at least one row of the operating user
and one of input commands from the operating user and finally, presenting, to the
operating user, the created views containing service data originally stored in the
tables of the application database.
[0016] In another aspect of the invention, the default user table and the main
database are stored in the database system.
[0017] In further aspect of the invention, the database system is stored in a
computing apparatus.
[0018] In another embodiment of the invention, the method further comprises:
receiving service data reported by the at least one application node connected with
the computing apparatus.
[0019] In further embodiment of the invention, one of the input commands from
the operating user is a select query command.
[0020] In one aspect of the invention, the method further comprises: updating the
created service tables according to new service data reported by the at least one
application node.
[0021] According to further aspect of the invention, there is provided a computing
apparatus to isolate a database system. The computing apparatus comprises: a
management process module configured to perform the following. Fetching, a
user identifier and a set of user parameters of each current user in the database
system from a default user table; fetching a group identifier of each current user
from a group table in a main database; creating, a user table for storing all the
fetched user identifiers, all the fetched group identifiers and the related user
parameters of the current users; fetching one of the stored user identifiers and one
of the stored group identifiers corresponding to a user name input by an operating
user; creating, a plurality of service tables respectively from a plurality of
predetermined tables stored in an application database in the main database;
inserting, into each of the created service tables, a user column which stores
owner user identifiers corresponding to each of the stored user identifiers and a
group column which stores owner group identifier corresponding to each of the
stored group identifiers; determining, the operating user at run time and fetching
at least one row corresponding to the operating user from each of the created
service tables according to the owner user identifier and the owner group
identifier of the operating user; creating, a view for each of the created service
tables based on the fetched at least one row of the operating user and one of the
input commands; and finally, displaying, to the operating user, the created views
containing service data originally stored in the predetermined tables of the
application database.
[0022] In yet another embodiment of the invention, the computing apparatus
further comprises: a network interface, connected with at least one application
node, and configured for receiving service data from the at least one application
node.
[0023] In another aspect of the invention, the default user table and the main
database are stored in the database system, and the database system is stored in
the computing apparatus.
[0024] In yet another embodiment of the invention, the management process
module is configured to display the created view in the main database to the
operating user via an external displaying device.
BRIEF DESCRIPTION OF DRAWINGS
[0025] Other features, objects and advantages of the present invention will be
apparent by reading the following detailed description of non-limiting exemplary
embodiments with reference to appended drawings.
[0026] Figure 1 illustrates a conventional cloud computing system.
[0027] Figure 2 is a schematic diagram illustrating an exemplary logical structure
of the services and their respective processes running on multiple nodes in the
computing cloud infrastructure.
[0028] Figure 3 is a schematic diagram illustrating a system of computing cloud
infrastructure according to an exemplary embodiment.
[0029] Figure 4 is a schematic diagram illustrating functional elements of an
administration node according to an exemplary embodiment.
[0030] Figure 5 is a schematic diagram illustrating functional elements of an
application node according to an exemplary embodiment.
[0031] Figure 6 is a schematic diagram illustrating an exemplary hierarchical
structure of processes of services in the computing cloud infrastructure.
[0032] Figure 7 is a schematic diagram illustrating interaction of the functional
elements in the management process module of the administration node according
to an exemplary embodiment.
[0033] Figure 8 is a schematic diagram illustrating relationship between
functional elements in the process of isolating a database in a database system
according to an exemplary embodiment.
[0034] Figure 9 is a schematic diagram illustrating relationship between
functional elements in the management process module and exemplary function
call/script according to an exemplary embodiment.
[0035] Figure 10 is a schematic flowchart illustrating method of isolating database
in the database system according to an exemplary embodiment.
[0036] Figure 11 is a schematic diagram illustrating functional elements of a
computing apparatus to isolate database according to an exemplary embodiment.
DETAILED DESCRIPTIONS OF EXEMPLARY EMBODIMENTS
[0037] In order to address the problems or challenges of isolating a database in a
database system, the present invention proposes a method, a computing apparatus
and a system to isolate the database.
[0038] Figure 1 illustrates a conventional computing cloud system. In a
computing cloud system there are a plurality of physical computing machines N1,
N2, .., Nx logically connected to each other and referred to as nodes N1, N2, .., Nx in
the present disclosure. These nodes N1, N2, .., Nx are connected with each other
either via high speed local area network or via high speed bus connections to form
a cloud computing infrastructure 10. The operator of the cloud computing
infrastructure 10 provides services to many users such as user computing devices
U1, U2 connected to the cloud computing infrastructure 10 via internet 11.
Generally, each service may include a plurality of processes running in any of the
nodes N1, N2, .., Nx, and each node may have multi core processors for running
multiple processes simultaneously.
[0039] Figure 2 illustrates an exemplary logical structure of the services and their
respective processes running on multiple nodes in the cloud computing
infrastructure 10. In a cloud computing infrastructure there is provided a logical
node G1, which represents a group of services that is to be provided to a particular
user or a particular set of users. The said node G1 is comprised of multiple
clusters of services C1, C2, .., Cn. Further, under cluster C1 there are multiple
service objects S1, S2, S3 and similarly, under the cluster C2, there are multiple
service objects S4, S5. Further down the hierarchical structure there is provided a set
of processes P1, P2 and P3 under the service S1 to enable the basic computational
functions of the service S1. Similarly, processes P4 and P5 function for the
service S2; processes P6, P7, P8 under the service S3; processes P9, P10, P11
under the service S4; and processes P12, P13 under the service S5.
[0040] In practice, the cloud computing infrastructure 10 includes several groups
respectively including several clusters; under each cluster, there are several
services; and there are a large number of processes running simultaneously for
each service resulting in a complicated structure of the cloud computing
infrastructure 10. Referring to Figure 2, due to system scalability and load
balancing of the cloud computing infrastructure 10, its operator may determine to
distribute processes of each service across the nodes N1, N2, .., Nx. The example
shown in Figure 2 starts from the logical node G1, which may represent a group
of business functions that may be provided to a particular user or a particular set
of users. Here, for instance, the user may refer to the one using the user computing
device U1.
[0041] Under G1, there may be multiple clusters of services and the clusters being
represented by C1, C2. Under the cluster C1, there may be multiple service
objects further down the hierarchical structure such as services S1, S2, S3.
Similarly, under the cluster C2, there may be multiple service objects further
down the hierarchical structure such as services S4, S5.
[0042] Figure 3 illustrates a cloud computing infrastructure 30 according to the
present invention. The cloud computing infrastructure 30 includes at least one
administration node 4 and a plurality of application nodes (N1, ..., Nx). The
plurality of application nodes (N1, ..., Nx) and the administration node 4 are
connected with each other logically via local area network, via Internet or via high
speed bus links. In order to balance the load of the administration node, there can
be more than one administration node configured to be operative in the cloud
computing infrastructure 30.
[0043] Figure 4 illustrates the functional elements of the administration node 4
according to an exemplary embodiment of the present invention. Referring to
Figure 4, the administration node 4 includes a processor 41 and a memory unit 44.
Further, there is provided an operating system 42 running on the processor 41 in
the memory unit 44. A cloud platform administration layer 43 is also provided,
which runs on top of the operating system 42. The cloud platform administration
layer 43 includes a communication layer process (CLP) entity 432, which is
configured to enable communication of the administration node with other
application nodes (N1, ..., Nx) and other administration node 4 (if any) in the
cloud computing infrastructure 30. Further, the cloud platform administration
layer 43 is also configured to adapt at least a management process module 431 to
manage or monitor other application nodes (N1, ..., Nx) in the cloud computing
infrastructure 30. Additionally, the administration node 4 also includes a network
interface 45 communicatively connected to the CLP 432.
[0044] The management process module 431 is provided with a configuration
database for storing, updating and maintaining all configuration information of
each process in each service and configuration information of each service in the
cloud computing infrastructure 30. The said configuration database can be in form
of software instances or software entities respectively responsible for managing
clusters of processes, logging events, raising alarms, monitoring essential process
of each application node, storing and updating static configuration of each
application node in the cloud computing infrastructure 30. For example, the
management process module 431 may include an operation-administration-monitoring
process (OAMP) entity 71 (shown in Figure 7) responsible for storing,
updating and maintaining all configuration information of each process in each
service and configuration information of each service in the cloud computing
infrastructure 30. Also, the management process module 431 includes other
software entities respectively responsible for receiving input commands from
users regarding storing, managing and updating configurations of "Groups",
configurations of "Clusters" under each "Group", configurations of "Services"
under each "Cluster"; and finally configurations of "Processes" under each
"Service". The CLP entity 432 is configured to provide communication
functionalities for other processes in the administration node 4 to communicate
with application nodes (N1, .., Nx). For instance, the CLP entity 432 includes
routing tables related to application nodes (N1, .., Nx), forward domain name
resolution mapping tables of application nodes (N1, .., Nx), and networking
protocol stack software.
[0045] Figure 5 is a schematic diagram illustrating functional elements of the
application node N1 according to an exemplary embodiment of the present
invention. Referring to Figure 5, the application node N1 is configured to adapt a
processor N1-1, an operating system N1-2 running on the processor N1-1 in a
memory unit N1-7, and a cloud platform thin layer N1-3 running on top of the
operating system N1-2. Also, there is provided a user binary N1-4 or user
applications (N1-5, N1-6) running on top of the cloud platform thin layer N1-3. In
the present disclosure, the user binary or the user application running in an
application node is the process of a service in the cloud computing infrastructure
30. The other application nodes have similar functional elements as disclosed
above in respect of the application node N1.
[0046] Further, the cloud platform thin layer N1-3 includes a network monitoring
process (NMP) entity N1-31 responsible for monitoring and managing processes
and a communication layer process (CLP) entity N1-32 responsible for
communications with other application nodes and administration node in the
cloud computing infrastructure 30. The NMP entity N1-31 includes software
instances or software entities respectively responsible for managing and
monitoring processes running on top of the cloud platform thin layer N1-3. The
user binary N1-4 may be software provided by the third party software provider;
and the user application is software which can be configured in each application
node. Additionally, the application node N1 includes a network interface N1-8
communicatively connected to the CLP entity N1-32.
[0047] The CLP entity N1-32 is configured to provide communication
functionalities for other processes in the application node N1 to communicate
with administration node 4 and other application nodes (N1, .., Nx). For instance,
the CLP entity N1-32 may include routing tables related to the administration
node 4 and the application nodes (N1, .., Nx), forward domain name resolution
mapping tables associated to the administration node 4 and the application nodes
(N2, .., Nx), and networking protocol stack software. The management process
module 431 of the administration node 4 monitors the NMP entity N1-31 in each
application node present in the cloud computing infrastructure 30.
[0048] Figure 6 is a schematic diagram illustrating an exemplary hierarchical
structure of processes of services in a cloud computing infrastructure. For
instance, each cluster under Group 1 (with a group name of "CellOS") belongs to
a telecommunication service provider as a user in the cloud computing
infrastructure 30. For the simplicity of illustration, there are only two clusters
shown in Figure 6 such as "Cluster 1" (assigned with a cluster name of "CellOS")
and "Cluster2" (assigned with a cluster name of "Voda"). Also, the detailed
elements in the hierarchical structure of "Cluster 2" are not shown in Figure 6; but
the logical structure of "Cluster2" is similar to that of the "Cluster1".
[0049] Referring to Figure 6, under the "Cluster1" (assigned with the cluster name
of "CellOS"), there are currently three services such as "Service1", "Service2",
"Service3" which respectively have their service names of "SON", "BA" and
"Probe". Here "SON", "BA" and "Probe" represent different business services that
the user "CellOS" subscribes to. The second user such as "Voda" may subscribe to
different sets of services from those subscribed by the first user "CellOS".
[0050] At the instance shown in Figure 6, there are 3 processes currently
belonging to "Service 1" such as "Process1", "Process2", "Process3" which
respectively are named with "adm0001", "adm0002" and "adm0003" in the cloud
computing infrastructure 30. Similarly, there are 3 processes currently belonging
to "Service 2" such as "Process1", "Process2", "Process3" which respectively are
named with "adm0001", "adm0002" and "adm0003". Likewise, there are 4
processes belonging to "Service 3" such as "Process1", "Process2", "Process3"
and "Process4" which respectively are named with "adm0001", "adm0002",
"adm0003" and "adm0004".
[0051] It should be noted that not all process objects belonging to the same
service object are running in the same application node N1. For example,
"Process1", "Process2", "Process3" belonging to "Service2" may be running on
different application nodes (N1, .., Nx). In some cases, the process objects
belonging to the same service object may be running on different application
nodes (N1, .., Nx) at different geographic locations for load balancing. Also, all
process objects and even service objects are assigned with Internet addresses and
port numbers. Here, every process object is an instance of the service to which it
belongs.
[0052] According to a preferred embodiment of the invention, the "isolation
database" concept is implemented in the cloud computing infrastructure disclosed
above.
[0053] Figure 7 is a schematic diagram illustrating interaction of the functional
elements in the management process module of the administration node 4
according to an exemplary embodiment of the present invention. The functional
elements shown in Figure 7 are configured in the management process module
431 for implementing the "isolation database" concept in a cloud computing
infrastructure.
[0054] As mentioned previously, the management process module 431 includes
an operation-administration-monitoring process (OAMP) entity 71 responsible for
storing, updating and maintaining all configuration information of each process in
each service and configuration information of each service in the computing cloud
infrastructure 30. Also, the management process module 431 includes a database
such as a database 72. Further, the database 72 includes a default user table 73 and
a main database 74. The default user table 73 is configured to store information of
all current users of the main database 74. The database 72 in the management
process module 431 is a default database in the computing cloud infrastructure 30.
For example, in the database 72, there can be a few default databases which are
created at the time of installation of database 72, and are separated from the main
database 74.
[0055] In the database system of the main database 74, there are two ways used to
represent the same information stored in the said database 74. The first way is a
table and the second way is a view. A user_table 741 is created in the main database
74, which is different from the default user table 73 in the database 72. The
user_table 741 is a table configured to store the user information. A "user_table"
441 is a view to represent such user information in the user_table 741.
Additionally, the "user_table" view 441 and a "service_table" view 442 are output
to a computing device 75 accessed or directly operated by the user. Thereby, the
user will see the service data presented on the "service_table" view 442. Here, the
data of the views is transmitted through the Internet to be shown on
the computing device 75.
[0056] In the management process module 431, the installation process of the
administration node 4 may trigger the aforementioned scripts for creating the user
table, creating the service table, creating "user_table" view and then creating
"service_table" view. However, the scripts may also be executed separately from
the instant of installing the administration node 4 in the computing cloud
infrastructure 30.
[0057] Users other than the root user cannot directly access the default user table
73, and another user table such as the user_table 741 is created in the main
database 74 in the present invention. The user_table 741 will be configured to
store the user information of the current user in the cloud computing infrastructure
30. Each user is configured as a part of a specific group in the cloud computing
infrastructure 30. Here, "group table" 744 is another table created in the main
database 74, and the "group table" 744 is configured to store group information of
the current user. In the main database 74, there is an application database 743
configured to store information of processes running in the cloud computing
infrastructure 30. In the cloud computing infrastructure 30, both the default user
table 73 and the application database 743 are only accessible to the root user but
not to the other operating user. As such, in the present invention, a set of
predetermined tables in the application database 743 will be used to create the
service_table 742 inside the main database 74 for achieving database level
isolation.
[0058] In order to present information to users in the cloud computing
infrastructure 30, in the present invention, the "service_table" view will be created
from the service_table 742. Here, the service_table 742 includes multiple service
tables from respective predetermined tables in the application database 743. The
"service_table" view is configured to represent the data residing in the
service_table 742. Both the "service_table" view and the service_table 742 are
part of the main database 74. Similarly, the "user_table" view is generated from
the user_table 741 in order to provide user information to be inserted in the
service_table 742 for presenting the service data stored in the service_table 742 to
the operating users. By using the aforementioned database level isolation,
generating "service_table" view from the service table(s) and inserting user
information in the "service_table" through the "user_table" view created from the
user_table 741, the application level isolation may be achieved in the present
invention.
[0059] In the cloud computing infrastructure 30, the OAMP entity 71 is
configured to update service data reported by different processes running on the
application nodes N1-Nx and other nodes such as remote nodes connected to the
computing cloud infrastructure 30.
[0060] Figure 8 illustrates the relationship between functional elements in the
process of isolating a database in a database system according to an exemplary
embodiment of the present invention. Steps S81 to S85 are performed by the
processor 41 of the administration node 4 according to scripts stored in the
memory unit 44. As mentioned previously, the management process module 431
is communicatively connected to the memory unit 44.
[0061] Referring to Figure 8, in the step S81, the user_table 741 is created from
the default user table 73 of the database 72. For example, a function "CREATE
TABLE USER" may be used to generate the user_table 741 in the main database
74 based on the default user table 73. An exemplary script of the function
"CREATE TABLE USER" will be explained in accordance with Figure 9. The
user_table 741 contains at least "user_id" and other user parameters in the default
user table 73 and at least "group_id" from a group table 744. For example, the
parameters of "user_id" and "group_id" for all users stored in the default user table
73 and group table 744 will be stored in the user_table 741. Also, when the
user_table 741 is created automatically using "CREATE TABLE USER", the
process of creating the user_table 741 requires "user_id" and "group_id" as a
primary key and also other parameters such as "user_name", "login_name",
"user_password". Here, the "login_name" is the unique key.
[0062] In step S82, parameters of the current user are retrieved from the user_table
741. The parameters of the current user include "user_name", "login_name" and
"user_password". These retrieved parameters are used to insert an owner column
in the service_table 742 later on. For example, a function "CURRENTUSER"
may be used to return the parameters of the current user of the main database 74.
The same function "CURRENTUSER" is used in fetching data from the service
tables of the application database 743. The information of all current users such as
"user_id" and "group_id" originally are stored in the default user table 73 and
group table 744 and only accessible by the root user. By using the function
"CURRENTUSER" to fetch data from the user_table 741 created in the step S82,
the operating users other than the root user can access parameters belonging to
them. An exemplary script of the function "CURRENTUSER" will be explained
in accordance with Figure 9.
[0063] In step S83, the service_table 742 is created from the tables
stored in the application database 743. There are various predetermined tables
stored in the application database 743. The said service_table 742 is created from
these predetermined tables. For example, a function "CREATE TABLE
SERVICES" is used to create the required service_table 742 from the application
database 743. An exemplary script of the function "CREATE TABLE
SERVICES" will be explained in accordance with Figure 9.
[0064] In step S84, a user column and a group column are inserted into the created
service_table 742. The user column stores the owner user identifiers
corresponding to stored user identifiers and the group column stores the owner
group identifiers corresponding to stored group identifiers. For example, a script
of "CREATE TRIGGER" is used to insert an additional column called "owner"
into all created tables (in the service_table 742), and this "owner" column will be
the key for the user to perform "row mapping" in the service_table 742. An
exemplary script of the function "CREATE TRIGGER" will be explained in
accordance with Figure 9. Further, the operating user is determined and the row
corresponding to the determined operating user is fetched from the created
service_table 742.
[0065] In step S85, service data of the service_table 742 is presented to the
current user by generating a view 80. For example, a function "CREATE VIEW
SERVICE_TABLE" may be used to present the view 80 containing requested
service data stored in the service_table 742. An exemplary script of the function
"CREATE VIEW SERVICE_TABLE" will be explained in accordance with
Figure 9. The view created in step S85 is displayed to the operating user.
[0066] Figure 9 is a schematic diagram illustrating the relationship between the
functional elements in the management process module and exemplary function
call/script according to an exemplary embodiment. The following steps S91 to
S95 are explained in accordance with exemplary scripts.
[0067] In the operation of the default database such as the database 72, there is a
fixed number of columns in the default user table 73, and the default user table 73
should not be modified by any operating user other than the root user. Usually, the
root user is the administrator of the database 72. The default user table 73 can
only be accessed by the root user of the database 72. Users other than the root user
can only access data of the main database 74 through accessing the view 80 of all
tables of the main database 74 in the virtualized cloud computing infrastructure
30. The default user table 73 is configured to keep the information of the different
operating users of the computing cloud infrastructure 30.
[0068] In order to allow current users other than the root user to access the data in
the main database 74 indirectly, the user_table 741 is firstly generated based on
the default user table 73 and the group table 744 of the database 72. The current
users other than the root user are still blocked from directly accessing the default
database and modifying the default database. The users other than the root user
can only be allowed to access data of the main database 74 through accessing the
view 80 of tables of the main database 74. The schema for the user_table 741 is
similar to that shown in Table I. The function call of "CREATE TABLE USER"
will create a table named "user" based on the default user table 73. The creation
of the user_table 741 will use the following text fields shown in Table I. In this
example, the "user_id" is the primary key, and the other fields "user_name",
"login_name", "user_password" are for user authentication. The "login_name"
will be the unique key in the user_table 741.
[0069] In step S91, the processor 41 of the administration node 4 will execute the
function "CREATE TABLE USER" to create the user_table 741 from the default
user table 73 and group table 744 of the database 72. The function "CREATE
TABLE USER" requires "user_id" and "group_id" as primary key and also other
parameters such as "user_name", "login_name", "user_password". Here, the
"login_name" will be the unique key. It should be noted that the main database 74
creation and user creation scripts are separately executed. An exemplary schema
for the user_table 741 in the main database 74 is shown in Table I below.
Table I Exemplary Schema for "user_table" in "main database"
-- Created under the name "user", which the later scripts reference.
CREATE TABLE user (
  user_id int(5) NOT NULL,
  user_name varchar(50) CHARACTER SET armscii8 NOT NULL,
  login_name varchar(30) NOT NULL,
  user_password varchar(50) NOT NULL,
  PRIMARY KEY (user_id),
  -- login_name is the unique key
  UNIQUE KEY login_name (login_name)
);
[0070] The user_table 741 is configured to store all relevant user parameters local
to the application database 743 in the virtualized cloud computing infrastructure
30. The default user table 73 of the database 72 (i.e., the default database) is
configured to store the "user_name" and "user_password" of the current user in
the database 72. The user_table 741 is created from the default user table 73 by
using the "CREATE TABLE USER". The user_table 741 is a separate user table
maintained at a database level to keep the other information in the same database
and also access the same database at graphical user interface (GUI). For example,
a function shown in Table I is used to provide a user identifier and group
identifier (i.e., "user_id") of the current user of the main database 74. The fields in
this user_table 741 are: user_id (primary key), user_name, login_name and
user_password. Here, login_name is a unique key with reference to the user_id in
the user_table 741.
[0071] In the computing cloud infrastructure 30, each user is configured as a part
of a specific group. The group table 744 is another table in the main database 74
of the present disclosure. An exemplary schema for the group table 744 in the
main database 74 is shown in Table I below.
Table II Exemplary Schema for "group table" in "main database"
-- GROUP is a reserved word in MySQL, so the table name is quoted.
CREATE TABLE `group` (
  group_id smallint(5) NOT NULL,
  group_name varchar(30) NOT NULL,
  PRIMARY KEY (group_id)
) ENGINE=InnoDB;
[0072] The group table 744 is configured to store all relevant user group
parameters which are local to the application database in the virtualized cloud
computing infrastructure 30. The default user table 73 of the main database 74
keeps the "group_name" and "group_id" of the current user in the main database
74. The group table 744 is a separate user table maintained at database level to
keep the other information in the same database and also access the same database
at graphical user interface (GUI). For example, a function as shown below can be
used to provide the user group identifier (i.e., group_id) of the current user of the
main database 74. The fields in this "group" table are: group_id (primary key),
and group_name.
[0073] Then, in step S92, the processor 41 of the administration node 4 executes
the function "CURRENTUSER" to retrieve parameters of users from the
user_table 741. The parameters will be used for the creation of the service table
and "service_table view". An exemplary script for the function call of
"CURRENTUSER" is shown in Table III below.
Table III Exemplary Script of "CURRENTUSER"
DROP FUNCTION IF EXISTS CURRENTUSER;
DELIMITER $$
CREATE FUNCTION CURRENTUSER()
RETURNS INT READS SQL DATA
BEGIN
  DECLARE userId INT;
  -- user() returns 'name@host'; keep the part before '@' and map it to user_id
  SELECT user_id INTO userId FROM user
    WHERE (user_name = substring_index(user(), '@', 1));
  RETURN userId;
END$$
DELIMITER ;
[0074] The "user_id" is stored in the default user table 73, but the default user
table 73 is not visible to users other than the root user. The "user_id" of the
current user of the main database 74 is fetched from the user_table 741. In the
present invention, the "CURRENTUSER" script is executed by the processor 41
on the main database 74 to provide the "user_id" of the current user of database
72, where the current user of the main database 74 is the same as the database 72.
The "CURRENTUSER" function can also be used by views of all tables of the
main database 74 so as to show the information of the current user.
[0075] In step S93, the processor 41 of the administration node 4 executes the
function "CREATE TABLE SERVICES" to create service tables from all tables
of the application database 743 (i.e., the main database). In the virtualized cloud
computing infrastructure 30, a service_table 742 is a general information table
generated in the main database 74 based on the application database 743. The
service_table 742 also includes multiple tables and each table in the service_table
742 can have an additional column to keep the owner's "user_id" (or
"owner_user_id") of that row. In this example, the "owner_user_id" will be the
same as the "user_id" of the owner. An exemplary schema for the service_table
742 in the main database 74 is shown in Table IV below.
Table IV Exemplary Function of "CREATE TABLE SERVICES"
CREATE TABLE services (
  service_id mediumint(7) NOT NULL,
  service_name varchar(30) NOT NULL,
  service_description varchar(50) NOT NULL,
  -- same integer type as user.user_id, as an InnoDB foreign key requires
  owner_user_id int(5) DEFAULT NULL,
  PRIMARY KEY (service_id),
  KEY owner_group_id (owner_user_id),
  -- the foreign key is on owner_user_id, the owner column this table defines
  CONSTRAINT services_ibfk_1 FOREIGN KEY (owner_user_id)
    REFERENCES user (user_id)
);
[0076] The "CREATE TABLE SERVICES" query shown in Table IV is
configured to create the service tables or the service_table 742, which is
configured to store certain information about the services for different users. The
fields in this table are: service_id (primary key), service_name,
service_description and owner_user_id. Here, the "owner_user_id" is a foreign
key with reference to the "user_id" in the user_table 741.
[0077] In the present invention, all service data of all users stored in the main
database 74 is stored in one service_table 742, but the service_table 742 will
not be exposed directly to any current user other than the root user. In the present
invention, a view of the service table will be created for the users other than the
root user such that each user can only get the service data belonging to the
operating user. For example, a user "voda" can only view the service data through
the view 80 of the "service table" but cannot view the service data belonging to
another user "cellos".
[0078] In step S94, the processor 41 of the administration node 4 executes the
function "CREATE TRIGGER" to insert the user information (i.e., "user_id") in
the user column and group information (i.e., "group_id") in the group column of
all the service tables, while inserting a row in each table. It should be noted that
these "user_id" and "group_id" of the current user are acquired by using the
function "CURRENTUSER" fetched from the user_table 741.
[0079] In order to achieve isolation of service data in the service tables, an
exemplary "CREATE TRIGGER" script is shown below in Table IV. The
function call "CREATE TRIGGER" can be used to insert an "owner_user_id" in a
column in the service_table 742, while doing the insert operation from a view 80.
The view 80 can be used by the operating user to access the information stored in
service tables.
Table V Exemplary Function of "CREATE TRIGGER"
CREATE TRIGGER before_insert_services
BEFORE INSERT ON services
FOR EACH ROW
  -- stamp every new row with the user_id of the inserting user
  SET new.owner_user_id = CURRENTUSER();
[0080] After modification of the service tables by inserting the "user_id" of the
operating user in the column storing the "owner_user_id", the wrapper view 80
can be created for accessing the service data stored in the service tables for the
operating user. An exemplary "CREATE VIEW SERVICE TABLE" query is
shown below in Table IV for creating the wrapper view.
Table VI Exemplary Query of "CREATE VIEW SERVICE_TABLE"
-- The column list follows the order of the select list, so that each view
-- column carries the matching services column.
CREATE VIEW service_table (
  service_id,
  service_name,
  service_description
) AS
SELECT
  services.service_id AS service_id,
  services.service_name AS service_name,
  services.service_description AS service_description
FROM services
WHERE
  -- rows owned by the connected user, or every row for root
  (services.owner_user_id = (SELECT user.user_id FROM user
     WHERE (user.user_name = substring_index(user(), '@', 1)))
   OR substring_index(user(), '@', 1) = 'root');
[0081] In step S95, the processor 41 of the administration node 4 will execute the
function "CREATE VIEW SERVICE_TABLE" to create view 80 for the
service_table 742. When there are multiple service tables created in the step S93,
the views of all service tables will be created by executing the function "CREATE
VIEW SERVICE_TABLE". It should be noted that execution of the function
"CREATE VIEW SERVICE_TABLE" includes a condition provided in the
"where clause" so as to fetch rows of the operating user. As such, the operating
user will be identified at runtime using the function "CURRENTUSER"
mentioned above. The views for all service tables are an essential building block
in the present invention, since the view is the only visible database entity to the
operating users other than the root user.
[0082] The query of "CREATE VIEW SERVICE_TABLE" can create the view
80 for the service_table 742. Here, a view contains rows and columns of the
service tables, just like a real table. However, a view does not store the data as is
the case for a table. A view is rather a presentation wrapper/wrapper view
created over the service tables to depict the data in the desired form. Each field of
the view will be mapped to a field in the service table, and the selection criteria
are provided in the "where" clause shown in Table IV. Therefore, it only provides
the service data of the current user. In particular, the query of "CREATE VIEW
SERVICE_TABLE" can create a wrapper view to access the service information
stored in service_table 742, and only allow the operating user to access the
service information which has "owner_user_id" in the "service table"
corresponding to the operating user's "user_id". Here, when it is determined that
"owner_user_id" is the same as "user_id" of a currently logged-in user, the
currently logged-in user can see all service data of service tables due to the
service view(s) created by the query of "CREATE VIEW SERVICE_TABLE".
[0083] When a new user is added to the database, the root user of the main
database 74 may use the "insert" statement similar to "CREATE VIEW Service
view" shown in Table V below for inserting the new user in the user_table 741.
An exemplary script for inserting a new user into the main database 74 is shown
below in Table V.
Table VII Exemplary Statement for inserting user information
INSERT INTO user (user_id, user_name, login_name, user_password) VALUES
  (1, 'user1', 'user1', 'user1password');
INSERT INTO user (user_id, user_name, login_name, user_password) VALUES
  (2, 'user2', 'user2', 'user2password');
[0084] The statement shown in Table VI below simply grants "select", "insert",
"update" and "delete" operation privileges to the specified user.
Table VIII Exemplary Statement for Granting Privileges to Created Users other
than Root User
-- GRANT ... IDENTIFIED BY is pre-8.0 MySQL syntax; MySQL 8.0 requires the
-- account to be created with CREATE USER first.
GRANT EXECUTE ON FUNCTION CURRENTGROUP TO user1@localhost
  IDENTIFIED BY "user1password";
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE service_table TO
  user1@localhost IDENTIFIED BY "user1password";
GRANT EXECUTE ON FUNCTION CURRENTGROUP TO user1@localhost
  IDENTIFIED BY "user1password";
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE service_table TO
  user1@localhost IDENTIFIED BY "user1password";
[0085] For example, the exemplary statements can grant privileges to two
different database users, such as user1 and user2, with their respective passwords.
When the user logs in to the database using "user1" and enters certain information
(such as "user1password") in the "service_table" view and selects the information
from service_table 742, the information inserted by user1 will not be viewed by
the user2 when the user2 logs in to the same database. Similarly, the user1 will not
be allowed to view the information selected, inserted, updated or deleted by the
user2.
[0086] After the step S95, other optional steps may be performed. For example, a
user will be allowed to perform select, insert, update or delete operation(s) on
these views, but not on the tables of the main database, where the actual data
resides. Therefore, a view can act as a wrapper for the service_table 742, so that
the data can only be accessed using views. Furthermore, permission is granted to
the operating user group/the desired users by using the functional call as shown in
Table VI to the view 80 only. Therefore, the user can only access the view for all
the desired tables. User access to the application database 743 is still blocked. By
doing so, no user will be able to access the actual table by any means. The
aforementioned steps S91-S95 are automated via scripts and executed while
creating a database, but the "inserting user information" script may be repeated
using another automated script whenever a new user is created.
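The owner column, trigger and view mechanism of steps S91 to S95, modelled as an added example (not code from the patent): it runs on SQLite through Python's sqlite3 instead of MySQL, so `SESSION_NAME()` is an assumed stand-in for `substring_index(user(), '@', 1)`, INSTEAD OF triggers stand in for MySQL's updatable view and the Table V trigger, and the `IsolatedDb` helper, the "ghost" account and all sample rows are constructed. It also exercises an account that has no row in the user table, a case the text does not discuss.

```python
import sqlite3

# Constructed SQLite model of the page's MySQL objects (Tables I, IV, V, VI).
SCHEMA = """
CREATE TABLE user (
  user_id INTEGER PRIMARY KEY, user_name TEXT NOT NULL,
  login_name TEXT NOT NULL UNIQUE, user_password TEXT NOT NULL
);
CREATE TABLE services (
  service_id INTEGER PRIMARY KEY,
  service_name TEXT NOT NULL,
  service_description TEXT NOT NULL,
  owner_user_id INTEGER DEFAULT NULL REFERENCES user (user_id)
);
-- Wrapper view with the WHERE clause of Table VI.
CREATE VIEW service_table AS
  SELECT service_id, service_name, service_description FROM services
  WHERE owner_user_id = (SELECT user_id FROM user WHERE user_name = SESSION_NAME())
     OR SESSION_NAME() = 'root';
-- SQLite views are read-only, so INSTEAD OF triggers stand in for MySQL's
-- updatable view; the INSERT trigger also stamps the owner as Table V does.
CREATE TRIGGER service_table_ins INSTEAD OF INSERT ON service_table
BEGIN
  INSERT INTO services VALUES (
    NEW.service_id, NEW.service_name, NEW.service_description,
    (SELECT user_id FROM user WHERE user_name = SESSION_NAME()));
END;
CREATE TRIGGER service_table_upd INSTEAD OF UPDATE ON service_table
BEGIN
  UPDATE services SET service_name = NEW.service_name,
                      service_description = NEW.service_description
  WHERE service_id = OLD.service_id;
END;
CREATE TRIGGER service_table_del INSTEAD OF DELETE ON service_table
BEGIN
  DELETE FROM services WHERE service_id = OLD.service_id;
END;
"""

class IsolatedDb:
    # One database plus a switchable session identity (hypothetical helper).
    def __init__(self):
        self.session = "root"
        self.conn = sqlite3.connect(":memory:")
        # The schema is our own, so its view and triggers may call our function.
        self.conn.execute("PRAGMA trusted_schema = ON")
        # SESSION_NAME() plays the role of substring_index(user(), '@', 1).
        self.conn.create_function("SESSION_NAME", 0, lambda: self.session)
        self.conn.executescript(SCHEMA)

    def add_user(self, user_id, name):
        self.conn.execute("INSERT INTO user VALUES (?, ?, ?, ?)",
                          (user_id, name, name, name + "password"))

    def login(self, name):
        self.session = name
        return self

    def insert(self, service_id, name, description):
        self.conn.execute("INSERT INTO service_table VALUES (?, ?, ?)",
                          (service_id, name, description))

    def rename(self, service_id, new_name):
        self.conn.execute(
            "UPDATE service_table SET service_name = ? WHERE service_id = ?",
            (new_name, service_id))

    def delete(self, service_id):
        self.conn.execute("DELETE FROM service_table WHERE service_id = ?",
                          (service_id,))

    def visible(self):
        # Service names the current session sees through the view.
        return [row[0] for row in self.conn.execute(
            "SELECT service_name FROM service_table ORDER BY service_id")]

    def owners(self):
        # Base-table contents (service_id -> owner_user_id), read directly.
        return dict(self.conn.execute(
            "SELECT service_id, owner_user_id FROM services"))

def demo():
    db = IsolatedDb()
    db.add_user(1, "user1")
    db.add_user(2, "user2")
    db.login("user1").insert(10, "mail", "user1 mail service")
    db.login("user2").insert(20, "web", "user2 web service")
    # user2 aims at user1's row: it lies outside user2's view, so nothing changes.
    db.rename(10, "hijacked")
    db.delete(10)
    # An account with no row in `user` resolves to a NULL owner.
    db.login("ghost").insert(30, "orphan", "inserted by an unmapped account")
    return {
        "user1": db.login("user1").visible(),
        "user2": db.login("user2").visible(),
        "ghost": db.login("ghost").visible(),
        "root": db.login("root").visible(),
        "owners": db.owners(),
    }
```

Because `owner_user_id` is `DEFAULT NULL` as in Table IV, the unmapped account's insert succeeds in this model and leaves a row that only root can see; declaring the column `NOT NULL` turns that insert into an error.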
[0087] It should be noted that the trigger, function, and tables of the main
database 74 are created once at the time of database creation. Later on, while a
user performs an insert operation on a view 80, the inserted data will be
automatically inserted in the respective service tables. Meanwhile, when the
inserted data is inserted in the service_table 742, the function "CREATE
TRIGGER" will insert the "user_id" and "group_id" of the operating user in an
"owner_user_id" and "owner_group_id" field of the inserted row in the updated
service_table 742. The "user_id" will be previously returned by the
"CURRENTUSER" script.
[0088] Figure 10 is a schematic flowchart illustrating a method of isolating a
database in the computing cloud infrastructure according to an exemplary
embodiment. The method of "isolating database" in a database application of the
virtualized cloud computing infrastructure 30 includes the following steps
S101-S106.
[0089] In step S101, the management process module 431 is configured to fetch
"user_id" and user parameters of each current user from the default user table 73
and to fetch "group_id" of each current user from the group table 744 and then
store the "user_id" and "group_id" of each current user in the user_table 741 of
the main database 74.
[0090] In step S102, the management process module 431 is configured to create
service tables in the main database 74 from the predetermined tables stored in the
application database 743 respectively. It should be noted that all the service tables
may be stored in the memory allocation of the service_table 742.
[0091] In step S103, the management process module 431 is configured to acquire
the "user_id" and the "group_id" stored in the user_table 741 for each current
user, and then insert a user column and a group column in each table of the
service tables, where the user column is configured to store "owner_user_id"
corresponding to the "user_id" and the group column is configured to store
"owner_group_id" corresponding to "group_id" stored in the user_table 741.
[0092] In step S104, the management process module is configured to identify an
operating user at runtime, fetch rows of the operating user from the created
service tables by the operating user's "user_id" and "group_id", and then create a
view 80 of each table in the service tables for the current user by the current user's
"user_id" and "group_id". The management process module will identify the
current user at runtime by using the "CURRENTUSER" function and
then use the "CREATE VIEW SERVICE_TABLE" function to fetch rows of a
current user. For example, after a user logs in to the database system of the
virtualized cloud computing infrastructure 30, the OAMP entity 71 may use the
authentication parameters of "user_name", "login_name", "user_password" input
by the user to determine the primary key of "user_id" and "group_id" in the
user_table 741. Such determination of "user_id" and "group_id" uses the
aforementioned function "CURRENTUSER". Then, by fetching rows of the
current user in the service table through using the primary key "user_id" and
"group_id", the view 80 corresponding to the current user will be created and
presented to the operating user.
[0093] In step S105, the management process module 431 is configured to present
the created view (i.e., the view 80) in the main database (i.e., the application
database 743) to the operating user.
[0094] In step S106, the management process module 431 is configured to receive
a select, an insert, an update or a delete operation from the current user on the
created view, and then update the created view according to the received select,
insert, update or delete operation. Thus, the operating user will be able to perform
all select, insert, update and delete operations on these views, but not on the main
tables of the main database (i.e., tables in the application database), where the
actual data resides. When a current user performs an insert operation on a view,
the inserted data will be automatically inserted in the respective service table, and
the "user_id" and the "group_id" of the current user will be inserted automatically
in an "owner_user_id" and an "owner_group_id" field of the inserted row in the
updated service table.
[0095] Before the step S106, optionally, the management process module 431 will
be configured to grant each operating user authorization to perform select,
insert, update or delete operations on the created view respectively corresponding
to the user.
[0096] Both the database level isolation and the application level isolation can be
achieved by the aforementioned method of "database isolation". When the user
logs in using a username/password, the username will be mapped to the owner
column (or the column containing "owner_user_id" and "owner_user_id") and the
corresponding service data in the main database will be shown to the operating
user by presenting the view. The application level database isolation internally
uses the database isolation mechanism only.
[0097] According to an alternate embodiment of the invention, the "isolation
database" concept is implemented in a computer apparatus.
[0098] Accordingly, there is provided a system to isolate a database in a database
system stored in a computer system. The system comprises a computing
apparatus, configured to perform the following upon receipt of input commands
from an operating user: fetching a user identifier and a set of user parameters of
each current user in the database system from a default user table. Then, the
system is configured to fetch a group identifier of each current user from a group
table in a main database. Next, a user table is created for storing all the fetched
user identifiers, all the fetched group identifiers and the user parameters of the
current users. Further, the computing apparatus fetches the user identifier and the
group identifier from the user table corresponding to a user name input by the
operating user upon login in to the system. Then, a plurality of service tables are
created respectively from a plurality of predetermined tables stored in an
application database in the main database. Thereafter, a user column which stores
owner user identifiers corresponding to each of the stored user identifiers and a
group column which stores owner group identifier corresponding to each of the
stored group identifiers are inserted into each of the created service tables.
Further, the operating user is determined at run time and at least one row
corresponding to the operating user is fetched from each of the created service
tables according to the owner user identifier and the owner group identifier of the
operating user. A view for each of the created service tables is created based on
the fetched at least one row of the operating user and one of the input commands.
Finally, the created views containing service data originally stored in the tables of
the application database are displayed to the operating user.
[0099] Accordingly, there is also provided a method to isolate a database in a
database system stored in a computer system. The method comprises: fetching
a user identifier and a set of user parameters of each current user in the database
system from a default user table; fetching a group identifier of each current user
from a group table in a main database; creating a user table for storing all the
fetched user identifiers, all the fetched group identifiers and the set of user
parameters of the current users; receiving a user name and a user password from
an operating user, when the operating user logs into the system; fetching one of
the stored user identifiers and one of the stored group identifiers corresponding to
the user name input by the operating user; creating a plurality of service tables
respectively from a plurality of predetermined tables stored in an application
database in the main database; inserting, into each of the created service tables, a
user column which stores owner user identifiers corresponding to each of the
stored user identifiers and a group column which stores owner group identifier
corresponding to each of the stored group identifiers; determining the operating
user at run time and fetching at least one row corresponding to the operating user
from each of the created service tables according to the owner user identifier and
the owner group identifier of the operating user; creating a view for each of the
created service tables based on the fetched at least one row of the operating user
and one of input commands from the operating user; finally, presenting, to the
operating user, the created views containing service data originally stored in the
tables of the application database.
[0100] Accordingly, there is provided a computing apparatus to isolate a database
system stored in a computer system. The computing apparatus comprises: a
management process module configured to perform the following: a computing
apparatus, configured to perform the following upon receipt of input commands
from an operating user: fetching a user identifier and a set of user parameters of
each current user in the database system from a default user table. Then, the
system is configured to fetch a group identifier of each current user from a group
table in a main database. Next, a user table is created for storing all the fetched
user identifiers, all the fetched group identifiers and the user parameters of the
current users. Further, the computing apparatus fetches the user identifier and the
group identifier from the user table corresponding to a user name input by the
operating user upon login in to the system. Then, a plurality of service tables are
created respectively from a plurality of predetermined tables stored in an
application database in the main database. Thereafter, a user column which stores
owner user identifiers corresponding to each of the stored user identifiers and a
group column which stores owner group identifier corresponding to each of the
stored group identifiers are inserted into each of the created service tables.
Further, the operating user is determined at run time and at least one row
corresponding to the operating user is fetched from each of the created service
tables according to the owner user identifier and the owner group identifier of the
operating user. A view for each of the created service tables is created based on
the fetched at least one row of the operating user and one of the input commands.
Finally, the created views containing service data originally stored in the tables of
the application database are presented to the operating user.
[0101] Figure 11 is a schematic diagram illustrating functional elements of a
computing apparatus to isolate a database according to an exemplary embodiment.
Referring to Figure 11, a computing apparatus 110 is adapted to isolate a database
of multi-user/multi-tenant from other user/tenant in a database system. The
computing apparatus 110 may include a processor 111, an operating system 112
running on top of the processor 110, a management process module 113, a
database 114, an input interface 115 and an output interface 116. The database
114 and the management process module 113 may be running on top of the
operating system 112. The input interface 115 and the output interface 116 may be
connected to the management process module 113 via the processor 111 and the
operating system 112. In this embodiment, the management process module 113
may be configured to receive one or more input commands from an operating user
via the input interface 115, where the input interface 115 may be a touch panel, a
keyboard, a voice recognition system, and so forth. The management process
module 113 in the standalone computing apparatus 110 is connected to the
database 114 which stores data/service data of multiple current users. The
operating user may be given access to the data/service data that the operating user
is authorized to access through the computing apparatus 110.
[0102] Upon receipt of user credentials such as username and passwords and/or
other user-related parameters via the input interface 115, the computing apparatus
110 may perform the steps S101-S106 previously described in accordance with
Figure 10, except that the data/service data is not provided by any application
node and the standalone computing apparatus 110 is not part of any cloud
computing infrastructure or platform. Therefore, the operating user can be
presented with the created view via the output interface 116 such as a display
device.
[0103] The preceding exemplary embodiments of the present invention may be
implemented in software/instruction codes/application logic/instruction
set/computer program codes (executed by one or more processors), may be fully
implemented in hardware, or implemented in a combination of software and
hardware. For instance, the software (e.g., application logic, an instruction set) is
maintained on any one of various conventional computer-readable media. In the
present disclosure, a "computer-readable medium" may be any storage media or
means that can carry, store, communicate, propagate or transport the instructions
for use by or in connection with an instruction execution system, apparatus, or
device, such as a computing device shown in Figure 11, a computing cloud
infrastructure shown in Figure 3. A computer-readable medium may include a
computer-readable storage medium (e.g., a physical device) that may be any
media or means that can carry or store the instructions for use by or in connection
with a system, apparatus, or device, such as a computer or a communication
device. For instance, the memory unit may include the computer-readable medium
which may include computer program code which, when executed by the
processor unit, may cause the management process module and the CLP entity in
the administration node, the CLP entity and NMP entity in the application node to
perform procedures/steps illustrated in Figures 7-10.
[0104] By executing the methods of isolating database in computing cloud
infrastructure shown in preceding exemplary embodiments or in a computer
system, it will be more efficient and more secured in implementing "database
isolation" in a multi-tenant or multi-user database system storing service data
belonging to different users. All insertion and updating of configuration data or
service data on the view will be updated to the corresponding table, while the
original table in the default database and the application database will be
protected from unauthorized access.
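The isolation scheme summarised above, as an added sketch in Python with SQLite that is not part of the specification: a user table built from the default user table and group table, a service table carrying owner user and owner group columns, and a per-user view over it. Table and column names, the `reported_by` column used to assign ownership, the sample rows, and the rule that a user sees rows owned by themselves or by their group are all assumptions made for illustration.

```python
import sqlite3

def build_database():
    """Constructed sample data; all table and column names are illustrative."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        -- default user table (73) and group table (744)
        CREATE TABLE default_users (uid INTEGER PRIMARY KEY, login TEXT, password TEXT);
        CREATE TABLE group_table (uid INTEGER, gid INTEGER);
        INSERT INTO default_users VALUES (1,'alice','x'),(2,'bob','x'),(3,'carol','x');
        INSERT INTO group_table VALUES (1,10),(2,10),(3,20);
        -- user table (741): user identifiers joined with group identifiers
        CREATE TABLE user_table AS
            SELECT u.uid, g.gid, u.login
            FROM default_users u JOIN group_table g USING (uid);
        -- predetermined table in the application database (743);
        -- reported_by is an assumed way of knowing who owns a row
        CREATE TABLE app_services (name TEXT, status TEXT, reported_by TEXT);
        INSERT INTO app_services VALUES
            ('web-a','up','alice'),('db-b','down','bob'),('cache-c','up','carol');
        -- service table (742): service data plus owner user / owner group columns
        CREATE TABLE service_table AS
            SELECT s.name, s.status, u.uid AS owner_uid, u.gid AS owner_gid
            FROM app_services s JOIN user_table u ON u.login = s.reported_by;
    """)
    return db

def create_view(db, login):
    """Create the operating user's view (80) over the service table."""
    # The login name is untrusted input: look it up with a bound parameter.
    row = db.execute("SELECT uid, gid FROM user_table WHERE login = ?",
                     (login,)).fetchone()
    if row is None:
        raise PermissionError("unknown user")
    # SQLite does not allow bound parameters inside CREATE VIEW, so only
    # integers read back from user_table are interpolated, never the login.
    uid, gid = int(row[0]), int(row[1])
    view = f"service_view_{uid}"
    db.execute(f"DROP VIEW IF EXISTS {view}")
    db.execute(f"CREATE VIEW {view} AS SELECT name, status FROM service_table "
               f"WHERE owner_uid = {uid} OR owner_gid = {gid}")
    return view

def visible_services(db, login):
    """Return the service names the operating user can see through the view."""
    view = create_view(db, login)
    return [r[0] for r in db.execute(f"SELECT name FROM {view} ORDER BY name")]
```

SQLite has no privilege system, so the sketch shows only the row filter; on a server DBMS the operating user's role would be granted access to the view alone and denied access to the underlying service table, otherwise the view isolates nothing.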
[0105] Embodiments of the method of the present invention provide useful
solutions to efficiently and effectively isolating database in a computing cloud
infrastructure and also enable secured user access to services data in the
computing cloud infrastructure.
[0106] The aforementioned embodiments have been described by way of example
only and modifications are possible within the scope of the claims that follow.
WE CLAIM:
1. A system adapted to isolate a database in a database system, comprising:
a computing apparatus (110), configured to perform the following upon
receipt of input commands from an operating user:
fetching, a user identifier and a set of user parameters of each current user
in the database system (72) from a default user table (73);
fetching a group identifier of each current user from a group table (744) in
a main database (74);
creating, a user table for storing all the fetched user identifiers, all the
fetched group identifiers and the user parameters of the current users;
fetching, the user identifier and the group identifier from the user table
(741) corresponding to a user name input by the operating user upon login in to
the system;
creating, a plurality of service tables (742) respectively from a plurality of
predetermined tables stored in an application database (743) in the main database
(74);
inserting, into each of the created service tables (742), a user column
which stores owner user identifiers corresponding to each of the stored user
identifiers and a group column which stores owner group identifier corresponding
to each of the stored group identifiers;
determining, the operating user at run time and fetching at least one row
corresponding to the operating user from each of the created service tables (742)
according to the owner user identifier and the owner group identifier of the
operating user;
creating, a view (80) for each of the created service tables (742) based on
the fetched at least one row of the operating user and one of the input commands;
and
presenting to the operating user, the created views (80) containing service
data originally stored in the tables of the application database (743).
2. The system as claimed in claim 1, wherein the default user table (73) and the
main database (74) are stored in the database system (72).
3. The system as claimed in claim 1, wherein the computing apparatus (110) is
connected to at least one application node (N1-Nx) in a cloud computing
infrastructure (30), and the at least one application node (N1-Nx) reports service
data to the computing apparatus (110).
4. The system as claimed in claim 3, wherein the application database (743)
comprises the predetermined tables containing service data reported by
processes running on the at least one application node (N1-Nx) in the cloud
computing infrastructure (30).
5. The system as claimed in claim 3, wherein the computing apparatus (110) is
further configured to store, update and maintain the configuration information
of all the processes and services running on the at least one application node
(N1-Nx) in the cloud computing infrastructure (30).
6. The system as claimed in claim 1, wherein said one of the input commands
from the operating user is a select query command.
7. The system as claimed in claim 1, wherein the set of user parameters comprise
at least user name, user login name and user password of the current users in
the database system (72).
8. The system as claimed in claim 3, wherein the computing apparatus (110) is
further configured to maintain, in the default user table (73), information of all
the current users in the database system (72).
9. The system as claimed in claim 3, wherein the computing apparatus (110) is
further configured to update the created service tables (742) according to new
service data reported by the at least one application node (N1-Nx).
10. A method adapted to isolate a database in a database system (72),
comprising:
fetching, a user identifier and a set of user parameters of each current user
in the database system (72) from a default user table (73);
fetching a group identifier of each current user from a group table (744) in
a main database (74);
creating, a user table (741) for storing all the fetched user identifiers, all
the fetched group identifiers and the set of user parameters of the current users;
receiving, a user name and a user password from an operating user, when
the operating user logs into the system; fetching one of the stored user identifiers
and one of the stored group identifiers corresponding to the user name input by
the operating user;
creating, a plurality of service tables (742) respectively from a plurality of
predetermined tables stored in an application database (743) in the main database
(74);
inserting, into each of the created service tables (742), a user column
which stores owner user identifiers corresponding to each of the stored user
identifiers and a group column which stores owner group identifier corresponding
to each of the stored group identifiers;
determining, the operating user at run time and fetching at least one row
corresponding to the operating user from each of the created service tables (742)
according to the owner user identifier and the owner group identifier of the
operating user;
creating, a view (80) for each of the created service tables (742) based on
the fetched at least one row of the operating user and one of input commands from
the operating user; and
presenting, to the operating user, the created views (80) containing service
data originally stored in the tables of the application database (743).
11. The method as claimed in claim 10, wherein the default user table (73) and the
main database (74) are stored in the database system (74).
12. The method as claimed in claim 11, wherein the database system (74) is stored
in a computing apparatus (110).
13. The method as claimed in claim 12, further comprising:
receiving the service data reported by at least one application node (N1-Nx)
connected with the computing apparatus (110).
14. The method as claimed in claim 11, wherein said one of the input commands
from the operating user is a select query command.
15. The method as claimed in claim 12, further comprising:
updating the created service tables (742) according to new service data
reported by the at least one application node (N1-Nx).
16. A computing apparatus (110) adapted to isolate a database system (72),
comprising:
a management process module (431, 113) configured to perform the
following:
fetching, a user identifier and a set of user parameters of each current user
in the database system (72) from a default user table (73); fetching a group
identifier of each current user from a group table (744) in a main database (74);
creating, a user table (741) for storing all the fetched user identifiers, all the
fetched group identifiers and the related user parameters of the current users;
fetching one of the stored user identifiers and one of the stored group
identifiers corresponding to a user name input by an operating user;
creating, a plurality of service tables (742) respectively from a plurality of
predetermined tables stored in an application database (743) in the main database
(74); inserting, into each of the created service tables (742), a user column which
stores owner user identifiers corresponding to each of the stored user identifiers
and a group column which stores owner group identifier corresponding to each of
the stored group identifiers;
determining, the operating user at run time and fetching at least one row
corresponding to the operating user from each of the created service tables (742)
according to the owner user identifier and the owner group identifier of the
operating user;
creating, a view for each of the created service tables (742) based on the
fetched at least one row of the operating user and one of the input commands; and
presenting to the operating user, the created views (80) containing service
data originally stored in the predetermined tables of the application database
(743).
17. The computing apparatus as claimed in claim 16, further comprising:
a network interface (45), connected with at least one application node (N1-Nx),
and configured for receiving service data from the at least one application
node (N1-Nx).
18. The computing apparatus (110) as claimed in claim 16, wherein the default
user table (73) and the main database (74) are stored in the database system
(72), and the database system (72) is stored in the computing apparatus (110).
19. The computing apparatus as claimed in claim 16, wherein the management
process module (431) is configured to display the created view (80) in the
main database (74) to the operating user via an external displaying device.
| # | Name | Date |
|---|---|---|
| 1 | 451-DEL-2015-FER.pdf | 2020-07-13 |
| 1 | FORM 5.pdf ONLINE | 2015-02-18 |
| 2 | FORM 3.pdf ONLINE | 2015-02-18 |
| 2 | Form 18 [23-06-2017(online)].pdf | 2017-06-23 |
| 3 | FORM 2 + SPECIFICATION.pdf ONLINE | 2015-02-18 |
| 3 | 451-del-2015-Correspondence Others-(20-03-2015).pdf | 2015-03-20 |
| 4 | 451-del-2015-Others-(20-03-2015).pdf | 2015-03-20 |
| 4 | DRAWING.pdf ONLINE | 2015-02-18 |
| 5 | DRAWING.pdf | 2015-03-13 |
| 5 | 451-del-2015-GPA-(05-03-2015).pdf | 2015-03-05 |
| 6 | FORM 2 + SPECIFICATION.pdf | 2015-03-13 |
| 6 | 451-del-2015-Correspondance Others-(05-03-2015).pdf | 2015-03-05 |
| 7 | FORM 5.pdf | 2015-03-13 |
| 7 | FORM 3.pdf | 2015-03-13 |
| 8 | FORM 5.pdf | 2015-03-13 |
| 8 | FORM 3.pdf | 2015-03-13 |
| 9 | FORM 2 + SPECIFICATION.pdf | 2015-03-13 |
| 9 | 451-del-2015-Correspondance Others-(05-03-2015).pdf | 2015-03-05 |
| 10 | 451-del-2015-GPA-(05-03-2015).pdf | 2015-03-05 |
| 10 | DRAWING.pdf | 2015-03-13 |
| 11 | 451-del-2015-Others-(20-03-2015).pdf | 2015-03-20 |
| 11 | DRAWING.pdf ONLINE | 2015-02-18 |
| 12 | FORM 2 + SPECIFICATION.pdf ONLINE | 2015-02-18 |
| 12 | 451-del-2015-Correspondence Others-(20-03-2015).pdf | 2015-03-20 |
| 13 | FORM 3.pdf ONLINE | 2015-02-18 |
| 13 | Form 18 [23-06-2017(online)].pdf | 2017-06-23 |
| 14 | FORM 5.pdf ONLINE | 2015-02-18 |
| 14 | 451-DEL-2015-FER.pdf | 2020-07-13 |
| 1 | searchstrategyE_13-07-2020.pdf |