New to Cuba / Issue with Multitenancy

I’m new to Cuba and am excited to use it on a project. A short description of the project:

• multitenant chiropractic office application suite
• I’m currently building it all from scratch, but I want access to RAD tools you provide such as BPM and others in order to fulfill feature requests faster (very small team)

I installed everything, have it running, and seems to be working.

The documentation is a little sparse though… so when I ran into an issue with multitenancy, I couldn’t figure it out on my own.

Every tenant get’s the default role, which works. However, I can’t modify that default role in order to allow various screens and other permissions… Am I doing something wrong? I have users/admins in that group but none of them can see anything. Do I have to make a role for each tenant? What if it’s the same one? I’d rather not duplicate all that? Whereas I’d like to simply set the default tenant role to be that of a tenant user, i.e., see the application menu, etc.

Sorry if this is a dumb question, but the documentation really is quite limited.

Hi James,

Every tenant is treated as a completely separated organization, tenants should not see each other’s data. Role entity in CUBA supports multitenancy, therefore, I’d recommend creating roles for every tenant from scratch.

Duplication is not an issue here, you always can create a SQL script to simplify role creation as well as for batch update if needed.

Funny thing, today we published an article in the blog about multitenancy that shows some alternatives.

May I ask you, why did you decide to use multi-tenant architecture?

We chose multi-tenant because it’s cheaper than single tenant… and then we need to segregate the data based on the tenant. I do like that tenant’s cannot see eachother data, that is expected. I was just hoping I could control the permissions of the default-tenant role. I.e., so that anyone in that role could access their tenant’s specific data and see their screens. If I have to make custom roles for each, then it just makes the process of creating new tenant’s more difficult, and we expect to make many tenant’s.

Can you point me in the right direction for simplifying the creation of new roles/permissions for a new tenant? Perhaps extend a class of sorts and add it as the default for everything?

I should also say that I’m not 100% up to speed on best practices for managing multiple single tenant instances. I.e., a new client signs up and we spin up a new server instance just for them? Managing code updates across all instances, etc. Any info on that would also be greatly appreciated as it pertains to Cuba.

I see in the multitenant demo the author creates a few system level classes ExtFilterEntity, ExtRole, ExtUserRole. Is this necessary?

Actually, I am running the multitenancy demo and it’s default-tenant-role is editable, but in my new applicaiton it’s not? I’m clearly missing something here?

Hi,

Just give me some time, I’ll prepare a small PoC and explanation for you.

Hi James,

Actually, I am running the multitenancy demo and it’s default-tenant-role is editable, but in my new applicaiton it’s not? I’m clearly missing something here?

Most probably this is not you who missing something, but us who didn’t update the MT demo application to the latest version of CUBA :).

Let me make it clear - in CUBA 7.2 we have introduced slightly different way to define your security configuration. The default-tenant-role is a predefined role as well as the tenant-admin-role. These two roles are implemented to make sure that all system attributes and screens are accessible by the end-users. So, you don’t need to change these, but mix them up with user roles defined by yourself. In other words, just make sure that your MT users have some of these roles in their list of assigned roles.

Let me know if this is what you need and feel free to ping in case of any other questions.

P.S. I’ve just created a ticket to provide better documentation for the security part.

Regards,
Aleksey

Hi James,

Please find the PoC attached. It is a slightly modified demo application, I’ve updated it to the latest version of CUBA. I had to dig a bit deeper into the code than I expected, sorry for the delay with the answer.

You don’t need extended system-level classes ExtFilterEntity, ExtRole, ExtUserRole anymore because it is all defined in CUBA core.

In the application, you can find a shared User role then can be assigned to users that belong to any tenant. This role is editable and this is one of the ways to give the same privilege set to users in all tenants.

I also gave full-system-access role to tenant admins, so they can edit shared data and their tenant-specific data.

In this application, there are two users:walmart_user and costco_user that don’t have any privileges, but they share the same User role, so you can play with it and see how it works.

As Aleksey mentioned, now we can define some system-level roles at the code level, therefore you cannot edit them. But feel free to create your own roles (tenant-specific or shared) and assign them to tenant users.

Hope it will help! Happy to assist if you have any more questions.

singledb-multitenancy.zip (315.3 KB)

@belyaev

Hi Andrey,
I stumbled upon this topic because I encounter a similar issue.

I checked the example and I’m afraid to say you are cheating good sir! At least for what I’m trying to achieve.

I want to to create a role at global admin level that then tenant admins can assign to users in their tenant.

In the example, the User role is actually created by the walmart_admin role (entity inspector, see screenshot). this means it does not show up in the role browser when the costco_admin logs in because of the tenant_id. This means the role must have been assigned by the global admin user and not a tenant admin.

In this case the user_role relation is created through migration scripts, that explains how the relation were created and the tenant_ids are “cheated in”.

image1671×245 18.1 KB

After digging a bit and reading the docs again, i found the reason for not seeing the admin defined role in any of the tenant admin users, from the docs:

Every time a tenant user reads tenant-specific data, the system adds where condition on TENANT_ID to JPQL query in order to read the data of the current tenant only. Data with no TENANT_ID or with different TENANT_ID will be omitted.

