Improve Implementation of Tenancy across Framework Services

[weberjm]

The OIH Framework supports multi-tenancy setups, where each user in IAM is assigned a tenant and permissions can be designated as tenant or admin level. However, the extension of tenancy to all framework services is inconsistent. It often relies on tenants being manually added in API calls, while assigning user owners automatically.

In lib/iam-utils, the code:

• checks for tenantAdmin permissions, and user.tenant (also checks for currentContext based on user.memberships, which is deprecated
• also has deprecated user.tenantid, plus current user.tenant (because it is loaded from the account model)

This allows users to view their owned objects and all tenant objects if they are a tenantAdmin. This should be changed to allow that to be modified for users to have specific permissions on all tenant objects

The following table provides an overview of the implementation of tenants at a per-service level:

Module	Tenant in Model	Tenant in Owners	Tenant Filter	Tenant in Create/Update
app-directory	Yes		userhasreadaccess/userhaswriteaccess	appData.tenant = req.user.tenant
attachment-storage-service	NO
audit-log	Not explicit (should be in payload)		Filters based on deprecated currentcontext	not explicit
component-orchestrator	NO
component-repository		Yes
data-hub	Yes
dispatcher-service	Configuration schema		getConfigs() getOneConfig()	if in Model
flow-repository	Yes	Yes	buildQuery() in mongo
governance-service	actedOnBehalfOf		filters on actedOnBehalfOf == tenant
iam	for User, Key, Role		Yes	Checks if Tenant Owns Roles
ils	NO
logic-gateway
meta-data-repository	Yes	Yes	in findByEntityWithPagination(), findByDomainAndEntity(), middleware/permission.js	Yes
rds	Yes	Yes
reports-analytics	NO
scheduler	NO
secret-service	Yes	Yes	userIsOwnerOf(), Also uses deprecated currentcontext	Yes for authClient, only match chedk for secret
snapshots-service		Yes
template-repository		Yes	buildQuery() in mongo
webhooks	NO

Proposal

• Due to the reduced emphasis on users being able to switch between tenants while using the same data, any Model which should be separated by tenant should contain a 'tenant' field. Adding tenants to the 'owners' array should be eliminated.
• Tenant information should be added to the object creation, either directly in the route controller, a helper function like the buildQuery() function found in several services, or via an addition to the iam-utils library. Each Service should remain responsible for its management of data, even related to ownerhsip and tenancy, but our core Services which utilise tenancy for "read" operations should also implement functionality for "write" ops.
  • Alternatively, similar results could be achieved by maintaining the owners array for tenants, with additional code for maintaining the proper state.
• Eliminate the use of the deprecated "currentContext" and "user.tenantId" references.

Open Questions

• As mentioned in previous discussions, some Secrets have to be accessed via the owners array, so that the same credentials can be used across multiple Tenants. This is because some services only allow one Refresh Token per Client ID.

[RobinBrinkmann]

@weberjm will check on current status.