You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@syncope.apache.org by Francesco Chicchiriccò <il...@apache.org> on 2015/07/17 14:46:46 UTC
Multi-tenancy: implementation in progress
Hi all,
as you might have seen, I am working on SYNCOPE-652 for implementing
multi-tenancy [1].
The idea is to set the "domain" property in Spring Security's
SecurityContext - so that such information it is available throughout
the whole system, after authentication - based on the value for the new
"X-Syncope-Domain" HTTP header (when missing, "Master" is assumed).
Such header is also included in all HTTP responses.
The domain name is then used as OpenJPA slice identifier in order to
read and write data from / to a specific slice: this allows physical
separation for different domains' data.
The implementation work is going quite straightforward, but I've spent
the last three days struggling with slices - see this thread on
OpenJPA's users@ [2].
At the moment, in a separate feature branch [3] I have all unit tests
succeeding, but still few problems with integration tests.
I'll keep you posted.
Regards.
[1]
https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+Domains
[2] http://markmail.org/message/g44f4zlpou34uvke
[3]
https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=shortlog;h=refs/heads/SYNCOPE-652
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
Re: Multi-tenancy: implementation in progress
Posted by Fabio Martelli <fa...@gmail.com>.
Il 13/08/2015 17:29, Francesco Chicchiriccò ha scritto:
> Hi all,
> I am happy to announce that the implementation of this topic was
> successfully completed.
>
> Integration test environment now features two domains ("Master", e.g.
> the domain we've been having so far, and "Two"); specific tests for
> the second domain were also added.
>
> Please take a look and play around.
> Regards.
Great work!
I hope to check soon this new feature together with any objects and
realms by working to handle them on the new administration console.
Regards,
F.
>
> On 10/08/2015 11:12, Francesco Chicchiriccò wrote:
>> On 07/08/2015 12:43, Francesco Chicchiriccò wrote:
>>> A quick update on this topic.
>>>
>>> After not getting any single response from OpenJPA community [2],
>>
>> This is not correct: Mark Struberg - which is now OpenJPA PMC member,
>> via IRC on #openjpa, was the one that headed me away of slices and
>> suggested to empower JPA persistence units (e.g. EntityManagerFactory
>> instances).
>>
>>> and having considered that a slice-based implementation would have
>>> bound Syncope to non-standard OpenJPA features, I have preferred to
>>> rollback and change design.
>>>
>>> Instead of mapping domains to OpenJPA slices, now domains are mapped
>>> to EntityManagerFactory instances, since each domain is considered a
>>> separated JPA persistence unit.
>>> Physical separation of tables for different domains and support for
>>> heterogeneous domains (domain A on MySQL, domain B on Oracle, ...)
>>> are still available.
>>>
>>> This new approach required some hook at Spring level [4] which
>>> dynamically "injects" the domain into @Transactional annotations,
>>> depending on the requesting user.
>>>
>>> The feature branch [3] now has all tests passing, even though some
>>> refinements are still in progress.
>>>
>>> I'll keep you posted.
>>> Regards.
>>>
>>> On 17/07/2015 14:46, Francesco Chicchiriccò wrote:
>>>> Hi all,
>>>> as you might have seen, I am working on SYNCOPE-652 for
>>>> implementing multi-tenancy [1].
>>>>
>>>> The idea is to set the "domain" property in Spring Security's
>>>> SecurityContext - so that such information it is available
>>>> throughout the whole system, after authentication - based on the
>>>> value for the new "X-Syncope-Domain" HTTP header (when missing,
>>>> "Master" is assumed).
>>>> Such header is also included in all HTTP responses.
>>>>
>>>> The domain name is then used as OpenJPA slice identifier in order
>>>> to read and write data from / to a specific slice: this allows
>>>> physical separation for different domains' data.
>>>>
>>>> The implementation work is going quite straightforward, but I've
>>>> spent the last three days struggling with slices - see this thread
>>>> on OpenJPA's users@ [2].
>>>>
>>>> At the moment, in a separate feature branch [3] I have all unit
>>>> tests succeeding, but still few problems with integration tests.
>>>>
>>>> I'll keep you posted.
>>>> Regards.
