Slide 1

Slide 1 text

Thomas Vitale Jfokus Feb 6th, 2024 Multitenant Mystery Every Bean Has A Secret @vitalethomas

Slide 2

Slide 2 text

Thomas Vitale (Systematic)
• Software Engineer, CNCF Ambassador, Oracle ACE Pro.
• Author of “Cloud Native Spring in Action” (Manning).
• OSS contributor (Java, Spring, Cloud Native Technologies)
thomasvitale.com

Slide 3

Slide 3 text

Multitenancy

Slide 4

Slide 4 text

Multitenancy: “…an architecture in which a single running instance of an application simultaneously serves multiple clients (tenants). This is highly common in SaaS solutions.” (Hibernate User Guide)

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

1. Tenant

Slide 7

Slide 7 text

Tenant: identifying the tenant
1. Tenant Resolution: resolve the tenant from the HTTP request, AMQP message, JWT…
2. Tenant Context: store the tenant and make it available to the current process
3. Tenant Interceptor: intercept the incoming request, resolve the tenant, and store it in the context
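The three pieces above, written out as an added example for a Spring MVC service (this is not code from the talk or its source repository): a ThreadLocal tenant context, a resolver that reads the tenant from an X-TenantId header, and a HandlerInterceptor that stores the tenant before the handler runs and clears it afterwards. The header name, the package name and the allowed identifier pattern are assumptions. The clear step matters: servlet threads are pooled, and a value left behind would make the next request on that thread run as the previous tenant.

```java
package com.example.multitenancy; // hypothetical package, not the talk's code

import java.util.regex.Pattern;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.web.server.ResponseStatusException;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// 2. Tenant context: holds the tenant identifier for the current thread only.
final class TenantContext {
    private static final ThreadLocal<String> CURRENT = new ThreadLocal<>();

    private TenantContext() {}

    static void set(String tenantId) { CURRENT.set(tenantId); }

    static String get() { return CURRENT.get(); }

    // Request threads are pooled: without this, the next request served by the
    // same thread would silently run as the previous tenant.
    static void clear() { CURRENT.remove(); }
}

// 1. Tenant resolution from an HTTP header (header name is an assumption).
final class HttpHeaderTenantResolver {
    static final String TENANT_HEADER = "X-TenantId";
    // Strict allow-pattern: the identifier is later used as a schema name,
    // log field and trace tag, so it must never carry arbitrary input.
    private static final Pattern VALID_TENANT_ID = Pattern.compile("[a-z0-9-]{1,32}");

    String resolve(HttpServletRequest request) {
        String tenantId = request.getHeader(TENANT_HEADER);
        if (tenantId == null || !VALID_TENANT_ID.matcher(tenantId).matches()) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Missing or invalid tenant identifier");
        }
        return tenantId;
    }
}

// 3. Interceptor: resolve before the handler runs, clear after it completes.
final class TenantInterceptor implements HandlerInterceptor {
    private final HttpHeaderTenantResolver resolver = new HttpHeaderTenantResolver();

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        TenantContext.set(resolver.resolve(request));
        return true;
    }

    // Runs even when the handler threw, so the context is always cleaned up.
    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response,
            Object handler, Exception ex) {
        TenantContext.clear();
    }
}

@Configuration
class TenantWebConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Register first so every later interceptor and controller sees the tenant.
        registry.addInterceptor(new TenantInterceptor()).order(0);
    }
}
```

A header-based resolver is only as trustworthy as the component that sets the header: when a gateway injects X-TenantId from the request host, the service should be reachable only through that gateway, otherwise any caller can pick its tenant. The same resolver shape applies to an AMQP header or a JWT claim; only the source of the identifier changes.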

Slide 8

Slide 8 text

2. Data Isolation

Slide 9

Slide 9 text

Data Isolation: multitenant data management
Partitioned Data
‣ Tenant as a discriminator (column)
‣ Add discriminator to each SQL statement
Separate Schema
‣ Schema per tenant
‣ No altered SQL
‣ Add tenant to connection
Separate Database
‣ Database per tenant
‣ No altered SQL
‣ Separate connection pools
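The "separate schema" option in working form, as an added example (not the talk's code): a single connection pool, with the tenant applied to each connection as the current schema so that the SQL itself stays untouched. It assumes Hibernate 6.2 or later (where CurrentTenantIdentifierResolver and MultiTenantConnectionProvider are generic), a PostgreSQL-style database where Connection.setSchema sets the search path, a per-thread TenantContext filled by a tenant interceptor, and a constructed allow-list of provisioned tenants.

```java
package com.example.multitenancy; // hypothetical package, not the talk's code

import java.sql.Connection;
import java.sql.SQLException;
import java.util.Set;

import javax.sql.DataSource;
import org.hibernate.cfg.AvailableSettings;
import org.hibernate.context.spi.CurrentTenantIdentifierResolver;
import org.hibernate.engine.jdbc.connections.spi.MultiTenantConnectionProvider;
import org.springframework.boot.autoconfigure.orm.jpa.HibernatePropertiesCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Minimal per-thread holder; in a real application the tenant interceptor fills it.
final class TenantContext {
    private static final ThreadLocal<String> CURRENT = new ThreadLocal<>();
    static void set(String id) { CURRENT.set(id); }
    static String get() { return CURRENT.get(); }
    static void clear() { CURRENT.remove(); }
}

// Tells Hibernate which tenant the current session belongs to.
final class ContextTenantIdentifierResolver implements CurrentTenantIdentifierResolver<String> {
    @Override
    public String resolveCurrentTenantIdentifier() {
        String tenantId = TenantContext.get();
        if (tenantId == null) {
            // Fail closed: never fall back to a shared or default schema.
            throw new IllegalStateException("No tenant bound to the current thread");
        }
        return tenantId;
    }

    @Override
    public boolean validateExistingCurrentSessions() { return true; }
}

// One pool, many schemas: the tenant is applied to the connection, SQL is unchanged.
final class SchemaPerTenantConnectionProvider implements MultiTenantConnectionProvider<String> {
    private final DataSource dataSource;
    private final Set<String> knownTenants; // allow-list of provisioned schemas
    private final String defaultSchema;

    SchemaPerTenantConnectionProvider(DataSource dataSource, Set<String> knownTenants, String defaultSchema) {
        this.dataSource = dataSource;
        this.knownTenants = knownTenants;
        this.defaultSchema = defaultSchema;
    }

    @Override
    public Connection getAnyConnection() throws SQLException { return dataSource.getConnection(); }

    @Override
    public void releaseAnyConnection(Connection connection) throws SQLException { connection.close(); }

    @Override
    public Connection getConnection(String tenantId) throws SQLException {
        if (!knownTenants.contains(tenantId)) {
            throw new SQLException("Unknown tenant: " + tenantId);
        }
        Connection connection = getAnyConnection();
        try {
            connection.setSchema(tenantId); // PostgreSQL: sets search_path; MySQL would use setCatalog
        } catch (SQLException e) {
            connection.close(); // do not leak a pooled connection on failure
            throw e;
        }
        return connection;
    }

    @Override
    public void releaseConnection(String tenantId, Connection connection) throws SQLException {
        try {
            // Reset before the pool hands the connection to another tenant.
            connection.setSchema(defaultSchema);
        } finally {
            connection.close();
        }
    }

    @Override
    public boolean supportsAggressiveRelease() { return false; }

    @Override
    public boolean isUnwrappableAs(Class<?> unwrapType) { return false; }

    @Override
    public <T> T unwrap(Class<T> unwrapType) { throw new UnsupportedOperationException(); }
}

@Configuration
class MultiTenancyJpaConfig {
    @Bean
    HibernatePropertiesCustomizer multiTenancyCustomizer(DataSource dataSource) {
        // Tenant names are constructed for the example.
        var provider = new SchemaPerTenantConnectionProvider(dataSource, Set.of("dukes", "beans"), "public");
        return props -> {
            props.put(AvailableSettings.MULTI_TENANT_CONNECTION_PROVIDER, provider);
            props.put(AvailableSettings.MULTI_TENANT_IDENTIFIER_RESOLVER, new ContextTenantIdentifierResolver());
        };
    }
}
```

Two details carry the isolation guarantee: the resolver fails closed when no tenant is bound, so a background job or a missed interceptor cannot query a default schema by accident, and the allow-list stops a tenant identifier that slipped past input validation from being used as a schema name. For the "separate database" option the same provider shape applies, with one DataSource per tenant selected in getConnection instead of setSchema.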

Slide 10

Slide 10 text

Testcontainers: testing with external dependencies
OCI containers: run external dependencies as OCI containers, also at development time
Data Layer Tests: ensure environment parity by testing the data layer with the real database
Integration Tests: use containers for databases, message queues, and web servers

Slide 11

Slide 11 text

Schema and data management
Flyway: version control for your database
SQL Migrations: schema changes
Java Migrations: data changes
Timeline: V1 Init schema → V2 Add column → V3 Create table → V4 Add constraint
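Added example (not the talk's code) of how the versioned migrations above are applied when each tenant owns a schema: Flyway runs once per tenant with that schema as its default, so every tenant keeps its own flyway_schema_history and a newly provisioned tenant is brought up to the current version on the next start. The tenant list, the migration location and the Java migration's version and SQL are constructed for the example.

```java
package com.example.multitenancy; // hypothetical package, not the talk's code

import java.sql.Statement;
import java.util.List;

import javax.sql.DataSource;
import org.flywaydb.core.Flyway;
import org.flywaydb.core.api.migration.BaseJavaMigration;
import org.flywaydb.core.api.migration.Context;
import org.springframework.boot.ApplicationRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// A Java migration for a data change that is awkward to express in plain SQL.
// Class name follows Flyway's V<version>__<description> convention.
class V5__Backfill_default_currency extends BaseJavaMigration {
    @Override
    public void migrate(Context context) throws Exception {
        try (Statement stmt = context.getConnection().createStatement()) {
            // Unqualified table name: resolves inside the tenant schema Flyway set as default.
            stmt.executeUpdate("UPDATE book SET currency = 'EUR' WHERE currency IS NULL");
        }
    }
}

@Configuration
class TenantMigrationConfig {

    // Assumption: the list of provisioned tenants comes from a registry; constructed here.
    private static final List<String> TENANTS = List.of("dukes", "beans");

    @Bean
    ApplicationRunner tenantSchemaMigrations(DataSource dataSource) {
        return args -> {
            for (String tenantId : TENANTS) {
                Flyway.configure()
                        .dataSource(dataSource)
                        .schemas(tenantId)        // created if it does not exist yet
                        .defaultSchema(tenantId)  // history table and unqualified names live here
                        .locations("classpath:db/migration/tenant") // SQL migrations, assumed path
                        .javaMigrations(new V5__Backfill_default_currency()) // registered explicitly
                        .load()
                        .migrate();
            }
        };
    }
}
```

Keeping tenant migrations in their own location separates them from any shared tables that Spring Boot's auto-configured Flyway still migrates at startup; the two sets are versioned independently, so a tenant schema never picks up a shared-table change by accident.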

Slide 12

Slide 12 text

3. Observability

Slide 13

Slide 13 text

Spring Observability: production-grade features
Spring Boot Actuator
‣ Health (liveness and readiness)
‣ Metrics (Prometheus, OpenMetrics)
‣ Flyway, Thread Dumps, Heap Dumps
Micrometer
‣ Unified Observation API
‣ Instrumentation for metrics and traces
‣ OpenZipkin, OpenTelemetry

Slide 14

Slide 14 text

Multitenant Observability: observation contexts for tenants
Logs: include tenant information in each log message
Metrics: monitor the overall application as we add more tenants
Traces: identify traces belonging to each tenant
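An added example (not the talk's code) of wiring the tenant into Micrometer's Observation API: an ObservationFilter tags every observation with the tenant so traces can be filtered per tenant, and an ObservationHandler copies the tenant into the SLF4J MDC while an observation scope is open so each log line carries it. The tenant is read from a per-thread TenantContext that a tenant interceptor fills (assumption); the key names are constructed.

```java
package com.example.multitenancy; // hypothetical package, not the talk's code

import io.micrometer.common.KeyValue;
import io.micrometer.observation.Observation;
import io.micrometer.observation.ObservationFilter;
import io.micrometer.observation.ObservationHandler;
import org.slf4j.MDC;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Minimal per-thread holder; the tenant interceptor fills it in a real application.
final class TenantContext {
    private static final ThreadLocal<String> CURRENT = new ThreadLocal<>();
    static void set(String id) { CURRENT.set(id); }
    static String get() { return CURRENT.get(); }
    static void clear() { CURRENT.remove(); }
}

@Configuration
class TenantObservabilityConfig {
    static final String TENANT_KEY = "tenant.id";
    static final String MDC_KEY = "tenantId";
    private static final String PREVIOUS_MDC = "tenant.mdc.previous";

    // Traces: tag every observation with the tenant. A high-cardinality key value
    // goes to traces but not to metrics, where an unbounded number of tenants
    // would multiply every time series.
    @Bean
    ObservationFilter tenantObservationFilter() {
        return context -> {
            String tenantId = TenantContext.get();
            if (tenantId != null) {
                context.addHighCardinalityKeyValue(KeyValue.of(TENANT_KEY, tenantId));
            }
            return context;
        };
    }

    // Logs: while an observation scope is open on this thread, log lines carry the
    // tenant through MDC (log pattern "%X{tenantId}"). The previous value is kept
    // in the context so closing a nested scope restores it instead of wiping it.
    @Bean
    ObservationHandler<Observation.Context> tenantMdcHandler() {
        return new ObservationHandler<>() {
            @Override
            public void onScopeOpened(Observation.Context context) {
                String previous = MDC.get(MDC_KEY);
                if (previous != null) {
                    context.put(PREVIOUS_MDC, previous);
                }
                String tenantId = TenantContext.get();
                if (tenantId != null) {
                    MDC.put(MDC_KEY, tenantId);
                }
            }

            @Override
            public void onScopeClosed(Observation.Context context) {
                String previous = context.get(PREVIOUS_MDC);
                if (previous == null) {
                    MDC.remove(MDC_KEY);
                } else {
                    MDC.put(MDC_KEY, previous);
                }
            }

            @Override
            public boolean supportsContext(Observation.Context context) { return true; }
        };
    }
}
```

Spring Boot registers ObservationFilter and ObservationHandler beans with the auto-configured ObservationRegistry, and the server request observation keeps a scope open for the whole handler execution, so controller and repository log lines pick up the tenant. Per-tenant metrics are deliberately left out: the slide's point is to monitor the application as a whole as tenants grow, and a tenant tag on metrics only stays affordable while the tenant count is small and bounded.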

Slide 15

Slide 15 text

4. Gateway

Slide 16

Slide 16 text

Multitenant Gateway: tenant propagation
https://dukes.rock → GATEWAY → SERVICE (X-TenantId=dukes)
https://beans.rock → GATEWAY → SERVICE (X-TenantId=beans)

Slide 17

Slide 17 text

Spring Cloud Gateway
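The propagation step from the gateway diagram, as an added example (not the talk's code): a Spring Cloud Gateway GlobalFilter that maps the request host to a tenant and sets X-TenantId on the request forwarded to the service. The host-to-tenant table and the header name are constructed; the hosts match the diagram. The filter overwrites rather than appends, so a client cannot smuggle its own X-TenantId past the gateway.

```java
package com.example.multitenancy; // hypothetical package, not the talk's code

import java.util.Map;

import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

@Component
class TenantPropagationFilter implements GlobalFilter, Ordered {
    static final String TENANT_HEADER = "X-TenantId";

    // Constructed mapping; a real gateway would load it from a tenant registry.
    private static final Map<String, String> TENANT_BY_HOST = Map.of(
            "dukes.rock", "dukes",
            "beans.rock", "beans");

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        String host = exchange.getRequest().getURI().getHost();
        String tenantId = host == null ? null : TENANT_BY_HOST.get(host);
        if (tenantId == null) {
            // Unknown host: do not forward at all rather than forward without a tenant.
            exchange.getResponse().setStatusCode(HttpStatus.NOT_FOUND);
            return exchange.getResponse().setComplete();
        }
        // set() replaces any client-supplied value: the tenant is derived from the
        // host the gateway served, never taken from the incoming headers.
        ServerHttpRequest request = exchange.getRequest().mutate()
                .headers(headers -> headers.set(TENANT_HEADER, tenantId))
                .build();
        return chain.filter(exchange.mutate().request(request).build());
    }

    @Override
    public int getOrder() {
        // Run before routing and before other tenant-aware filters.
        return Ordered.HIGHEST_PRECEDENCE + 100;
    }
}
```

The filter only makes the header trustworthy for traffic that actually passed through the gateway; the services behind it still need to be unreachable from clients directly (network policy, mTLS, or an internal-only listener), otherwise the header check in the service is the only thing between a caller and another tenant's data.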

Slide 18

Slide 18 text

5. Security

Slide 19

Slide 19 text

Multitenant Security: authenticating and authorizing tenants
Authentication: each tenant authenticates via a separate Identity Provider
Authorization: the JWT signature is verified with a separate issuer for each tenant
Dynamic Tenants: adding new tenants doesn’t require changing the application

Slide 20

Slide 20 text

Multitenant Authentication: separate identity providers (delegate AuthN)
https://dukes.rock → GATEWAY → Dukes IdP
https://beans.rock → GATEWAY → Beans IdP

Slide 21

Slide 21 text

Spring Security - OAuth2 Client: dynamic tenant management
Static configuration (application.yml):
spring:
  security:
    oauth2:
      client:
        registration:
          keycloak:
            client-id: edge-service
            client-secret: polar-keycloak-secret
            scope: openid
        provider:
          keycloak:
            issuer-uri: http://localhost:8080/realms/PolarBookshop
Dynamic alternative: @Bean ClientRegistrationRepository
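The dynamic alternative to the static registration above, as an added example (not the talk's code): a ClientRegistrationRepository that builds one ClientRegistration per tenant on first use from the tenant's own issuer, so adding a tenant means adding an entry to the tenant directory, not a redeploy. Declaring the bean replaces Spring Boot's property-based repository. The TenantDirectory interface, the TenantOAuth2Settings record and the issuer URIs, client ids and secret placeholders are constructed.

```java
package com.example.multitenancy; // hypothetical package, not the talk's code

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;

// Per-tenant OAuth2 settings, normally loaded from a tenant directory (assumed).
record TenantOAuth2Settings(String issuerUri, String clientId, String clientSecret) {}

interface TenantDirectory {
    // Returns null for tenants that are not provisioned.
    TenantOAuth2Settings find(String tenantId);
}

// Registration id == tenant id, so /oauth2/authorization/{tenantId} starts the
// login flow against that tenant's own identity provider.
final class TenantClientRegistrationRepository implements ClientRegistrationRepository {
    private final TenantDirectory directory;
    private final Map<String, ClientRegistration> cache = new ConcurrentHashMap<>();

    TenantClientRegistrationRepository(TenantDirectory directory) {
        this.directory = directory;
    }

    @Override
    public ClientRegistration findByRegistrationId(String registrationId) {
        // computeIfAbsent does not store null, so an unknown tenant is re-checked on
        // every call and a newly provisioned tenant appears without a restart.
        return cache.computeIfAbsent(registrationId, this::load);
    }

    private ClientRegistration load(String tenantId) {
        TenantOAuth2Settings settings = directory.find(tenantId);
        if (settings == null) {
            return null; // Spring Security then rejects the login attempt
        }
        // Discovers the authorization, token and JWKS endpoints from the issuer's
        // OpenID configuration; only issuers listed in the directory are contacted.
        return ClientRegistrations.fromIssuerLocation(settings.issuerUri())
                .registrationId(tenantId)
                .clientId(settings.clientId())
                .clientSecret(settings.clientSecret())
                .scope("openid")
                .build();
    }
}

@Configuration
class TenantOAuth2ClientConfig {
    @Bean
    ClientRegistrationRepository clientRegistrationRepository() {
        // Constructed in-memory directory standing in for a real tenant store.
        Map<String, TenantOAuth2Settings> tenants = Map.of(
                "dukes", new TenantOAuth2Settings("https://idp.dukes.rock/realms/dukes",
                        "edge-service", "dukes-secret-placeholder"),
                "beans", new TenantOAuth2Settings("https://idp.beans.rock/realms/beans",
                        "edge-service", "beans-secret-placeholder"));
        return new TenantClientRegistrationRepository(tenants::get);
    }
}
```

The registration id doubles as the tenant selector, so the gateway that already resolved the tenant from the host can send unauthenticated users to the matching login entry point. Spring Cloud Gateway itself is reactive, where the same shape is implemented against ReactiveClientRegistrationRepository, returning a Mono from findByRegistrationId. Client secrets belong in the tenant store or a secrets manager, not in the application configuration.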

Slide 22

Slide 22 text

Multitenant Authorization: JWT verification per tenant (verify signature)
JWT (Dukes) → SERVICE → Dukes IdP
JWT (Beans) → SERVICE → Beans IdP

Slide 23

Slide 23 text

Spring Security - OAuth2 Resource Server: dynamic tenant management
Static configuration (application.yml):
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: http://localhost:8080/realms/PolarBookshop
Dynamic alternative: @Bean AuthenticationManagerResolver
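The dynamic alternative for the resource server, as an added example (not the talk's code): an AuthenticationManagerResolver that picks the tenant from the X-TenantId header the gateway set, looks up that tenant's issuer in an allow-list, and lazily builds one JwtDecoder per tenant. The header name, the issuer map and its URIs are constructed; a real deployment would back the map with the tenant directory.

```java
package com.example.multitenancy; // hypothetical package, not the talk's code

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
class TenantResourceServerConfig {
    static final String TENANT_HEADER = "X-TenantId"; // set by the gateway (assumption)

    // Allow-list of issuers per tenant; constructed values standing in for a tenant directory.
    private static final Map<String, String> ISSUER_BY_TENANT = Map.of(
            "dukes", "https://idp.dukes.rock/realms/dukes",
            "beans", "https://idp.beans.rock/realms/beans");

    // Rejects every token; used when the request names no provisioned tenant.
    private static final AuthenticationManager REJECT_ALL = authentication -> {
        throw new InvalidBearerTokenException("Unknown tenant");
    };

    private final Map<String, AuthenticationManager> managers = new ConcurrentHashMap<>();

    @Bean
    AuthenticationManagerResolver<HttpServletRequest> tenantAuthenticationManagerResolver() {
        return request -> {
            String tenantId = request.getHeader(TENANT_HEADER);
            String issuer = tenantId == null ? null : ISSUER_BY_TENANT.get(tenantId);
            if (issuer == null) {
                return REJECT_ALL;
            }
            // One decoder per tenant, built lazily and cached. It loads the JWKS through
            // OpenID discovery and validates the iss claim against this issuer, so a
            // valid Beans token presented under the Dukes tenant fails both the
            // signature check and the issuer check.
            return managers.computeIfAbsent(tenantId, id -> {
                JwtDecoder decoder = JwtDecoders.fromIssuerLocation(issuer);
                return new ProviderManager(new JwtAuthenticationProvider(decoder));
            });
        };
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
            AuthenticationManagerResolver<HttpServletRequest> resolver) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(resolver));
        return http.build();
    }
}
```

Spring Security ships JwtIssuerAuthenticationManagerResolver, which selects the decoder from the token's own iss claim against a fixed list of trusted issuers. Keying on the tenant the gateway resolved instead ties the token to the tenant whose data the request will touch: with both issuers trusted, a token minted for tenant A is still rejected on a request routed as tenant B, which the iss-based variant alone would accept. Whichever variant is used, the issuer must come from an allow-list, never from the unverified token.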

Slide 24

Slide 24 text

What about the guitar?

Slide 25

Slide 25 text

Data Isolation

Slide 26

Slide 26 text

Bonus: Spring AI

Slide 27

Slide 27 text

Resources

Slide 28

Slide 28 text

Resources
• Presentation source code
• How to integrate Hibernate's Multitenant feature with Spring Data JPA in a Spring Boot application
• Multitenancy in Hibernate
• Multitenancy OAuth2 with Spring Security
• Context Propagation with Project Reactor 3
• Creating a custom Spring Cloud Gateway Filter
• Multitenancy with Spring Data JDBC

Slide 29

Slide 29 text

https://github.com/arconia-io

Slide 30

Slide 30 text

Thomas Vitale Jfokus Feb 6th, 2024 Multitenant Mystery Every Bean Has A Secret @vitalethomas