Step 2: Multi-domain system to provide data encapsulation
Let’s complete the details of step 1 by taking the domain tree into consideration.
Domains exist in a tree structure of arbitrary depth. Each domain has a parent domain, and only one domain has no parent: the master domain. The master domain is the root for all other domains. It has a special composition of entity types that differs from other domains. The master domain is used to ensure the functioning of the domain tree and a number of centralized system management functions.
Any domain may contain child domains. Their composition is managed by the administrator of the current domain. When creating a child domain, the administrator allocates part of his domain's licenses to it; in this way quantitative licenses are distributed from the master domain to the whole tree. The master domain itself gets them from the license file. Domain names contain only lowercase Latin letters, numbers, dashes, underscores, and dots as delimiters. For example, domain.r2 can contain child domains a1.domain.r2, 123.domain.r2, etc. In this case, the administrator of the master domain, if there is a corresponding license option, can set arbitrary names for child domains. Child domains of the master domain belong to the category of first-level domains.
Case: a first-level domain administrator creates a child second-level domain and gives the administrator of the child domain a login and password in it.
According to step 1, administrator A creates a child domain B. A database is created for it in DomainDB. So what credentials should administrator B provide?
For administrator B to be able to do anything in domain B, domain B must authorize him, and therefore must contain his account. Administrator A cannot access domain B, because he is the administrator of domain A and not the administrator of the newly created domain B.
Two independent approaches solve this problem; choose either one:
- Domain databases are not created from scratch but are copied from the template domain database (TDB) together with its contents. It is enough to create an admin - admin account in the SDDB, as is customary on hardware, and the created domain will contain an account with this default login and password. This account can be used to change its password, or a new account can be created and this account deleted.
- Administrator A performs a CRUD request to create an account in the child domain. This is done using the /api/crud/v1/domainuser/create method. In this way, Administrator A can set an arbitrary login and password for Administrator B’s account. Administrator A can also perform other CRUD requests for user accounts in child domains.
Now WS can independently handle requests from administrators of both domains: each administrator manages only the entities of his own domain (excluding the domainuser case). If each of them, for example, creates another child domain, the domain tree schema and service sequence will be as follows (see fig.).
DC owns information about all domains and their entities and provides access to it to internal system services. This is the primary purpose of this role.
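The naming rule and the administrator scope rule described above can be modelled together. This is an added example, not code from the system the page describes. The class and function names, the placeholder master name "master", the non-user entity type used in the test, and the reading that only direct children are reachable for domainuser requests are assumptions.

```python
import re

# Allowed label characters per the page: lowercase Latin letters, digits,
# dashes, underscores. Dots only separate labels.
_LABEL = re.compile(r"[a-z0-9_-]+")

def is_valid_name(name):
    """Every dot-delimited label must be non-empty and use the allowed charset."""
    return all(_LABEL.fullmatch(label) for label in name.split("."))

def is_direct_child(child, parent):
    """True when child is parent with exactly one label prepended."""
    suffix = "." + parent
    return child.endswith(suffix) and bool(_LABEL.fullmatch(child[:-len(suffix)]))

class DomainTree:
    def __init__(self, master, arbitrary_names_licensed=False):
        self.master = master
        self.arbitrary_names_licensed = arbitrary_names_licensed
        self.parent = {master: None}  # domain name -> parent domain name

    def create_child(self, parent, child):
        if parent not in self.parent:
            raise ValueError("unknown parent domain")
        if child in self.parent or not is_valid_name(child):
            raise ValueError("duplicate or malformed domain name")
        # Only the master administrator, with the license option, may pick
        # arbitrary names. Assumption: every other case needs the suffix form.
        free_naming = parent == self.master and self.arbitrary_names_licensed
        if not free_naming and not is_direct_child(child, parent):
            raise ValueError("child name must be <label>." + parent)
        self.parent[child] = parent

    def may_manage(self, admin_domain, target_domain, entity_type):
        """Own domain: any entity. Direct child domain: user accounts only."""
        if admin_domain not in self.parent or target_domain not in self.parent:
            return False
        if admin_domain == target_domain:
            return True
        return entity_type == "domainuser" and self.parent[target_domain] == admin_domain

# Constructed sample tree; "master" is a placeholder name for the master domain.
tree = DomainTree("master", arbitrary_names_licensed=True)
tree.create_child("master", "domain.r2")
tree.create_child("domain.r2", "a1.domain.r2")
```

The check in `may_manage` is deny-by-default: a request that names an unknown domain, a parent, or a grandchild is refused rather than falling through to the own-domain rule.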
- What is the root of the domain tree?
- Which domain can contain child domains?
- What are the options for creating a user account in a child domain?
- How can you create a domain google.com?
- Next step: Step 3. Multi-server system
- Previous step: Step 1. To get anything working at all