
Using the "single database multi-schema" strategy of multitenancy, I want to make purely isolated connections to the database for each tenant.

I thought to reach it in small phases:

  1. Phase 1: Created multiple schemas in a database and, per request, based on the tenant identifier, performed the datasource switching. Internally I had a separate schema for each tenant, and based on the tenant identifier I was executing the SQL queries on a particular schema.

        getConnection(tenantIdentifier){
            set search_path to "tenantIdentifier";
            execute sql queries;
        }

  2. Phase 2: Earlier the connection was created by a superuser, so basically it was not purely isolated, as the user has the permission to access different schemas. So I want to create a credential-based approach to make the connection purely isolated, for which I need to create users with login credentials and granted permissions to access a particular schema only.

To address this, either:

  1. Approach 1: I can create a map of tenant and user, using which I can create a database connection for each request.

     Con: For each request, if we want to create a datasource using the user credentials, it will take more time to access the DB, hence the next approach.

  2. Approach 2: I can create an in-memory map of datasources created using the tenant and user credentials. Every time a new user comes, we can create the datasource object once and keep it in memory for future requests.

     Con: With the increase in the number of tenants, the in-memory list will also increase.

Is there any better solution than this to have a connection for each tenant, or any improvement in the approach? Any guidance will help me.

  • What goals do you want to accomplish? Just run multiple databases or multiple servers/instances for hard isolation. The latter gives you the most isolation for compute resources and security. Security isolation is relatively straightforward on what's in/out (it's more than just superuser/admin). Resource isolation is a whole different beast where 1 noisy neighbor can ruin everybody's day. Finally, your approach 2 is really a latency optimization of approach 1. Suggest updating your post to clearly state your goals and constraints. Commented Nov 14, 2023 at 22:31
  • Thanks @SQLmojoe, to go with 2nd approach for its advantages. Then, there can be x1000s of DataSource objects residing in-memory. Is there any recommended way to manage the objects efficiently, as there can be other challenges like configuring the datasource with different properties (multitenancy strategy, naming strategy, MultiTenantConnectionProviderImpl, TenantIdentifierResolverImpl) and LocalContainerEntityManagerFactoryBean to be associated with each datasource object? Commented Nov 16, 2023 at 17:25
  • It will be great if someone can share how to create the beans (datasource, entitymanagerfactory and transaction manager) and how Spring will determine which beans are associated together for a particular tenant/datasource. Commented Nov 16, 2023 at 17:47
  • I wasn't advocating for #2; just calling out that it's a latency optimization for #1. If you're using a database that supports schemas as in the object hierarchy is something like database.schema.table, database.schema.view, etc... and you have access controls at the schema level, let the database do its job. AFAIK, PostgreSQL supports both so let PG do the work; it is not easy to roll your own correctly/safely. Each tenant has its own schema and their role (user) is granted access to only their own schema. This does nothing for resource isolation hence the earlier question about your goals. Commented Nov 22, 2023 at 17:59
  • Okay. So my goal is to access data using a connection which has access to only one schema, so how to manage the connections (datasource objects) per schema? If I create connection using the username and password on http request it will take more hence my approach #2. If there is any better way please suggest. Commented Nov 23, 2023 at 18:16
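The per-schema role setup that Phase 2 and the comments above describe, written out for PostgreSQL as an added example (not code from the question or its commenters). The names `app_db`, `tenant_a` and `tenant_a_app` and the password are constructed placeholders, and the script assumes it is run by the administrative role that owns the tenant schema and creates its tables.

```sql
-- Constructed placeholders: app_db (database), tenant_a (schema),
-- tenant_a_app (tenant login role). Run as the role that owns the schema.

-- Login role for one tenant: no superuser, no ability to create roles or databases.
CREATE ROLE tenant_a_app LOGIN PASSWORD 'replace-with-generated-secret'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

CREATE SCHEMA tenant_a;

-- Remove what every role inherits through PUBLIC, then grant back only
-- what this tenant needs.
REVOKE ALL ON DATABASE app_db FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT CONNECT ON DATABASE app_db TO tenant_a_app;

-- Access to this tenant's schema only: use it, but not create objects in it.
GRANT USAGE ON SCHEMA tenant_a TO tenant_a_app;
GRANT SELECT, INSERT, UPDATE, DELETE
    ON ALL TABLES IN SCHEMA tenant_a TO tenant_a_app;
GRANT USAGE, SELECT
    ON ALL SEQUENCES IN SCHEMA tenant_a TO tenant_a_app;

-- Tables and sequences created later by the current role (for example by
-- migrations) receive the same grants automatically.
ALTER DEFAULT PRIVILEGES IN SCHEMA tenant_a
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO tenant_a_app;
ALTER DEFAULT PRIVILEGES IN SCHEMA tenant_a
    GRANT USAGE, SELECT ON SEQUENCES TO tenant_a_app;

-- Pin search_path on the role, so a connection opened with these credentials
-- resolves unqualified names to the tenant schema without a per-request SET.
ALTER ROLE tenant_a_app IN DATABASE app_db SET search_path = tenant_a;

-- Verification: list every non-system schema, other than its own, that the
-- tenant role can use. The expected result is zero rows.
SELECT n.nspname
FROM pg_namespace AS n
WHERE n.nspname <> 'tenant_a'
  AND n.nspname !~ '^pg_'
  AND n.nspname <> 'information_schema'
  AND has_schema_privilege('tenant_a_app', n.oid, 'USAGE');
```

With the role restricted this way, a wrong tenant identifier in the application can at worst fail with a permission error, because the database itself refuses cross-schema access.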
