Spring-boot-auth0-discriminator-multitenancy icon indicating copy to clipboard operation
Spring-boot-auth0-discriminator-multitenancy copied to clipboard

Published 20 hours ago verified publisher icon M-Devloo

Implement Admin access to have a overview of all entities while maintaining default closed multi tenancy on all operations

Open M-Devloo opened this issue 4 years ago • 4 comments

Update the Multi tenancy implementation to support JWT scopes like scope:admin. This scope would make it possible to override the multi tenancy part and disable the Hibernate filter as well the interceptor for that particular user with the admin role. This allows the admin to access all the entities and make it possibly to update accordingly.

Use case:

Implement Admin access

Requisites

Admin needs to have scope:admin assigned to him through the JWT token which can be set in Auth0 (easiest for demo) or through an RBAC before it is even possible to disable the hibernate filter & hibernate interceptor for that particular user. When an admin updates the entity, the TenantInterceptor assigns the current user as the tenantId which means that the admin would receive access to the entity. This should not occur when the tenantId != the admin tenantId.

What has to be done

Adjust the TenantServiceAspect to check for the admin scope and disable the filter if the scope is provided. Adjust TenantInterceptor to check if the entity is owned by the admin, if not keep the original tenantId.

When there is no tenantId available (new entity), use the TenantAssistance.resolveCurrentTenantIdentifier() as tenantId. Write tests accordingly to the changes and to verify that the default closed methodology still stands

Thanks to @ivarprudnikov for point it out to improve the issue :-)

M-Devloo avatar Sep 29 '20 12:09 M-Devloo

It seems that the issue needs to be clarified to make it a bit more obvious. Current implementation uses a Hibernate filter and adds Auth0 user id to entities before saving, the same filter checks if the currently logged in user is the owner of the entity before returning results from queries. The problem is that there are no checks against JWT scopes which are being used to express the permissions/roles the user has.

In my case I usually have Spring Security annotations on controller/service methods to authorize the user, ie:

@PreAuthorize("isAuthenticated()")
...
@PreAuthorize("hasAuthority('SCOPE_admin')")
...

Looks like TenantServiceAspect.java needs to somehow check the security context to deduce if the filter applies or not.

Got here through Hacktoberfest website.

ivarprudnikov avatar Sep 30 '20 09:09 ivarprudnikov

Hi @ivarprudnikov, thanks for your input! I will document the feature improvement more in detail. It is indeed a good idea to only verify the scope in the TenantServiceAspect which will automatically enable / disable the hibernate filter.

M-Devloo avatar Sep 30 '20 11:09 M-Devloo

Hi @M-Devloo, How can the administrator manage all tenant data without modifying the tenant ID of the tenant data. Currently, all modified data will reset the tenant ID.

xkzhangsan avatar Jun 01 '22 06:06 xkzhangsan

An optional solution that displays all tenant data when querying, and automatically replaces the tenant ID with the target tenant ID when modifying.

xkzhangsan avatar Jun 01 '22 08:06 xkzhangsan