Posted to user@shiro.apache.org by Bellan Saravanan <sa...@hotmail.com> on 2011/12/29 11:16:12 UTC

multi tenant authorization

We are working on a multi tenant application and are considering Shiro and I need some advice. Let me explain a bit about the application.

The major entities in the application are,

- Customer/Tenant
- Product
- Deal
   + source tenant
   + target tenant

These are the following roles in the application,

- Administrator
- User

The above roles are 'Customer' specific in that they only apply to the Objects owned by the 'Customer'.

There is also a role 'Super Admin' who can manage data for any customer.

1.
To limit each customer's users to their own data, I'm thinking I would need to create multiple 'Administrator' roles like 'Administrator_Cust_A', 'Administrator_Cust_B' so that I can assign permission strings like the following to those roles,

<customer>:<entity>:<action>:<instance>

Cust_A:Product:manage:*  (Assign the permission to 'Administrator_Cust_A' role)

Cust_B:Product:manage:*  (Assign the permission to 'Administrator_Cust_B' role)

and I can assign '*:*' to the 'Super Admin' role.

Is there a better way to manage this without creating these multiple 'Administrator' roles?

2.
There can also be 'Deals' between 2 customers for which the 'source' can edit the deal and the 'target' can only view the deal. If 'Customer A' is the source and 'Customer B' is the target of a deal, then I can have permissions like,

Assign the following permission to 'Administrator_Cust_A' role

- Cust_A:Deal:manage:*

and assign the following permissions to 'Administrator_Cust_B' role

- Cust_B:Deal:manage:*
- Cust_A:Deal:view:<dealId>

Please let me know of any suggestions.
Thanks,

RE: multi tenant authorization

Posted by Marcus Bond <ma...@marcusbond.me.uk>.
I think you need to put the tenant level data access down at the DAO level
in your application and your Shiro Realm would use those DAOs such that the
current tenant is not known or cared about by Shiro. In this case you would
not need Administrator Cust A, Administrator Cust B... To Shiro you would
load a user and obtain their roles but this data unbeknown to Shiro happens
to be tenant specific since the db queries are tenant specific (tenant
separation controlled by some other means).

What I really mean above is that having tenant data independence controlled
by the security level is less preferable IMO to constructing your data
access queries such that it would never be possible for one tenant to be
able to access the data belonging to another tenant.

Marcus.
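
A sketch of the DAO-level separation suggested in the reply above, applied to the Deal entity from the question. This is an added example, not code from the thread or from Shiro; `DealDao`, `Deal` and the in-memory table standing in for tenant-filtered SQL are hypothetical.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Added example: every name and row here is constructed for illustration.
public class DealDao {
    record Deal(long id, String sourceTenant, String targetTenant, String terms) {}

    // Constructed sample rows standing in for a "deal" table.
    private static final Map<Long, Deal> TABLE = new ConcurrentHashMap<>(Map.of(
        1L, new Deal(1, "Cust_A", "Cust_B", "v1"),
        2L, new Deal(2, "Cust_C", "Cust_A", "v1"),
        3L, new Deal(3, "Cust_B", "Cust_C", "v1")));

    // Fixed when the DAO is created for a request; never a method argument,
    // so calling code cannot ask for another tenant's rows.
    private final String tenant;

    public DealDao(String tenant) { this.tenant = tenant; }

    private boolean visible(Deal d) {
        return d.sourceTenant().equals(tenant) || d.targetTenant().equals(tenant);
    }

    // Read scope: ... WHERE id = ? AND (source_tenant = ? OR target_tenant = ?)
    public Optional<Deal> find(long id) {
        return Optional.ofNullable(TABLE.get(id)).filter(this::visible);
    }

    public List<Deal> findAll() {
        return TABLE.values().stream().filter(this::visible).toList();
    }

    // Write scope: UPDATE deal SET terms = ? WHERE id = ? AND source_tenant = ?
    public boolean updateTerms(long id, String terms) {
        Deal after = TABLE.computeIfPresent(id, (k, d) -> d.sourceTenant().equals(tenant)
            ? new Deal(d.id(), d.sourceTenant(), d.targetTenant(), terms) : d);
        return after != null && after.sourceTenant().equals(tenant);
    }

    public static void main(String[] args) {
        DealDao a = new DealDao("Cust_A"), b = new DealDao("Cust_B");
        System.out.println("A edits deal 1: " + a.updateTerms(1, "v2"));
        System.out.println("B views deal 1: " + b.find(1).isPresent());
        System.out.println("B edits deal 1: " + b.updateTerms(1, "v3"));
        System.out.println("A views deal 3: " + a.find(3).isPresent());
    }
}
```

A lookup outside the tenant's scope returns the same empty result as a missing row, so the response does not reveal whether another tenant's deal exists.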

 


Re: multi tenant authorization

Posted by jeffp <je...@gmail.com>.
Consider keeping your roles "clean" and use the Permission model to grant
access to specific Customer instances.

You can follow a permission model something like this:
permissiveEntity:permission
customer_12345:edit,view

Use this in conjunction with the doGetAuthorizationInfo in an extended
AuthorizingRealm and return permissions in a List<String>: (e.g.
customer_12345:edit,view ).  You'll need to keep an application level
persistent mapping of User to Entity access.

I used this technique combined with Roles recently in a similar type
application very successfully to tightly control access to anything I
wanted.  Within code I could check for permission with something like below
as well as use the Shiro Taglibs where appropriate. 

if ( SecurityUtils.getSubject().isPermitted(permissiveEntity+":edit"))

Good luck!
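
The realm approach described in the reply above, as an added example that is not code from the thread or from Shiro itself. `TenantGrantRealm`, the `GRANTS` map (a stand-in for the persistent user-to-entity mapping) and the user names are hypothetical; authentication is left out.

```java
import java.util.List;
import java.util.Map;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

// Added example: realm name, users and grants are constructed for illustration.
public class TenantGrantRealm extends AuthorizingRealm {
    // Constructed stand-in for the application's persistent user -> entity grants.
    private static final Map<String, List<String>> GRANTS = Map.of(
        "alice", List.of("customer_12345:edit,view"),
        "bob", List.of("customer_67890:edit,view", "customer_12345:view"),
        "root", List.of("*:*"));

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String user = (String) getAvailablePrincipal(principals);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Roles stay generic; the tenant scope lives only in the permission strings.
        info.addRole("root".equals(user) ? "Super Admin" : "Administrator");
        // A user with no mapping gets no permissions at all.
        info.addStringPermissions(GRANTS.getOrDefault(user, List.of()));
        return info;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        return null; // login is out of scope for this example
    }

    public static void main(String[] args) {
        TenantGrantRealm realm = new TenantGrantRealm();
        String[][] checks = {
            {"alice", "customer_12345:edit"}, {"alice", "customer_67890:view"},
            {"bob", "customer_12345:view"}, {"bob", "customer_12345:edit"},
            {"root", "customer_67890:edit"}, {"mallory", "customer_12345:view"}};
        for (String[] c : checks) {
            PrincipalCollection who = new SimplePrincipalCollection(c[0], realm.getName());
            System.out.println(c[0] + " " + c[1] + " -> " + realm.isPermitted(who, c[1]));
        }
    }
}
```

Shiro's default wildcard matching treats `edit,view` as a set of actions and `*:*` as matching every entity and action, which is why one generic role per user type is enough here.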
