spring-cloud-dataflow
Multi tenant integration
Problem description: In our case we need to get a specific reduced view (per tenant) of all displayed items like Applications / Streams / Tasks / Schedules / Audit Records / etc. because we want to use the Spring Cloud Data Flow Server in a central position and not all users should have access (view/edit) to all "Items".
Scenario description:
Imagine there are two users of two departments
- User A of department A
- User B of department B
If user A logs in he/she should only see Applications / Tasks / etc. of department A. If user B logs in he/she should only see Applications / Tasks / etc. of department B.
Also the API should only let you execute tasks that belong to the corresponding department of that user.
Solution description:
Note: I didn't look into the database structure / scope implementation in depth yet, so I am sorry if any of the following ideas might not be suitable.
One way I could imagine to implement this could be to use OAuth2 scopes that can identify which department a user belongs to. For example, if user A has the scope "ou:depa" and user B has the scope "ou:depb", this could be used to reduce the view correspondingly. These scopes would also be used to check the rights when a task is executed.
It would also be nice to have the possibility to define a super scope that can see all items.
In the database I would suggest creating a table that holds a mapping of a unique id (of a task, for example) to a scope. The UI could filter the views depending on whether there is a mapping to a scope present in that table.
When multi tenant is active, the tenant could be displayed when you click on the user right next to the settings wheel where you configure the "Theme" and "Results". The scope could be displayed right at the top of the "Log out" button as "Tenant: ou:depa".
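An added sketch of the scope-mapping design proposed in this issue (example code, not part of the issue or of Spring Cloud Data Flow), written in Python so it runs stand-alone; the super-scope name `ou:all` and the deny-by-default rule for items that have no row in the mapping table are assumptions, and the same check is used for the list view and for task execution so that the API cannot be used to launch what the UI hides:

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Assumed name for the "super scope" the post asks for; SCDF defines no such scope.
SUPER_SCOPE = "ou:all"
TENANT_PREFIX = "ou:"


@dataclass(frozen=True)
class Item:
    kind: str      # "task", "stream", "application", ...
    item_id: str   # the unique id the mapping table is keyed on
    name: str


class TenantRegistry:
    """The mapping table from the post: unique item id -> owning tenant scope."""

    def __init__(self) -> None:
        self._owner: Dict[str, str] = {}

    def assign(self, item_id: str, scope: str) -> None:
        if not scope.startswith(TENANT_PREFIX):
            raise ValueError(f"not a tenant scope: {scope}")
        self._owner[item_id] = scope

    def owner_of(self, item_id: str) -> Optional[str]:
        return self._owner.get(item_id)


def tenant_scopes(scope_claim: str) -> FrozenSet[str]:
    """Pick the tenant scopes out of a space-separated OAuth2 'scope' claim."""
    return frozenset(s for s in scope_claim.split() if s.startswith(TENANT_PREFIX))


def can_access(item_id: str, user_scopes: FrozenSet[str], registry: TenantRegistry) -> bool:
    """Single decision point for both viewing and executing.

    Deny by default (assumption): an item with no row in the mapping table is
    hidden from everyone except the super scope, so a forgotten mapping never
    leaks another department's item.
    """
    if SUPER_SCOPE in user_scopes:
        return True
    owner = registry.owner_of(item_id)
    return owner is not None and owner in user_scopes


def visible_items(items: Iterable[Item], user_scopes: FrozenSet[str], registry: TenantRegistry) -> List[Item]:
    """Server-side filter for the list views (Applications / Tasks / ...)."""
    return [i for i in items if can_access(i.item_id, user_scopes, registry)]


def launch_task(item_id: str, user_scopes: FrozenSet[str], registry: TenantRegistry) -> str:
    """The execution path re-checks the mapping instead of trusting the filtered view."""
    if not can_access(item_id, user_scopes, registry):
        raise PermissionError(f"{item_id} is not owned by any of {sorted(user_scopes)}")
    return f"launched {item_id}"
```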
Hi, @klopfdreh. Any reason why the existing OAuth-driven RBAC policies help drive the isolation that you're looking for? I have seen folks relying on LDAP groups (separated by teams or view vs. CUD-only, etc.), and have had that group mapping with the SCDF roles.
Perhaps this might be all you need.
Of course, if you see any optimizations or feature enhancements to the RBAC policies, we can collaborate to bring it to the desired shape.
cc: @ilayaperumalg @jvalkeal
This should not be a technical restriction of access to endpoints or Kubernetes resources; if a user is logged in, he/she should only see a subset of entries in all views depending on the OAuth roles he/she belongs to. Can you explain how this could be solved with RBAC? Maybe I don't get how to do so with it.
We don't have any plans to create fine grained visibility/actionability of streams/tasks based on departments or other such entities. I would recommend deploying multiple instances of scdf, one for each department. I can understand the need, but I do not feel the team has the bandwidth now to implement such a feature. I will leave it in the general backlog however should such a time come.
Hey @markpollack - Yes that is what we ended with. We created a Helm chart to deploy multiple instances.
Thanks for keeping it in backlog. 👍