Multitenant Mystery - Only Rockers in the Building

Multitenancy is one of the pillars of modern SaaS solutions. Cloud native technologies provide scalability, resilience and cost efficiency. But we also need to ensure the proper level of isolation, security and data control among tenants. This talk will show how to do that in Java and Spring.

Every bean has a secret. To uncover the truth, we must dive into the mysterious world of multitenancy in Spring Boot. The plot thickens as a precious guitar goes missing from a residential building housing only rockers. But something doesn’t quite add up - why is there a deafening silence?

Join us on a thrilling journey as we explore the intricacies of multitenant applications. Together, we’ll embark on a detective mission to uncover what really happened to the stolen guitar. As we investigate, we’ll reveal the secrets of storing data safely and securely, configuring authentication and authorization, and enabling observability - all using Java, Hibernate, Keycloak, and Spring.

Put on your detective hat and join us in solving this mystery. We need your expertise to interrogate tenants, analyze facility staff routines, and review surveillance footage. With your help, we will solve the case and bring music back to the building. Get ready to unravel the plot and learn how to implement multitenancy in modern Java applications.

Will you join us on this thrilling adventure?

Thomas Vitale

May 19, 2023

Transcript

  1. Thomas Vitale
    Spring I/O
    May 19th, 2023
    Multitenant Mystery
    Only Rockers in the Building
    @vitalethomas

  2. Systematic
    • Software Engineer and Cloud Architect.
    • Author of “Cloud Native Spring in Action” (Manning).
    • OSS contributor (Java, Spring, Cloud Native Technologies)
    Thomas Vitale
    thomasvitale.com @vitalethomas

  3. Multitenancy
    @vitalethomas

  4. Multitenancy
    “…an architecture in which a single running instance of an application simultaneously serves multiple clients (tenants). This is highly common in SaaS solutions.”
    (Hibernate User Guide)
    @vitalethomas

  5. Why
    @vitalethomas

  6. 1. Tenant
    @vitalethomas

  7. Tenant
    Identifying the tenant
    1. Tenant Resolver: resolve the tenant from the HTTP request, AMQP message, JWT…
    2. Tenant Context: store the tenant and make it available to the current process.
    3. Tenant Interceptor: intercept the incoming request, resolve the tenant, and store it in the context.
    @vitalethomas
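
The three pieces from this slide as an added Spring MVC example (not code from the talk): a resolver that reads the X-TenantId header the gateway sets, a ThreadLocal-backed context, and an interceptor that fills and clears it. The allowlist of known tenants, the header shape and the class names are assumptions.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.HttpStatus;
import org.springframework.web.server.ResponseStatusException;
import org.springframework.web.servlet.HandlerInterceptor;
import java.util.Set;
import java.util.regex.Pattern;

// 1. Tenant Resolver: reads the tenant from the X-TenantId header the gateway sets
//    and accepts only well-formed identifiers that are actually registered.
final class HeaderTenantResolver {
    static final String HEADER = "X-TenantId";
    private static final Pattern SHAPE = Pattern.compile("[a-z0-9-]{1,32}");
    private final Set<String> knownTenants; // assumed: loaded from a tenant registry

    HeaderTenantResolver(Set<String> knownTenants) { this.knownTenants = knownTenants; }

    String resolve(HttpServletRequest request) {
        String tenant = request.getHeader(HEADER);
        if (tenant == null || !SHAPE.matcher(tenant).matches() || !knownTenants.contains(tenant)) {
            // Fail closed: no silent fallback to a default tenant.
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Unknown tenant");
        }
        return tenant;
    }
}

// 2. Tenant Context: makes the tenant available to the rest of the request thread.
final class TenantContext {
    private static final ThreadLocal<String> CURRENT = new ThreadLocal<>();
    static void set(String tenant) { CURRENT.set(tenant); }
    static String get() { return CURRENT.get(); }
    static void clear() { CURRENT.remove(); }
}

// 3. Tenant Interceptor: resolves the tenant before the handler runs and always clears
//    it afterwards, so a pooled thread cannot leak one tenant into the next request.
final class TenantInterceptor implements HandlerInterceptor {
    private final HeaderTenantResolver resolver;
    TenantInterceptor(HeaderTenantResolver resolver) { this.resolver = resolver; }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        TenantContext.set(resolver.resolve(request));
        return true;
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) {
        TenantContext.clear();
    }
}
```

Register the interceptor through a WebMvcConfigurer's addInterceptors; the header is only as trustworthy as the gateway that sets it, so the service should not be reachable on a path that bypasses the gateway.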

  8. 2. Data Isolation
    @vitalethomas

  9. Data Isolation
    Multitenant data management
    Partitioned Data
    ‣ Tenant as a discriminator (column)
    ‣ Add discriminator to each SQL statement
    Separate Schema
    ‣ Schema per tenant
    ‣ No altered SQL
    ‣ Add tenant to connection
    Separate Database
    ‣ Database per tenant
    ‣ No altered SQL
    ‣ Separate connection pools
    @vitalethomas
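
The partitioned-data strategy from this slide as an added example (not the talk's code): Hibernate's @TenantId marks the discriminator column and a CurrentTenantIdentifierResolver supplies the tenant from the request context. It assumes Spring Boot 3.2+ with Hibernate 6.4+ (generic resolver interface); the TenantContext holder, entity and bean names are assumptions.

```java
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import org.hibernate.annotations.TenantId;
import org.hibernate.cfg.AvailableSettings;
import org.hibernate.context.spi.CurrentTenantIdentifierResolver;
import org.springframework.boot.autoconfigure.orm.jpa.HibernatePropertiesCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Request-scoped tenant holder (assumed: filled by a tenant interceptor as on slide 7).
final class TenantContext {
    private static final ThreadLocal<String> CURRENT = new ThreadLocal<>();
    static void set(String tenant) { CURRENT.set(tenant); }
    static String get() { return CURRENT.get(); }
    static void clear() { CURRENT.remove(); }
}

// Hibernate asks this resolver for the tenant identifier when it opens a session. The value
// comes from the request context, never from the entity or from the client payload.
final class ContextTenantResolver implements CurrentTenantIdentifierResolver<String> {
    @Override
    public String resolveCurrentTenantIdentifier() {
        String tenant = TenantContext.get();
        if (tenant == null) {
            // Fail closed: a session without a tenant would otherwise not be restricted.
            throw new IllegalStateException("No tenant in context");
        }
        return tenant;
    }
    @Override
    public boolean validateExistingCurrentSessions() { return true; }
}

// Partitioned data: @TenantId marks the discriminator column. Hibernate fills it on insert
// and adds the tenant restriction to the queries it generates for this entity.
@Entity
class Guitar {
    @Id Long id;
    @TenantId String tenantId;
    String model;
}

@Configuration
class MultitenancyConfig {
    @Bean
    HibernatePropertiesCustomizer tenantIdentifierResolver() {
        return props -> props.put(AvailableSettings.MULTI_TENANT_IDENTIFIER_RESOLVER, new ContextTenantResolver());
    }
}
```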

  10. Testcontainers
    Testing with external dependencies
    OCI containers: run external dependencies as OCI containers, also at development time.
    Data Layer Tests: ensure environment parity by testing the data layer with the real database.
    Integration Tests: use containers for databases, message queues, and web servers.
    @vitalethomas

  11. Schema and data management
    Flyway: Version control for your database
    SQL Migrations: schema changes
    Java Migrations: data changes
    Migration timeline: V1 Init schema → V2 Add column → V3 Create table → V4 Add constraint
    @vitalethomas

  12. 3. Observability
    @vitalethomas

  13. Multitenant Observability
    Observation contexts for tenants
    Logs: include tenant information in each log message.
    Metrics: monitor the overall application as we add more tenants.
    Traces: identify traces belonging to each tenant.
    @vitalethomas

  14. Spring Observability
    Production-grade features
    Spring Boot Actuator
    ‣ Health (liveness and readiness)
    ‣ Metrics (Prometheus, OpenMetrics)
    ‣ Flyway, Thread Dumps, Heap Dumps
    Micrometer
    ‣ Unified Observation API
    ‣ Instrumentation for metrics and traces
    ‣ OpenZipkin, OpenTelemetry
    @vitalethomas

  15. 4. Gateway
    @vitalethomas

  16. Multitenant Gateway
    Diagram (tenant propagation): https://dukes.rock and https://beans.rock → GATEWAY SERVICE → X-TenantId=dukes / X-TenantId=beans
    @vitalethomas

  17. Spring Cloud Gateway
    @vitalethomas

  18. 5. Security
    @vitalethomas

  19. Multitenant Security
    Authenticating and authorizing tenants
    Authentication: each tenant authenticates via a separate Identity Provider.
    Authorization: the JWT signature is verified with a separate issuer for each tenant.
    Dynamic Tenants: adding new tenants doesn’t require changing the application.
    @vitalethomas

  20. Multitenant Authentication
    Diagram (delegate AuthN, separate identity providers): https://dukes.rock → GATEWAY → Dukes IdP; https://beans.rock → GATEWAY → Beans IdP
    @vitalethomas

  21. Spring Security - OAuth2 Client
    Dynamic tenant management
    spring:
      security:
        oauth2:
          client:
            registration:
              keycloak:
                client-id: edge-service
                client-secret: polar-keycloak-secret
                scope: openid
            provider:
              keycloak:
                issuer-uri: http://localhost:8080/realms/PolarBookshop
    @Bean
    ReactiveClientRegistrationRepository
    @vitalethomas

  22. Multitenant Authorization
    Diagram (JWT verification per tenant, verify signature): JWT (Dukes) → SERVICE → Dukes IdP; JWT (Beans) → SERVICE → Beans IdP
    @vitalethomas

  23. Spring Security - OAuth2 Resource Server
    Dynamic tenant management
    spring:
      security:
        oauth2:
          resourceserver:
            jwt:
              issuer-uri: http://localhost:8080/realms/PolarBookshop
    @Bean
    AuthenticationManagerResolver
    @vitalethomas
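
The AuthenticationManagerResolver bean this slide points at, as an added example (not the talk's code) covering slides 19, 22 and 23: one Spring Security 6 resource server that verifies each tenant's JWT against that tenant's own issuer, with issuers allowlisted from a registry so new tenants need no code change. TenantRegistry and the class names are assumptions.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;
// Assumed: answers whether an issuer URI belongs to an onboarded tenant (e.g. a tenants table).
// New tenants are registered here, so the application code never changes.
interface TenantRegistry {
    boolean isTrustedIssuer(String issuer);
}

@Configuration
class ResourceServerConfig {
    private final TenantRegistry registry;
    private final Map<String, AuthenticationManager> managers = new ConcurrentHashMap<>();

    ResourceServerConfig(TenantRegistry registry) { this.registry = registry; }
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // The resolver reads the token's "iss" claim (still unverified at this point) only to
        // choose a decoder; that decoder then checks the signature against the tenant's JWKS
        // and validates "iss" and "exp", so a Dukes token cannot be accepted as a Beans token.
        var resolver = new JwtIssuerAuthenticationManagerResolver(this::managerFor);
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(resolver));
        return http.build();
    }

    private AuthenticationManager managerFor(String issuer) {
        if (!registry.isTrustedIssuer(issuer)) {
            // null makes the resolver reject the token as an invalid issuer instead of
            // fetching keys from whatever URL the "iss" claim points at.
            return null;
        }
        return managers.computeIfAbsent(issuer, iss -> {
            // OIDC discovery against the tenant's realm (e.g. a Keycloak realm), cached per issuer.
            JwtDecoder decoder = JwtDecoders.fromIssuerLocation(iss);
            JwtAuthenticationProvider provider = new JwtAuthenticationProvider(decoder);
            return provider::authenticate;
        });
    }
}
```

JwtDecoders.fromIssuerLocation performs discovery over the network the first time an issuer is seen, so the registry check must run before it, as above.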

  24. What about the guitar?
    @vitalethomas

  25. Data Isolation
    @vitalethomas

  26. Next Steps
    @vitalethomas

  27. Resources
    • Presentation source code
    • How to integrate Hibernates Multitenant feature with Spring Data JPA in a Spring Boot application
    • Multitenancy in Hibernate
    • Multitenancy OAuth2 with Spring Security
    • Context Propagation with Project Reactor 3
    • Creating a custom Spring Cloud Gateway Filter
    • Multitenancy with Spring Data JDBC
    @vitalethomas

  28. Thomas Vitale
    Spring I/O
    May 19th, 2023
    Multitenant Mystery
    Only Rockers in the Building
    @vitalethomas
