In This Post
I. Three Isolation Layers
Data isolation: directory records, sessions, and audit logs must be partitioned per tenant, with no overlap in query or backup paths.
Control-plane isolation: policy updates, admin actions, and integration settings must be bound to a tenant context to prevent accidental cross-tenant operations.
Execution isolation: authentication and token-issuance paths must enforce tenant boundary checks so that a token cannot be reused across tenants.
II. Critical Controls
1) Mandatory Tenant Context Injection
All write operations must carry an explicit tenant context that is validated server-side, never trusted from client input.
2) Deny Cross-Tenant Queries by Default
Any cross-tenant read should be treated as an exceptional operation that requires approval and leaves audit evidence.
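The three controls above (tenant-bound tokens, server-enforced tenant context on writes, and deny-by-default cross-tenant reads with an audited exception path) fit together in a small example. This is an added illustration, not code from the original post; the names TenantContext, CrossTenantApproval and DirectoryStore, the HMAC token format and the constructed signing key are all assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Constructed demo key; a real deployment loads it from a KMS/HSM, never from source.
SIGNING_KEY = b"constructed-demo-signing-key"


def issue_token(tenant_id, subject, ttl=300, now=None):
    """Issue an HMAC-signed token whose payload carries the tenant id ('tid')."""
    now = time.time() if now is None else now
    payload = {"tid": tenant_id, "sub": subject, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Check signature and expiry; return the claims. Raises PermissionError otherwise."""
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("invalid token signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < (time.time() if now is None else now):
        raise PermissionError("token expired")
    return claims


@dataclass(frozen=True)
class TenantContext:
    tenant_id: str
    subject: str


def context_from_request(token, route_tenant, now=None):
    """Derive the tenant context from the verified token only, and reject a request
    whose route/URL tenant differs from the token's tenant claim (execution-layer check)."""
    claims = verify_token(token, now)
    if claims["tid"] != route_tenant:
        raise PermissionError("token is bound to a different tenant")
    return TenantContext(claims["tid"], claims["sub"])


@dataclass(frozen=True)
class CrossTenantApproval:
    approver: str
    target_tenant: str
    ticket: str
    expires_at: float


@dataclass
class DirectoryStore:
    rows: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def write(self, ctx, record):
        # The server stamps tenant_id from the verified context; a client-supplied
        # tenant_id in the record body is discarded, not trusted.
        stored = {**record, "tenant_id": ctx.tenant_id}
        self.rows.append(stored)
        self.audit.append(("write", ctx.subject, ctx.tenant_id))
        return stored

    def query(self, ctx, target_tenant=None, approval=None, now=None):
        """Reads are scoped to the caller's tenant. A different target tenant is denied
        unless an unexpired approval for exactly that tenant is presented, and either
        outcome is written to the audit trail."""
        target = ctx.tenant_id if target_tenant is None else target_tenant
        if target != ctx.tenant_id:
            now = time.time() if now is None else now
            approved = (approval is not None
                        and approval.target_tenant == target
                        and approval.expires_at > now)
            if not approved:
                self.audit.append(("cross_tenant_denied", ctx.subject, target))
                raise PermissionError("cross-tenant read denied by default")
            self.audit.append(("cross_tenant_read", ctx.subject, target, approval.ticket))
        return [r for r in self.rows if r["tenant_id"] == target]


if __name__ == "__main__":
    store = DirectoryStore()
    token = issue_token("acme", "alice", now=1000.0)
    ctx = context_from_request(token, "acme", now=1001.0)
    store.write(ctx, {"user": "bob", "tenant_id": "globex"})  # tenant_id is overridden
    print(store.query(ctx))
    print(store.audit)
```

The point to notice is where the tenant id comes from: it is never read from the request body or a query parameter, only from the verified token claim, and the route tenant is compared against it so that a token minted for one tenant is useless against another tenant's endpoints.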
III. Ops and Incident Requirements
Multi-tenant isolation also depends on operational process: on-call permissions must be minimized, production support access must be granted temporarily, and troubleshooting logs must be sanitized. Otherwise architectural isolation is undermined by operational shortcuts.
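Two of the operational requirements above, time-bounded support grants and sanitized troubleshooting logs, are shown below as an added example that is not part of the original post. SupportGrant, authorize_support_access, sanitize_log_line and the sample log lines are constructed for the demo; the redaction patterns cover only the field shapes in that sample and would need extending for a real log format.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SupportGrant:
    """A temporary, ticket-backed grant for one engineer to one tenant."""
    engineer: str
    tenant_id: str
    ticket: str
    granted_at: float
    ttl_seconds: int

    def is_active(self, now):
        return self.granted_at <= now < self.granted_at + self.ttl_seconds


def authorize_support_access(grant, engineer, tenant_id, now):
    """Deny unless an unexpired grant exists for exactly this engineer and tenant.
    Standing access is never assumed; the default answer is False."""
    return (grant is not None
            and grant.engineer == engineer
            and grant.tenant_id == tenant_id
            and grant.is_active(now))


# Redaction patterns (constructed for this demo's log shape).
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
BEARER = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._-]+")
SESSION = re.compile(r"(session_id=)[A-Za-z0-9]+")


def sanitize_log_line(line):
    """Mask identities and credentials so a troubleshooting log can be shared
    with on-call staff without exposing tenant user data or live tokens."""
    line = EMAIL.sub("<email>", line)
    line = BEARER.sub(r"\1<redacted>", line)
    line = SESSION.sub(r"\1<redacted>", line)
    return line


# Constructed sample log line, not captured from any real system.
SAMPLE_LOG = ("user=alice@acme.example session_id=9f3a2b "
              "Authorization: Bearer eyJhbGciOi.abc123 tenant=acme op=reset_password")


if __name__ == "__main__":
    grant = SupportGrant("eng1", "acme", "INC-0042", granted_at=1000.0, ttl_seconds=3600)
    print(authorize_support_access(grant, "eng1", "acme", now=1500.0))  # within window
    print(authorize_support_access(grant, "eng1", "acme", now=5000.0))  # expired
    print(sanitize_log_line(SAMPLE_LOG))
```

Keeping the tenant id in the log line is deliberate: an operator still needs to know which tenant a failure belongs to, while the user identity, session and bearer token are what must not leak into a shared troubleshooting channel.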
IV. When to Use Stronger Isolation
For finance, government, and critical-infrastructure customers, it is usually necessary to move beyond logical isolation to a stronger model, such as dedicated cryptographic boundaries, an independent runtime plane, or private deployment. The isolation level should match the risk level.