Any suggestions on how to create predefined roles and share them with tenant admins? I don’t expect tenant to understand security details regarding the implementation.

predefined roles
Predefined roles are shared with tenants. I had a rather animated discussion regarding predefined role definitions here → Design time roles - wildcards and packages - #14 от пользователя tom.monnier - CUBA.Platform.

In the backend I implemented my solution as shown in that topic for permissions on the entities.But I don’t have metadata information in the back-end about possible screens and menustructure. Thats why I created a dedicated screen just to determine all the screens and menu items based on the entity permissions and assign them to a db stored role. If I would have access to the metadata in the backend, it would have been a predefined role in the first place.

@AlexBudarov replied in that topic regarding possible future enhancements, but that is not implemented today

Hi,
I think that this can be implemented as an optional assistance in the role editing UI. It would simplify setting up role permissions in runtime role editor and in Studio’s role designer.

Sorry for the long post, but it I try to be as precise as possible.

Hi Tom,

Well, it looks like there might be a flaw in defining tenant-agnostic run-time roles, but design-time ones do the job as you noticed. Regarding the Screen/Menu metadata inaccessibility - it was done on purpose in order to separate CUBA application blocks.

As you probably understand, that we haven’t had the case with runtime screen permission assignment in mind. Our model was that a design-time role should be changed in IDE as soon as the new screen is created and applied after redeploy.

So In order to achieve your goal, you have the following options:

1. Customize our design-time roles further
2. Override roles definition screen to include the tenant field into roles or set TenantProvider.NO_TENANT` default value to the role.
3. Override the bean HasTenantAdditionalCriteriaProvider and change the predicate string

You can choose any of these, but I’d personally start with 2

Hi @belyaev
thank you for the suggestions.

option 2 is perfect for me. In fact my roles are created through migration scripts so this should work fine.

I didnn’t find this in the documentation before. There is something mentioned about it in the appendix but even when knowing this it is still not very clear.

I think it could be added to the section on Common and Tenant-Specific Data.

So far so good, however it doesn,t work for me. I debugged deep in the catacombs of cuba and eclipselink and think I found a bug. I created a new ticket for this Bug in multitenancy queries ? tenant_id = "no_tenant" is applied incorrectly - CUBA.Platform

This ticket is for business entities, but I reproduced it for the role entity.

Hi Tom,

Thanks for the detailed response. We’ll have a look at the bug and get back to you.

Meanwhile don’t hesitate creating a pull request if you able to fix the issue by yourself earlier than we do it.

In your example, walmart_user can’t see Stores in browse screen. rows count (3) is displayed but there’s no data in the table. I am facing same issue with my local project (version: 7.2.13). Create screen opens but is empty.

I even removed User role, created and added a separate walmart-user-role, but of no use. As per this one and my own project, no matter what the permissions (menu, other screens for edit, entity) are, tenant user faces these issues. Only adding full-system-access works but obviously that’s undesired. I am really stuck.

I don’t know the walmart example, but can you check the tenant ids for the records?

If you have a project setup that i can just checkout with git I’m willing to have a look

Here is the test git project: GitHub - smunir/cuba-testers

if you login using tenant alpha/alpha, you would see that there’s no data in Store browser and alpha can’t see any fields in Create screen.

Hey Tom, could you manage to check the project?

I just don’t get it guys. Please think of tenants as completely separate databases. If we’d use another multi-tenant approach like “DB-per-tenant” it would have been easier to explain.

@smunir I’ve opened your application and created two tenants. You haven’t added your data and setup, so I can only guess which roles the user ‘alpha’ has. My setup is in the pictures below. Both store admins can create and edit only their stores. Could you elaborate a bit more on your requirements, please?

image1093×569 37.8 KB

image1235×569 57.6 KB

image1421×750 77.8 KB

image1421×750 80.7 KB

image1421×750 64.4 KB

image1421×750 64.7 KB

just for the sake of clarifying since this thread is quite old and has been reused for different issues.

I never had an issue with multitenancy in general. Users can see the data IN their tenant. The issue I reported some time ago is about seeing data with the “no_tenant” tenant_id and that really is a bug.

I just proposed to check @smunir problem since I was watching this thread. But we would indeed need more information (with other words the data) to help there.

@smunir you state:

alpha can’t see any fields in Create screen.

visibility of fields is only related to security and is in no way related to multitenancy. Multitenancy works at row level. In fact, visibillity is not even related to db tables. So I expect you to run into a security issue that would be there without using the multitenancy plugin.

Thanks @belyaev and @tom.monnier for elaborative response. My bad data wasn’t included in the project, I thought embedded data is saved in project file.

You are right, this was security issue. This suggestion compelled me to look into security config and it solved the issue.

So I expect you to run into a security issue that would be there without using the multitenancy plugin.

I needed to allow Store attributes to alpha-role. My assumption was that allowing entity was enough. Being new to the platform, I hadn’t created another role and creating+using tenant role, I correlated security issues with multi tenant plugin. Thanks once again.