>>>>
>>>> [1]
>>>> https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+Domains
>>>> [2] http://markmail.org/message/g44f4zlpou34uvke
>>>> [3]
>>>> https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=shortlog;h=refs/heads/SYNCOPE-652
>>> [4]
>>> https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob;f=core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/spring/DomainTransactionInterceptor.java;hb=9e6f87e5da41ebd5466bf522099d3745b35703a4
>
--
Fabio Martelli
Tirasa - Open Source Excellence
http://www.tirasa.net/
Apache Syncope PMC
http://people.apache.org/~fmartelli/
Re: Multi-tenancy: implementation in progress
Posted by Francesco Chicchiriccò <il...@apache.org>.
Hi all,
I am happy to announce that the implementation of this topic was
successfully completed.
Integration test environment now features two domains ("Master", e.g.
the domain we've been having so far, and "Two"); specific tests for the
second domain were also added.
Please take a look and play around.
Regards.
On 10/08/2015 11:12, Francesco Chicchiriccò wrote:
> On 07/08/2015 12:43, Francesco Chicchiriccò wrote:
>> A quick update on this topic.
>>
>> After not getting any single response from OpenJPA community [2],
>
> This is not correct: Mark Struberg - which is now OpenJPA PMC member,
> via IRC on #openjpa, was the one that headed me away of slices and
> suggested to empower JPA persistence units (e.g. EntityManagerFactory
> instances).
>
>> and having considered that a slice-based implementation would have
>> bound Syncope to non-standard OpenJPA features, I have preferred to
>> rollback and change design.
>>
>> Instead of mapping domains to OpenJPA slices, now domains are mapped
>> to EntityManagerFactory instances, since each domain is considered a
>> separated JPA persistence unit.
>> Physical separation of tables for different domains and support for
>> heterogeneous domains (domain A on MySQL, domain B on Oracle, ...)
>> are still available.
>>
>> This new approach required some hook at Spring level [4] which
>> dynamically "injects" the domain into @Transactional annotations,
>> depending on the requesting user.
>>
>> The feature branch [3] now has all tests passing, even though some
>> refinements are still in progress.
>>
>> I'll keep you posted.
>> Regards.
>>
>> On 17/07/2015 14:46, Francesco Chicchiriccò wrote:
>>> Hi all,
>>> as you might have seen, I am working on SYNCOPE-652 for implementing
>>> multi-tenancy [1].
>>>
>>> The idea is to set the "domain" property in Spring Security's
>>> SecurityContext - so that such information it is available
>>> throughout the whole system, after authentication - based on the
>>> value for the new "X-Syncope-Domain" HTTP header (when missing,
>>> "Master" is assumed).
>>> Such header is also included in all HTTP responses.
>>>
>>> The domain name is then used as OpenJPA slice identifier in order to
>>> read and write data from / to a specific slice: this allows physical
>>> separation for different domains' data.
>>>
>>> The implementation work is going quite straightforward, but I've
>>> spent the last three days struggling with slices - see this thread
>>> on OpenJPA's users@ [2].
>>>
>>> At the moment, in a separate feature branch [3] I have all unit
>>> tests succeeding, but still few problems with integration tests.
>>>
>>> I'll keep you posted.
>>> Regards.
>>>
>>> [1]
>>> https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+Domains
>>> [2] http://markmail.org/message/g44f4zlpou34uvke
>>> [3]
>>> https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=shortlog;h=refs/heads/SYNCOPE-652
>> [4]
>> https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob;f=core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/spring/DomainTransactionInterceptor.java;hb=9e6f87e5da41ebd5466bf522099d3745b35703a4
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
Re: Multi-tenancy: implementation in progress
Posted by Francesco Chicchiriccò <il...@apache.org>.
On 07/08/2015 12:43, Francesco Chicchiriccò wrote:
> A quick update on this topic.
>
> After not getting any single response from OpenJPA community [2],
This is not correct: Mark Struberg - which is now OpenJPA PMC member,
via IRC on #openjpa, was the one that headed me away of slices and
suggested to empower JPA persistence units (e.g. EntityManagerFactory
instances).
> and having considered that a slice-based implementation would have
> bound Syncope to non-standard OpenJPA features, I have preferred to
> rollback and change design.
