User in tenant A see data from tenant B

I have tenant_id in most of my entities.
I have 2 different users in 2 different tenants, they both can read all the data from CustomerEntity.
The customers are splitted into the 2 different entities.

public class CustomerEntity extends StandardEntity implements HasTenant{
     @Column(name = "TENANT_ID")
     protected String tenantId;

public class ExtUser extends User implements HasTenant {

    @Column(name = "TENANT_ID")
    protected String tenantId;

As far as I remember. I dont need to explicitly mention the tenant constraints in the data source.



tenant restrictions will be applied automatically

This is exactly my problem. it is not. All users see all tenants data.

Why do you need the ExtUser class here? The MultiTenancy addon already has class for it. From the addon GitHub:

Please note that Group, User, UserSessionEntity standard CUBA entities already extended in the component to have tenant id.

It is TenantUser. So remove your ExtUser and this should resolve your problem.

I dont have TenantUser in my project. cant import it
Update I have updated to version 1.2.0 now I have it. I how it is compatible with my platform

Sorry, I didn’t understand you last message. Please explain in more details what is the problem.

I have updated the tenant version to: com.haulmont.addon.sdbmt:sdbmt-global:1.2.0
And now I use TenantUSer, when saving a new User I get the exception bellow, The problem is that the platform was not creating the field TENANT_ID in tables SEC_USER and SEC_GROUP .
Isn’t that part of the plugin? or I need to create the fields myself. I mean to create an sql script for adding the fields

javax.persistence.PersistenceException: Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.6.2.cuba24): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column 'TENANT_ID' in 'field list'
Error Code: 1054
	bind => [608859871b61424794c7dff348347f93, true, false, 2019-02-25 16:24:42.181, test_admin, null, null, null, null, null, null, null, admin, admin, null, Administrator, c53642a2e868f919ce66cbbc6b8a9dc4c8ba7702, null, null, null, null, 2019-02-25 16:24:42.181, null, 1, 64c896ef199bbdc8a37593aaf887aede, cubasdbmt$TenantUser]

Did you run the “Update database” task in studio after you included the addon? Update scripts are inside the addon. You need to apply them.

Sure I did run update database (and create database). All up-to-date, no changes. (Im using Mysql BTW).
Please lets try to sort this one out before the end of the day… I have to work during the night and now the project is totally down.


It seems that the addon doesn’t contain update scripts. Studio should handle such cases, but for this addon there is a bug in a Studio as well: Studio doesn’t generate a full set of database scripts. For now, you can add one database script manually.
After you include the addon, click the Generate DB scripts button. Studio will generate scripts for the CUBASDBMT_TENANT entity, but will not generate scripts for updating SEC_USER and SEC_GROUP.

In the “Database scripts” window click the New update script button and create a script with the following content:

-- begin SEC_GROUP
alter table SEC_GROUP add column TENANT_ID varchar(255) ^
alter table SEC_GROUP add column DTYPE varchar(100) ^
update SEC_GROUP set DTYPE = 'cubasdbmt$TenantGroup' where DTYPE is null ^
-- end SEC_GROUP
-- begin SEC_USER
alter table SEC_USER add column TENANT_ID varchar(255) ^
alter table SEC_USER add column DTYPE varchar(100) ^
update SEC_USER set DTYPE = 'cubasdbmt$TenantUser' where DTYPE is null ^
-- end SEC_USER

Click the Update database button.

After down all of what you suggested.
Removing ExtUser and switching to TenantUser, Still, a user in tenant A can see tenant B.
Just to see that we are on the same page, when I create data source, Im not adding where clause on teanant because im assuming this is what exactly the plugin does. it is intercepting all queries and add where clouse on entitles that implements HasTenant.

So I assume that a data source like the following should have teant restriction:


What else can be done in order to get tenant constraints working. Im not talking only about users, all entities implementing HasTenant.

Add another database script that creates required default security role: (1.4 KB)
I’ve created an issue to support all databases out of the box.
Also, I’ve found another issue: if users are changed using the substitution mechanism, permissions are not compiled. You need to explicitly logout and login.

@gorbunkov I have run your script manually and made sure that all applied correctly.
Still, user from Tenant A see data from tenant B.

And you login as user A not using the substitution mechanism, but using the regular login window?
If so then please provide a small demo project which reproduces an issue and give us a sequence of steps how to reproduce it.

After 6 months that the plugin is not working, I think its time for me to read the source code and understand where is the places the app triggers the “extra” where clause and understand the mechanism, maybe this way ill understand what is going on…
I have spent weeks just on this plugin in order to make it work. I can’t wait anymore.
Can you please point me to the place in the source where the “where TENANT_ID=?” comes to action?