Tuesday, December 22, 2009

Authentication in multi-tenant service

Recently, I implemented the authentication service in CollectionSpace. Apart from the multi-tenancy requirements, it is also expected that tenants might have their own identity providers (e.g. CalNet, LDAP, Kerberos, etc.). It is also expected that a tenant might use more than one identity provider, e.g. CalNet for users involved with collection management and OpenID for research students, perhaps.


Tenant-aware security context

I implemented a JAAS LoginModule in CollectionSpace (see here) that retrieves the user's association with tenant(s) during the commit phase of the authentication process. This association is made at the time of provisioning an account for the user in CollectionSpace. During the commit phase, a group named Tenants is created; it contains one or more members, each representing a tenant in the system with which the user is associated. I think this approach has the following advantages:
  1. User identifier remains independent of the user's association with a tenant.
  2. Because tenant is modeled as a group, access control permissions/policies could be written with explicit knowledge about the tenant. In other words, the permissions/policies could be tenant-qualified.
I will provide a concrete example in a subsequent post to explain how this works.
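To make the commit-phase idea concrete, here is an added illustration in Java (not CollectionSpace's own LoginModule): a hypothetical `TenantAwareLoginModule` that, on `commit()`, adds a tenant-independent user principal plus a `Tenants` group principal whose members are the tenants the account was provisioned for, and a `hasTenant` helper showing what a tenant-qualified authorization check looks like. The account-to-tenant map, the user and tenant names, and the `TenantPrincipal`/`TenantsGroup` classes are all constructed for this example; the group is a plain `Principal` rather than `java.security.acl.Group`, since that interface was removed from the JDK. Credential verification is left to the identity-provider module that would precede this one in the JAAS stack.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** One tenant the user is associated with (constructed for this example). */
final class TenantPrincipal implements Principal {
    private final String id;
    TenantPrincipal(String id) { this.id = id; }
    @Override public String getName() { return id; }
    @Override public boolean equals(Object o) { return o instanceof TenantPrincipal && ((TenantPrincipal) o).id.equals(id); }
    @Override public int hashCode() { return id.hashCode(); }
    @Override public String toString() { return "Tenant(" + id + ")"; }
}

/** Group principal named "Tenants"; its members are the user's TenantPrincipals. */
final class TenantsGroup implements Principal {
    private final Set<TenantPrincipal> members = new LinkedHashSet<>();
    @Override public String getName() { return "Tenants"; }
    void addMember(TenantPrincipal p) { members.add(p); }
    boolean isMember(String tenantId) { return members.contains(new TenantPrincipal(tenantId)); }
    Set<TenantPrincipal> members() { return Collections.unmodifiableSet(members); }
}

public class TenantAwareLoginModule implements LoginModule {
    // Constructed stand-in for the provisioning store: account name -> tenant ids.
    private static final Map<String, List<String>> ACCOUNT_TENANTS = Map.of(
        "alice", List.of("museum", "research-lab"),
        "bob",   List.of("museum"));

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean loginOk;
    private final Set<Principal> added = new HashSet<>(); // for abort()/logout() cleanup

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        try {
            handler.handle(new Callback[] { nc });
        } catch (Exception e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        user = nc.getName();
        // Password/assertion checking is the identity provider module's job; this
        // module only resolves tenant membership, so a user without a provisioned
        // account fails here and contributes no principals.
        loginOk = user != null && ACCOUNT_TENANTS.containsKey(user);
        return loginOk;
    }

    @Override
    public boolean commit() {
        if (!loginOk) return false;
        TenantsGroup tenants = new TenantsGroup();
        for (String t : ACCOUNT_TENANTS.get(user)) tenants.addMember(new TenantPrincipal(t));
        Principal userPrincipal = () -> user;   // user identifier stays tenant-independent
        added.add(userPrincipal);
        added.add(tenants);
        subject.getPrincipals().addAll(added);
        return true;
    }

    @Override public boolean abort()  { cleanup(); return true; }
    @Override public boolean logout() { cleanup(); return true; }

    private void cleanup() {
        subject.getPrincipals().removeAll(added);
        added.clear();
        loginOk = false;
    }

    /** Tenant-qualified check: a policy can require the subject to belong to tenantId. */
    static boolean hasTenant(Subject s, String tenantId) {
        for (TenantsGroup g : s.getPrincipals(TenantsGroup.class)) {
            if (g.isMember(tenantId)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws LoginException {
        Subject s = new Subject();
        CallbackHandler h = cbs -> { for (Callback c : cbs) if (c instanceof NameCallback) ((NameCallback) c).setName("alice"); };
        TenantAwareLoginModule m = new TenantAwareLoginModule();
        m.initialize(s, h, Map.of(), Map.of());
        if (m.login()) m.commit();
        System.out.println(s.getPrincipals(TenantsGroup.class).iterator().next().members()); // [Tenant(museum), Tenant(research-lab)]
        System.out.println(hasTenant(s, "research-lab") + " " + hasTenant(s, "archive"));      // true false
    }
}
```

Because the tenant list is attached only in `commit()`, a failed module elsewhere in the stack (and the resulting `abort()`) leaves the Subject with no tenant membership at all; the `hasTenant` check is what a resource-level policy would call to make a permission tenant-qualified rather than global.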
