Multi-tenant

[gedw99]

I can imagine that sone people may want to use the filter concepts to do multi tenant also.

So an org has certain roles and users. When an org connects we detect the org via sone header ( or otherwise ) and then apply the org filtere on all queries and mutations . It’s a middleware guard that is always applied.

the roles and users are available to that org user over the introspection api too based on org , so that any IDE is multi tenant aware.

I don’t know if the filters conceit would be enough to restrict table access.

[dosco]

We have a concept of namespace you can OptionSetNamespace(string) when creating the core instance or use SetNamespace(string) on the ReqConfig object for a per request setting. Namespaces are a way to group queries in the allow list. Query names are prefixed with the namespace. However it does not apply to configs like the table / role configs.

At the time I couldn't think a good usecase for namespace level filters. You could do what you suggested with a single tabel level { tenant_id: { equals: $tenantID } } filter and set the tenantID variable using ReqConfig

[dosco]

Across databases its better to just have multiple instances of GraphJin core but as I understand you're suggesting this as a way to tenant within a single database correct?

[gedw99]

Yeah I am interested in multi tenant with single db.

It’s to save costs . A team with many services could use the one db and so save money and complexity.

[dosco]

what if we support multiple roles for a single query that way member of org x can be a role when applied it adds in its own filters along with the ones for the other roles

[gedw99]

I don’t understand how that helps a team ?

Let’s say you have 10 orgs using a single db

Each org has their own services. Say service A to D , so 4 services in their middle tier. I guess each on runs graphjin core .

Each org shares roles , users and user to groups mapping . Typically an orgs services like to reuse their roles / users between their services. It’s a reasonably assumption.

Each org would basically be isolated from the other orgs.

That’s what I see as an archi type very often .

mid org 1 outgrows the shared db, they migrate to their own db layer .

[dosco]

I'm taking about the mechaism of achieving what you originally thought about "apply the org filter on all queries and mutations". We could achive this using the role mechanism even without adding multiple roles you could just define a role using a role_query or passing it in with the request and what you originally wanted would happen.

[dosco]

Each org shares roles , users and user to groups mapping . Typically an orgs services like to reuse their roles / users between their services. It’s a reasonably assumption.

yes you would have all that if we had multiple roles so a person A could have the roles "member_of_org_1, viewer, admin" and person B could have the roles ""member_of_org_2, viewer, user"

[gedw99]

Hey @dosco

I got stuck on setup.

I cant connect using cockroach. Hope you don't mind me trying it, even though not officially supported.

heres the issue:

make ex-start
WARN    database ping: failed to connect to `host=localhost:26257 user=root database=defaultdb`: hostname resolving error (lookup localhost:26257: no such host)

REPRO:

makefile:

BIN=$(PWD)/$(REPO_NAME)/graphjin

### DB 

DB_WEB_URL=http://localhost:8080
DB_URL=postgresql://root@localhost:26257/defaultdb?sslmode=disable

db-start:
	# https://www.cockroachlabs.com/docs/stable/install-cockroachdb-mac.html
        brew install cockroachdb/tap/cockroach
	which cockroach

        # start it in insure mode.
	cockroach start-single-node --insecure --store=attrs=ssd,path=$(PWD)/cockroach-data --listen-addr=localhost:36257 --sql-addr=localhost:26257

### EX

EX_NAME=test

EX_ROOT_FSPATH=$(PWD)/example/
EX=$(EX_ROOT_FSPATH)/$(EX_NAME)

ex-print:
	@echo ""
	@echo "EX:    $(EX)"

ex-new:
	cd $(EX_ROOT_FSPATH) && $(BIN) new --db-url=$(DB_URL) $(EX_NAME)
ex-new-del:
	rm -rf $(EX)


EX_CMD=cd $(EX) && $(BIN)
ex-start:
	$(EX_CMD) serve

[gedw99]

Still trying to work it out :)

This golang web admin can connect with that $(DB_URL).

## DB ADMIN

db-gui-dep:
	git clone https://github.com/sosedoff/pgweb
db-gui-build:
	cd pgweb && $(MAKE) build
db-gui-run:
	cd pgweb && ./pgweb --url=$(DB_URL)
	# http://localhost:8081/

make db-gui-run
cd pgweb && ./pgweb --url=postgresql://root@localhost:26257/defaultdb?sslmode=disable
Pgweb v0.14.0 (git: d5e72f92b50972fdf1a88a65b5eab0bcc88c938d) (go: go1.20.1) (build time: 2023-02-24T13:43:11Z) (arch: darwin/amd64)
Connecting to server...
Connected to CockroachDB 22.2.5
Checking database objects...
Starting server...
To view database open http://localhost:8081/ in browser
INFO[0001] http_request                                  duration=5.850878ms duration_ms=5 method=GET path=/ remote_addr=127.0.0.1 status=200
INFO[0001] http_request                                  duration="185.18µs" duration_ms=0 method=GET path=/api/info remote_addr=127.0.0.1 status=200
INFO[0001] http_request                                  duration=1.158072ms duration_ms=1 method=GET path=/api/connection remote_addr=127.0.0.1 status=200
INFO[0001] http_request                                  duration=1.478919ms duration_ms=1 method=GET path=/api/schemas remote_addr=127.0.0.1 status=200
INFO[0003] http_request                                  duration=1.131578336s duration_ms=1131 method=GET path=/api/objects remote_addr=127.0.0.1 status=200