>
> Instead of mapping domains to OpenJPA slices, now domains are mapped
> to EntityManagerFactory instances, since each domain is considered a
> separated JPA persistence unit.
> Physical separation of tables for different domains and support for
> heterogeneous domains (domain A on MySQL, domain B on Oracle, ...) are
> still available.
>
> This new approach required some hook at Spring level [4] which
> dynamically "injects" the domain into @Transactional annotations,
> depending on the requesting user.
>
> The feature branch [3] now has all tests passing, even though some
> refinements are still in progress.
>
> I'll keep you posted.
> Regards.
>
> On 17/07/2015 14:46, Francesco Chicchiriccò wrote:
>> Hi all,
>> as you might have seen, I am working on SYNCOPE-652 for implementing
>> multi-tenancy [1].
>>
>> The idea is to set the "domain" property in Spring Security's
>> SecurityContext - so that such information it is available throughout
>> the whole system, after authentication - based on the value for the
>> new "X-Syncope-Domain" HTTP header (when missing, "Master" is assumed).
>> Such header is also included in all HTTP responses.
>>
>> The domain name is then used as OpenJPA slice identifier in order to
>> read and write data from / to a specific slice: this allows physical
>> separation for different domains' data.
>>
>> The implementation work is going quite straightforward, but I've
>> spent the last three days struggling with slices - see this thread on
>> OpenJPA's users@ [2].
>>
>> At the moment, in a separate feature branch [3] I have all unit tests
>> succeeding, but still few problems with integration tests.
>>
>> I'll keep you posted.
>> Regards.
>>
>> [1]
>> https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+Domains
>> [2] http://markmail.org/message/g44f4zlpou34uvke
>> [3]
>> https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=shortlog;h=refs/heads/SYNCOPE-652
> [4]
> https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob;f=core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/spring/DomainTransactionInterceptor.java;hb=9e6f87e5da41ebd5466bf522099d3745b35703a4
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
Re: Multi-tenancy: implementation in progress
Posted by Francesco Chicchiriccò <il...@apache.org>.
A quick update on this topic.
After not getting any single response from OpenJPA community [2], and
having considered that a slice-based implementation would have bound
Syncope to non-standard OpenJPA features, I have preferred to rollback
and change design.
Instead of mapping domains to OpenJPA slices, now domains are mapped to
EntityManagerFactory instances, since each domain is considered a
separated JPA persistence unit.
Physical separation of tables for different domains and support for
heterogeneous domains (domain A on MySQL, domain B on Oracle, ...) are
still available.
This new approach required some hook at Spring level [4] which
dynamically "injects" the domain into @Transactional annotations,
depending on the requesting user.
The feature branch [3] now has all tests passing, even though some
refinements are still in progress.
I'll keep you posted.
Regards.
On 17/07/2015 14:46, Francesco Chicchiriccò wrote:
> Hi all,
> as you might have seen, I am working on SYNCOPE-652 for implementing
> multi-tenancy [1].
>
> The idea is to set the "domain" property in Spring Security's
> SecurityContext - so that such information it is available throughout
> the whole system, after authentication - based on the value for the
> new "X-Syncope-Domain" HTTP header (when missing, "Master" is assumed).
> Such header is also included in all HTTP responses.
>
> The domain name is then used as OpenJPA slice identifier in order to
> read and write data from / to a specific slice: this allows physical
> separation for different domains' data.
>
> The implementation work is going quite straightforward, but I've spent
> the last three days struggling with slices - see this thread on
> OpenJPA's users@ [2].
>
> At the moment, in a separate feature branch [3] I have all unit tests
> succeeding, but still few problems with integration tests.
>
> I'll keep you posted.
> Regards.
>
> [1]
> https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+Domains
> [2] http://markmail.org/message/g44f4zlpou34uvke
> [3]
> https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=shortlog;h=refs/heads/SYNCOPE-652
[4]
https://git-wip-us.apache.org/repos/asf?p=syncope.git;a=blob;f=core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/spring/DomainTransactionInterceptor.java;hb=9e6f87e5da41ebd5466bf522099d3745b35703a4
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/