Thomas Vitale Jfokus Feb 6th, 2024 Multitenant Mystery Every Bean Has A Secret @vitalethomas

Systematic • Software Engineer, CNCF Ambassador, Oracle ACE Pro. • Author of “Cloud Native Spring in Action” (Manning). • OSS contributor (Java, Spring, Cloud Native Technologies) Thomas Vitale thomasvitale.com @vitalethomas

Multitenancy @vitalethomas

Multitenancy “…an architecture in which a single running instance of an application simultaneously serves multiple clients (tenants). This is highly common in SaaS solutions.” (Hibernate User Guide) @vitalethomas

No content

1. Tenant @vitalethomas

Tenant Identifying the tenant Tenant Resolution Resolve tenant from HTTP request, AMQP message, JWT… 1 Tenant Content Store the tenant and make it available to the current process 2 Tenant Interceptor Intercept incoming request, resolve tenant, and store in context. 3 @vitalethomas

2. Data Isolation @vitalethomas

Data Isolation Multitenant data management Partitioned Data ‣Tenant as a discriminator (column) ‣Add discriminator to each SQL statement Separate Schema ‣Schema per tenant ‣No altered SQL ‣Add tenant to connection Separate Database ‣Database per tenant ‣No altered SQL ‣Separate connection pools @vitalethomas

Testcontainers Testing with external dependencies OCI containers Run external dependencies as OCI containers, also at development time Data Layer Tests Ensure environment parity by testing the data layer with the real database Integration Tests Use containers for databases, message queues, and web servers @vitalethomas

Schema and data management Flyway: Version control for your database SQL Migrations Schema changes Java Migrations Data changes V1 Init schema V2 Add column V3 Create table V4 Add constraint time @vitalethomas

3. Observability @vitalethomas

Spring Observability Production-grade features Spring Boot Actuator ‣Health (liveness and readiness) ‣Metrics (Prometheus, OpenMetrics) ‣Flyway, Thread Dumps, Heap Dumps Micrometer ‣Uni fi ed Observation API ‣Instrumentation for metrics and traces ‣OpenZipkin, OpenTelemetry @vitalethomas

Multitenant Observability Observation contexts for tenants Logs Include tenant information in each log message Metrics Monitor overall application as we add more tenants Traces Identify traces belonging to each tenant @vitalethomas

4. Gateway @vitalethomas

Multitenant Gateway @vitalethomas https://dukes.rock https://beans.rock GATEWAY SERVICE X-TenantId=dukes X-TenantId=beans Tenant propagation

Spring Cloud Gateway @vitalethomas

5. Security @vitalethomas

Multitenant Security Authenticating and authorizing tenants Authentication Each tenant authenticates via a separate Identity Provider Authorization The JWT signature is veri fi ed with a separate issuer for each tenant Dynamic Tenants Adding new tenants doesn’t require changing the application @vitalethomas

Multitenant Authentication @vitalethomas https://dukes.rock https://beans.rock GATEWAY Dukes IdP Separate identity providers Beans IdP Delegate AuthN

Spring Security - OAuth2 Client Dynamic tenant management spring: security: oauth2: client: registration: keycloak: client-id: edge-service client-secret: polar-keycloak-secret scope: openid provider: keycloak: issuer-uri: http://localhost:8080/realms/PolarBookshop @vitalethomas @Bean ClientRegistrationRepository

Multitenant Authorization @vitalethomas JWT (Dukes) JWT (Beans) SERVICE Dukes IdP JWT veri fi cation per tenant Beans IdP Verify signature

Spring Security - OAuth2 Resource Server Dynamic tenant management spring: security: oauth2: resourceserver: jwt: issuer-uri: http://localhost:8080/realms/PolarBookshop @vitalethomas @Bean AuthenticationManagerResolver

What about the guitar? @vitalethomas

Data Isolation @vitalethomas

Bonus: Spring AI @vitalethomas

Resources @vitalethomas

Resources • Presentation source code • How to integrate Hibernates Multitenant feature with Spring Data JPA in a Spring Boot application • Multitenancy in Hibernate • Multitenancy OAuth2 with Spring Security • Context Propagation with Project Reactor 3 • Creating a custom Spring Cloud Gateway Filter • Multitenancy with Spring Data JDBC @vitalethomas

@vitalethomas https://github.com/arconia-io

Thomas Vitale Jfokus Feb 6th, 2024 Multitenant Mystery Every Bean Has A Secret @vitalethomas