x

【SaaS架构】在单个控制平面上跨多个SaaS产品管理租户

Chinese, Simplified
SEO Title
AWS Manage tenants across multiple SaaS products on a single control plane

Environment: PoC or pilot

Technologies: SaaS

AWS services: Amazon API Gateway; Amazon Cognito; AWS Lambda; AWS Step Functions; Amazon DynamoDB

总结

此模式显示了如何在AWS云中的单个控制平面上跨多个软件即服务(SaaS)产品管理租户生命周期。所提供的参考架构可以帮助组织减少其单个SaaS产品中冗余共享功能的实现,并提供大规模的治理效率。

大型企业可以在不同的业务部门中拥有多个SaaS产品。这些产品通常需要提供给不同订阅级别的外部租户使用。如果没有通用的租户解决方案,IT管理员必须花时间管理跨多个SaaS API的无差别功能,而不是专注于核心产品功能开发。

此模式中提供的公共租户解决方案可以帮助集中管理组织的许多共享SaaS产品功能,包括以下功能:

  • 安全
  • 租户资源调配
  • 租户数据存储
  • 租户通信
  • 产品管理
  • 指标记录和监控

先决条件和限制

先决条件

  • 活跃的AWS帐户
  • 了解Amazon Cognito或第三方身份提供商(IdP)
  • 亚马逊API网关知识
  • AWS Lambda知识
  • 了解Amazon DynamoDB
  • AWS身份和访问管理(IAM)知识
  • AWS步骤功能知识
  • 了解AWS CloudTrail和Amazon CloudWatch
  • Python库和代码知识
  • 了解SaaS API,包括不同类型的用户(组织、租户、管理员和应用程序用户)、订阅模型和租户隔离模型
  • 了解组织的多产品SaaS需求和多租户订阅

局限性

  • 这种模式不包括公共租户解决方案和单个SaaS产品之间的集成。
  • 此模式仅在单个AWS区域部署Amazon Cognito服务。

架构

目标技术堆栈

  • Amazon API网关
  • 亚马逊Cognito
  • AWS CloudTrail
  • 亚马逊CloudWatch

  • Amazon DynamoDB

  • IAM

  • AWS Lambda
  • 亚马逊简单存储服务(Amazon S3)
  • 亚马逊简单通知服务(Amazon SNS)

  • AWS Step functions

目标架构

下图显示了一个示例工作流,用于在AWS云中的单个控制平面上管理多个SaaS产品的租户生命周期。

该图显示了以下工作流:

  1. AWS用户通过调用API网关端点来启动租户配置、产品配置或与管理相关的操作。
  2. 用户通过从Amazon Cognito用户池或其他IdP检索的访问令牌进行身份验证。
  3. 单个供应或管理任务由与API网关API端点集成的Lambda函数运行。
  4. 公共租户解决方案(针对租户、产品和用户)的管理API收集所有必需的输入参数、标头和令牌。然后,管理API调用相关的Lambda函数。
  5. IAM服务验证管理API和Lambda功能的IAM权限。
  6. Lambda函数从DynamoDB和AmazonS3中的目录(针对租户、产品和用户)存储和检索数据。
  7. 验证权限后,将调用AWS步骤功能工作流以执行特定任务。图中的示例显示了租户配置工作流。
  8. 单个AWS步骤功能工作流任务在预定工作流(状态机)中运行。
  9. 运行与每个工作流任务相关的Lambda函数所需的任何基本数据都可以从DynamoDB或AmazonS3中检索。其他AWS资源可能需要使用AWS CloudFormation模板进行配置。
  10. 如果需要,工作流会向特定SaaS产品的AWS帐户发送请求,请求为该产品提供额外的AWS资源。
  11. 当请求成功或失败时,工作流将状态更新作为消息发布到Amazon SNS主题。
  12. Amazon SNS订阅了Step Functions工作流的Amazon SNS主题。
  13. 然后,Amazon SNS将工作流状态更新发送回AWS用户。
  14. 每个AWS服务的操作日志,包括API调用的审计跟踪,都会发送到CloudWatch。可以在CloudWatch中为每个用例配置特定的规则和警报。
  15. 日志存档在AmazonS3存储桶中,用于审计目的。

自动化和规模

此模式使用CloudFormation模板帮助自动部署公共租户解决方案。该模板还可以帮助您快速向上或向下销售相关资源。

有关更多信息,请参阅《AWS CloudFormation用户指南》中的“使用AWS CloudFormations模板”。

 

工具

  • Amazon API网关可帮助您创建、发布、维护、监控和保护任何规模的REST、HTTP和WebSocket API。
  • Amazon Cognito为web和移动应用程序提供身份验证、授权和用户管理。
  • AWS CloudTrail帮助您审计AWS账户的治理、合规性和运营风险。
  • Amazon CloudWatch可帮助您实时监控AWS资源和在AWS上运行的应用程序的指标。
  • AmazonDynamoDB是一个完全管理的NoSQL数据库服务,提供快速、可预测和可扩展的性能。
  • AWS身份和访问管理(IAM)通过控制谁经过身份验证和授权使用AWS资源,帮助您安全地管理对AWS资源的访问。
  • AWS Lambda是一种计算服务,它可以帮助您运行代码,而无需配置或管理服务器。它只在需要时运行您的代码,并自动缩放,因此您只需支付所使用的计算时间。
  • 亚马逊简单存储服务(Amazon S3)是一种基于云的对象存储服务,可帮助您存储、保护和检索任意数量的数据。
  • 亚马逊简单通知服务(Amazon SNS)帮助您协调和管理发布者和客户之间的消息交换,包括web服务器和电子邮件地址。
  • AWS Step Functions是一种无服务器编排服务,可帮助您将AWS Lambda功能和其他AWS服务结合起来,以构建业务关键型应用程序。

