Multitenant Mystery: Every Bean Has a Secret

Thomas Vitale
February 06, 2024

Multitenancy is one of the pillars of modern SaaS solutions. Cloud native technologies provide scalability, resilience, and cost efficiency. But we also need to ensure the proper level of isolation, security, and data control among tenants. This talk will show how to do that in Java and Spring.

Every bean has a secret. To uncover the truth, we must dive into the mysterious world of multitenancy in Spring Boot. The plot thickens as a precious guitar goes missing from a residential building housing only rockers. Something doesn’t quite add up.

Join us on a thrilling journey as we explore the intricacies of multitenant applications. Together, we’ll embark on a detective mission to uncover what really happened to the stolen guitar. As we investigate, we’ll reveal the secrets of storing data safely and securely, configuring authentication and authorization, and enabling observability - all using Java, Hibernate, Keycloak, Micrometer, and Spring.

Put on your detective hat and join us in solving this mystery. We need your expertise to interrogate tenants, analyze facility staff routines, and review surveillance footage. With your help, we will solve the case and bring music back to the building. Get ready to unravel the plot and learn how to implement multitenancy in modern Java applications.

Will you join us on this thrilling adventure?

Transcript

  1. Thomas Vitale
    Jfokus
    Feb 6th, 2024
    Multitenant Mystery
    Every Bean Has A Secret
    @vitalethomas

  2. Systematic
    • Software Engineer, CNCF Ambassador, Oracle ACE Pro.
    • Author of “Cloud Native Spring in Action” (Manning).
    • OSS contributor (Java, Spring, Cloud Native Technologies)
    Thomas Vitale
    thomasvitale.com @vitalethomas

  3. Multitenancy
    @vitalethomas

  4. Multitenancy
    “…an architecture in which a single running instance of an application
    simultaneously serves multiple clients (tenants).
    This is highly common in SaaS solutions.”
    (Hibernate User Guide)
    @vitalethomas

  5. 1. Tenant
    @vitalethomas

  6. Tenant
    Identifying the tenant
    1. Tenant Resolution: resolve the tenant from the HTTP request, AMQP message, JWT…
    2. Tenant Context: store the tenant and make it available to the current process
    3. Tenant Interceptor: intercept the incoming request, resolve the tenant, and store it in the context
    @vitalethomas
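
The three steps above in Spring MVC, as an added example that is not code from the deck: the resolver reads the X-TenantId header shown on the gateway slide, the context is a ThreadLocal holder, and the interceptor ties them together and clears the context after every request. The allow-list of tenant ids and all class names are assumptions.

```java
import java.util.Optional;
import java.util.Set;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.HandlerInterceptor;

// 2. Tenant Context: the tenant of the request handled by the current thread.
final class TenantContext {
    private static final ThreadLocal<String> CURRENT = new ThreadLocal<>();
    static void setTenantId(String tenantId) { CURRENT.set(tenantId); }
    static String getTenantId() { return CURRENT.get(); }
    static void clear() { CURRENT.remove(); }
}

// 1. Tenant Resolution: take the tenant from the X-TenantId header the gateway sets.
// The allow-list (an assumption) keeps arbitrary client-supplied values from becoming tenant ids.
final class HeaderTenantResolver {
    static final String TENANT_HEADER = "X-TenantId";
    private final Set<String> knownTenants;
    HeaderTenantResolver(Set<String> knownTenants) { this.knownTenants = knownTenants; }
    Optional<String> resolve(HttpServletRequest request) {
        String value = request.getHeader(TENANT_HEADER);
        return value != null && knownTenants.contains(value) ? Optional.of(value) : Optional.empty();
    }
}

// 3. Tenant Interceptor: resolve on the way in, store in the context, and always clear
// on the way out so a pooled thread cannot leak one tenant into the next request.
final class TenantInterceptor implements HandlerInterceptor {
    private final HeaderTenantResolver resolver;
    TenantInterceptor(HeaderTenantResolver resolver) { this.resolver = resolver; }

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse res, Object handler) throws Exception {
        Optional<String> tenant = resolver.resolve(req);
        if (tenant.isEmpty()) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing or unknown tenant");
            return false;            // stop the chain: no tenant, no handler
        }
        TenantContext.setTenantId(tenant.get());
        return true;
    }

    @Override
    public void afterCompletion(HttpServletRequest req, HttpServletResponse res, Object handler, Exception ex) {
        TenantContext.clear();       // runs even when the handler threw
    }
}
```

Register the interceptor from a WebMvcConfigurer's addInterceptors method, e.g. with new HeaderTenantResolver(Set.of("dukes", "beans")) for the two tenants on the gateway slide.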

  7. 2. Data Isolation
    @vitalethomas

  8. Data Isolation
    Multitenant data management
    Partitioned Data
    ‣Tenant as a discriminator (column)
    ‣Add discriminator to each SQL statement
    Separate Schema
    ‣Schema per tenant
    ‣No altered SQL
    ‣Add tenant to connection
    Separate Database
    ‣Database per tenant
    ‣No altered SQL
    ‣Separate connection pools
    @vitalethomas
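
The "Separate Schema" option on the Hibernate side, as an added example that is not taken from the deck: a MultiTenantConnectionProvider that attaches the tenant to the connection by switching its schema (so the entity SQL is never altered), and a CurrentTenantIdentifierResolver that reads the tenant from a ThreadLocal context. It assumes Hibernate 6.3 or later (generic SPIs), one schema named after each tenant id, and an allow-list of tenant ids.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Set;
import javax.sql.DataSource;
import org.hibernate.context.spi.CurrentTenantIdentifierResolver;
import org.hibernate.engine.jdbc.connections.spi.MultiTenantConnectionProvider;

// Separate Schema: the tenant is attached to the connection, so the entity SQL is never altered.
// Assumes one schema per tenant named after the tenant id and Hibernate 6.3+ (generic SPIs).
public class SchemaPerTenantConnectionProvider implements MultiTenantConnectionProvider<String> {
    private final DataSource dataSource;
    private final String defaultSchema;
    private final Set<String> knownTenants;   // allow-list: a tenant id becomes a schema name

    public SchemaPerTenantConnectionProvider(DataSource dataSource, String defaultSchema, Set<String> knownTenants) {
        this.dataSource = dataSource; this.defaultSchema = defaultSchema; this.knownTenants = knownTenants;
    }
    @Override public Connection getAnyConnection() throws SQLException {
        Connection c = dataSource.getConnection();
        c.setSchema(defaultSchema);          // tenant-less work (e.g. migrations) stays in the default schema
        return c;
    }
    @Override public void releaseAnyConnection(Connection c) throws SQLException { c.close(); }
    @Override public Connection getConnection(String tenantId) throws SQLException {
        if (!knownTenants.contains(tenantId)) throw new SQLException("Unknown tenant: " + tenantId);
        Connection c = dataSource.getConnection();
        c.setSchema(tenantId);               // the isolation boundary: every statement now runs in this schema
        return c;
    }
    @Override public void releaseConnection(String tenantId, Connection c) throws SQLException {
        c.setSchema(defaultSchema);          // reset before the pool hands the connection to another tenant
        c.close();
    }
    @Override public boolean supportsAggressiveRelease() { return false; }
    @Override public boolean isUnwrappableAs(Class<?> type) { return false; }
    @Override public <T> T unwrap(Class<T> type) { throw new UnsupportedOperationException(); }
}

// Hibernate asks this resolver which tenant the current session belongs to; it reads a
// ThreadLocal context filled by the tenant interceptor (assumed) and refuses to guess.
class ContextTenantIdentifierResolver implements CurrentTenantIdentifierResolver<String> {
    static final ThreadLocal<String> CURRENT_TENANT = new ThreadLocal<>();
    @Override public String resolveCurrentTenantIdentifier() {
        String tenant = CURRENT_TENANT.get();
        if (tenant == null) throw new IllegalStateException("No tenant in context");
        return tenant;                       // failing here is safer than silently using a shared schema
    }
    @Override public boolean validateExistingCurrentSessions() { return true; }
}
```

Hibernate picks both classes up through the hibernate.multi_tenant_connection_provider and hibernate.tenant_identifier_resolver properties, which in Spring Boot can be set from a HibernatePropertiesCustomizer bean.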

  9. Testcontainers
    Testing with external dependencies
    OCI containers: run external dependencies as OCI containers, also at development time
    Data Layer Tests: ensure environment parity by testing the data layer with the real database
    Integration Tests: use containers for databases, message queues, and web servers
    @vitalethomas

  10. Schema and data management
    Flyway: Version control for your database
    SQL Migrations: schema changes
    Java Migrations: data changes
    Ordered in time: V1 Init schema, V2 Add column, V3 Create table, V4 Add constraint
    @vitalethomas

  11. 3. Observability
    @vitalethomas

  12. Spring Observability
    Production-grade features
    Spring Boot Actuator
    ‣Health (liveness and readiness)
    ‣Metrics (Prometheus, OpenMetrics)
    ‣Flyway, Thread Dumps, Heap Dumps
    Micrometer
    ‣Unified Observation API
    ‣Instrumentation for metrics and traces
    ‣OpenZipkin, OpenTelemetry
    @vitalethomas

  13. Multitenant Observability
    Observation contexts for tenants
    Logs: include tenant information in each log message
    Metrics: monitor the overall application as we add more tenants
    Traces: identify traces belonging to each tenant
    @vitalethomas

  14. 4. Gateway
    @vitalethomas

  15. Multitenant Gateway
    Tenant propagation (diagram): https://dukes.rock and https://beans.rock → GATEWAY SERVICE → X-TenantId=dukes / X-TenantId=beans
    @vitalethomas

  16. Spring Cloud Gateway
    @vitalethomas

  17. 5. Security
    @vitalethomas

  18. Multitenant Security
    Authenticating and authorizing tenants
    Authentication: each tenant authenticates via a separate Identity Provider
    Authorization: the JWT signature is verified with a separate issuer for each tenant
    Dynamic Tenants: adding new tenants doesn’t require changing the application
    @vitalethomas

  19. Multitenant Authentication
    Separate identity providers (diagram): https://dukes.rock and https://beans.rock → GATEWAY → Dukes IdP / Beans IdP (delegate AuthN)
    @vitalethomas

  20. Spring Security - OAuth2 Client
    Dynamic tenant management
    spring:
      security:
        oauth2:
          client:
            registration:
              keycloak:
                client-id: edge-service
                client-secret: polar-keycloak-secret
                scope: openid
            provider:
              keycloak:
                issuer-uri: http://localhost:8080/realms/PolarBookshop
    @Bean ClientRegistrationRepository
    @vitalethomas

  21. Multitenant Authorization
    JWT verification per tenant (diagram): JWT (Dukes) and JWT (Beans) → SERVICE → Dukes IdP / Beans IdP (verify signature)
    @vitalethomas

  22. Spring Security - OAuth2 Resource Server
    Dynamic tenant management
    spring:
      security:
        oauth2:
          resourceserver:
            jwt:
              issuer-uri: http://localhost:8080/realms/PolarBookshop
    @Bean AuthenticationManagerResolver
    @vitalethomas
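
The AuthenticationManagerResolver bean the slide refers to, as an added example rather than the deck's own code: per-tenant JWT verification built on Spring Security's JwtIssuerAuthenticationManagerResolver, replacing the single static issuer-uri above. The TrustedIssuerRegistry interface is a hypothetical stand-in for wherever tenant issuers are stored (a tenant table, for instance).

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical lookup of the issuers the application trusts (e.g. a tenant table):
// adding a tenant means adding a row here, not redeploying with a new issuer-uri.
interface TrustedIssuerRegistry {
    boolean isTrusted(String issuerUri);
}

@Configuration
public class MultitenantResourceServerConfig {
    private final TrustedIssuerRegistry registry;
    private final Map<String, AuthenticationManager> managers = new ConcurrentHashMap<>();

    public MultitenantResourceServerConfig(TrustedIssuerRegistry registry) { this.registry = registry; }

    @Bean
    AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver() {
        // Spring parses the still-unverified "iss" claim of the bearer token and hands it to this lambda.
        // The claim is only a lookup key: the decoder built from the trusted issuer fetches that
        // issuer's JWKS, verifies the signature, and re-checks "iss" against the trusted value.
        return new JwtIssuerAuthenticationManagerResolver(issuer -> {
            if (!registry.isTrusted(issuer)) {
                return null;   // unknown issuer: Spring rejects the token (401) without fetching any keys
            }
            return managers.computeIfAbsent(issuer, iss ->
                new ProviderManager(new JwtAuthenticationProvider(JwtDecoders.fromIssuerLocation(iss))));
        });
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    AuthenticationManagerResolver<HttpServletRequest> resolver) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(resolver));
        return http.build();
    }
}
```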

  23. What about the guitar?
    @vitalethomas

  24. Data Isolation
    @vitalethomas

  25. Bonus: Spring AI
    @vitalethomas

  26. Resources
    @vitalethomas

  27. Resources
    • Presentation source code
    • How to integrate Hibernate's Multitenant feature with Spring Data JPA in a Spring Boot application
    • Multitenancy in Hibernate
    • Multitenancy OAuth2 with Spring Security
    • Context Propagation with Project Reactor 3
    • Creating a custom Spring Cloud Gateway Filter
    • Multitenancy with Spring Data JDBC
    @vitalethomas

  28. @vitalethomas
    https://github.com/arconia-io

  29. Thomas Vitale
    Jfokus
    Feb 6th, 2024
    Multitenant Mystery
    Every Bean Has A Secret
    @vitalethomas
