Multi-tenant #416

Open
gedw99 opened this issue Feb 4, 2023 · 9 comments
Labels
enhancement New feature or request

Comments

gedw99 commented Feb 4, 2023

I can imagine that some people may want to use the filter concepts to do multi-tenant also.

So an org has certain roles and users. When an org connects we detect the org via some header (or otherwise) and then apply the org filter on all queries and mutations. It’s a middleware guard that is always applied.

The roles and users are available to that org user over the introspection API too, based on org, so that any IDE is multi-tenant aware.

I don’t know if the filters concept would be enough to restrict table access.

gedw99 added the enhancement label Feb 4, 2023

dosco (Owner) commented Feb 4, 2023

We have a concept of namespace: you can use OptionSetNamespace(string) when creating the core instance, or use SetNamespace(string) on the ReqConfig object for a per-request setting. Namespaces are a way to group queries in the allow list. Query names are prefixed with the namespace. However, it does not apply to configs like the table / role configs.

At the time I couldn't think of a good use case for namespace-level filters. You could do what you suggested with a single table-level { tenant_id: { equals: $tenantID } } filter and set the tenantID variable using ReqConfig.
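
The table-level filter on `$tenantID` suggested above isolates tenants only if the value is set by the server and cannot be chosen by the client. The following is an added example, not part of the thread and not GraphJin's own code, of a guard that enforces this; `WithTenant`, `GuardVars` and the context key are hypothetical names, and handing the resulting map to GraphJin is not shown.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
)

type ctxKey struct{}

// tenantVar is the variable named in the filter { tenant_id: { equals: $tenantID } }.
const tenantVar = "tenantID"

var ErrNoTenant = errors.New("no verified tenant on request")

// WithTenant is called by a (hypothetical) auth layer once it has verified the
// caller's org from a session or signed token, not from a raw client header.
func WithTenant(ctx context.Context, tenant string) context.Context {
	return context.WithValue(ctx, ctxKey{}, tenant)
}

// GuardVars decodes the client's JSON variables and returns the set the server
// passes to the query engine. tenantID always comes from the verified context;
// a request without a verified tenant fails closed.
func GuardVars(ctx context.Context, clientVars []byte) (map[string]interface{}, error) {
	tenant, ok := ctx.Value(ctxKey{}).(string)
	if !ok || tenant == "" {
		return nil, ErrNoTenant
	}
	vars := map[string]interface{}{}
	if len(clientVars) > 0 {
		if err := json.Unmarshal(clientVars, &vars); err != nil {
			return nil, fmt.Errorf("bad variables: %w", err)
		}
	}
	if vars == nil { // JSON "null" decodes to a nil map
		vars = map[string]interface{}{}
	}
	vars[tenantVar] = tenant // overwrite whatever the client sent
	return vars, nil
}

func main() {
	// Constructed input: a caller verified as org_1 asks for org_2 rows.
	ctx := WithTenant(context.Background(), "org_1")
	fmt.Println(GuardVars(ctx, []byte(`{"tenantID":"org_2","limit":10}`)))
	fmt.Println(GuardVars(context.Background(), nil))
}
```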

dosco (Owner) commented Feb 4, 2023

Across databases it's better to just have multiple instances of GraphJin core, but as I understand it you're suggesting this as a way to tenant within a single database, correct?

gedw99 (Author) commented Feb 5, 2023

Yeah, I am interested in multi-tenant with a single db.

It’s to save costs. A team with many services could use the one db and so save money and complexity.

dosco (Owner) commented Feb 5, 2023 via email

gedw99 (Author) commented Feb 5, 2023

I don’t understand how that helps a team?

Let’s say you have 10 orgs using a single db.

Each org has their own services. Say service A to D, so 4 services in their middle tier. I guess each one runs graphjin core.

Each org shares roles, users and user to groups mapping. Typically an org's services like to reuse their roles / users between their services. It’s a reasonable assumption.

Each org would basically be isolated from the other orgs.

That’s what I see as an archetype very often.

mid org 1 outgrows the shared db, they migrate to their own db layer .

dosco (Owner) commented Feb 5, 2023

I'm talking about the mechanism of achieving what you originally thought about: "apply the org filter on all queries and mutations". We could achieve this using the role mechanism; even without adding multiple roles you could just define a role using a role_query or passing it in with the request and what you originally wanted would happen.

dosco (Owner) commented Feb 5, 2023

> Each org shares roles, users and user to groups mapping. Typically an org's services like to reuse their roles / users between their services. It’s a reasonable assumption.

Yes, you would have all that if we had multiple roles, so a person A could have the roles "member_of_org_1, viewer, admin" and person B could have the roles "member_of_org_2, viewer, user".

gedw99 (Author) commented Feb 24, 2023

Hey @dosco

I got stuck on setup.

I can't connect using cockroach. Hope you don't mind me trying it, even though it's not officially supported.

Here's the issue:

make ex-start
WARN    database ping: failed to connect to `host=localhost:26257 user=root database=defaultdb`: hostname resolving error (lookup localhost:26257: no such host)

REPRO:

makefile:


BIN=$(PWD)/$(REPO_NAME)/graphjin

### DB 

DB_WEB_URL=http://localhost:8080
DB_URL=postgresql://root@localhost:26257/defaultdb?sslmode=disable

db-start:
	# https://www.cockroachlabs.com/docs/stable/install-cockroachdb-mac.html
	brew install cockroachdb/tap/cockroach
	which cockroach

	# start it in insecure mode.
	cockroach start-single-node --insecure --store=attrs=ssd,path=$(PWD)/cockroach-data --listen-addr=localhost:36257 --sql-addr=localhost:26257

### EX

EX_NAME=test

EX_ROOT_FSPATH=$(PWD)/example/
EX=$(EX_ROOT_FSPATH)/$(EX_NAME)

ex-print:
	@echo ""
	@echo "EX:    $(EX)"

ex-new:
	cd $(EX_ROOT_FSPATH) && $(BIN) new --db-url=$(DB_URL) $(EX_NAME)
ex-new-del:
	rm -rf $(EX)


EX_CMD=cd $(EX) && $(BIN)
ex-start:
	$(EX_CMD) serve

gedw99 (Author) commented Feb 24, 2023

Still trying to work it out :)

This golang web admin can connect with that $(DB_URL).

## DB ADMIN

db-gui-dep:
	git clone https://github.com/sosedoff/pgweb
db-gui-build:
	cd pgweb && $(MAKE) build
db-gui-run:
	cd pgweb && ./pgweb --url=$(DB_URL)
	# http://localhost:8081/

make db-gui-run
cd pgweb && ./pgweb --url=postgresql://root@localhost:26257/defaultdb?sslmode=disable
Pgweb v0.14.0 (git: d5e72f92b50972fdf1a88a65b5eab0bcc88c938d) (go: go1.20.1) (build time: 2023-02-24T13:43:11Z) (arch: darwin/amd64)
Connecting to server...
Connected to CockroachDB 22.2.5
Checking database objects...
Starting server...
To view database open http://localhost:8081/ in browser
INFO[0001] http_request                                  duration=5.850878ms duration_ms=5 method=GET path=/ remote_addr=127.0.0.1 status=200
INFO[0001] http_request                                  duration="185.18µs" duration_ms=0 method=GET path=/api/info remote_addr=127.0.0.1 status=200
INFO[0001] http_request                                  duration=1.158072ms duration_ms=1 method=GET path=/api/connection remote_addr=127.0.0.1 status=200
INFO[0001] http_request                                  duration=1.478919ms duration_ms=1 method=GET path=/api/schemas remote_addr=127.0.0.1 status=200
INFO[0003] http_request                                  duration=1.131578336s duration_ms=1131 method=GET path=/api/objects remote_addr=127.0.0.1 status=200