最佳实践

此模式中的解决方案使用单个控制平面来管理多个租户的入职,并提供对多个SaaS产品的访问。控制平面帮助管理用户管理其他四个特定于功能的平面:

  • Security plane

  • Workflow plane

  • Communication plane

  • Logging and monitoring plane

Epics

Configure the security plane

Task Description Skills required

Establish the requirements for your multi-tenant SaaS platform.

Establish detailed requirements for the following:

  • Tenants

  • Users

  • Roles

  • SaaS products

  • Subscriptions

  • Profile exchanges

 Cloud architect, AWS systems administrator

Set up the Amazon Cognito service.

Follow the instructions in Getting started with Amazon Cognito in the Amazon Cognito Developer Guide.

 Cloud architect

Configure the required IAM policies.

Create the required IAM policies for your use case. Then, map the policies to IAM roles in Amazon Cognito.

For more information, see Managing access using policies and Role-based access control in the Amazon Cognito Developer Guide.

 Cloud administrator, Cloud architect, AWS IAM security

Configure the required API permissions.

Set up API Gateway access permissions by using IAM roles and policies, and Lambda authorizers.

For instructions, see the following sections of the Amazon API Gateway Developer Guide:

 Cloud administrator, Cloud architect

Configure the data plane

Task Description Skills required

Create the required data catalogs.

  1. Create DynamoDB tables to store data for the user catalogs. Make sure that you include user attributes and roles. Also, make sure that you perform data modeling on the catalog tables to maintain the required and optional attributes for each user and role.

  2. Create DynamoDB tables to store data for the product catalogs. Make sure that you model the specific use cases for your SaaS products.

  3. Create DynamoDB tables to store data for the tenant catalogs. Make sure that you set up subscription models for tenants, products and licensing for multi-SaaS subscriptions, and tags.

For more information, see Setting up DynamoDB in the Amazon DynamoDB Developer Guide.

 DBA

Configure the control plane

Task Description Skills required

Create Lambda functions and API Gateway APIs to run required control plane tasks.

Create separate Lambda functions and API Gateway APIs to add, delete, and manage the following:

  • Users

  • Tenants

  • Products

For more information, see Using AWS Lambda with Amazon API Gateway in the AWS Lambda Developer Guide.

 App developer

Configure the workflow plane

Task Description Skills required

Identify the tasks that AWS Step Functions workflows must run.

Identify and document the detailed AWS Step Functions workflow requirements for the following:

  • Users

  • Tenants

  • Products

Important: Make sure that key stakeholders approve the requirements.

 App owner

Create the required AWS Step Functions workflows.

  1. Create the required workflows for users, tenants, and products in AWS Step Functions. For more information, see the AWS Step Functions Developer Guide.

  2. Identify the retry and error handling mechanisms. For more information, see Handling errors, retries, and adding alerting to Step Function State Machines on the AWS Blog.

  3. Implement the workflow steps by using Lambda functions. For instructions, see Creating a Step Functions state machine that uses Lambda in the AWS Step Functions Developer Guide.

  4. Integrate any external services with AWS Step Functions as needed.

  5. Maintain each workflow’s status in a DynamoDB table and communicate each workflow’s status by using Amazon SNS.

 App developer, Build lead

Configure the communication plane

Task Description Skills required

Create Amazon SNS topics.

Create Amazon SNS topics to receive notifications about the following:

  • Workflow statuses

  • Errors

  • Retries

For more information, see Creating an SNS topic in the Amazon SNS Developer Guide.

 App owner, Cloud architect

Subscribe endpoints to each Amazon SNS topic.

To receive messages published to an Amazon SNS topic, you must subscribe an endpoint to each topic.

For more information, see Subscribing to an Amazon SNS topic in the Amazon SNS Developer Guide.

 App developer, Cloud architect

Configure the logging and monitoring plane

Task Description Skills required

Activate logging for each component of the common tenant solution.

Activate logging at the component level for each resource in the common tenant solution that you created.

For instructions, see the following:

Note: You can consolidate logs for each resource into a centralized logging account by using IAM policies. For more information, see Centralized logging and multiple-account security guardrails.

 App developer, AWS systems administrator, Cloud administrator

Provision and deploy the common tenant solution

Task Description Skills required

Create CloudFormation templates.

Automate the deployment and maintenance of the full common tenant solution and all its components by using CloudFormation templates.

For more information, see the AWS CloudFormation User Guide.

 App developer, DevOps engineer, CloudFormation developer

 

原文地址
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/manage-tenants-across-multiple-saas-products-on-a-single-control-plane.html
本文地址
https://architect.pub

Tags

Article

微信

知识星球

微信公众号

视频号