Open jonwhitty opened 2 years ago
Any update here? How much of this can be done with schema design and/or identifier prefixing (examples welcome)? Any where the "really good detailed design ideas" have been posted? Is this getting discussed somewhere else? Thanks!
In our experience, logical multi-tenancy as a solution for isolation is not that compelling and, often times, has significant performance impacts.
If you need fully isolated permission systems, it is highly recommended to run distinct clusters, which is easy to do via tools such as the SpiceDB Operator. This ensures that there is no chance of one system impacting the other, whether from security or performance perspectives.
If you need permission systems to share resources, this implies that you have, in fact, a single permission system, and it is recommended to use prefixes to provide logical identification of the resource types for each "portion" of the permission system. This also typically involves having each team submit their portion of the schema, and having tooling to combine the schema (usually via CI) to produce the final schema that will be used overall.
For this combined use case, we have work coming in the new year that will allow for fine-grained access, to ensure that API calls are restricted to the portion of the overall permission system that is necessary.
In our experience, logical multi-tenancy as a solution for isolation is not that compelling and, often times, has significant performance impacts.
If you need fully isolated permission systems, it is highly recommended to run distinct clusters, which is easy to do via tools such as the SpiceDB Operator. This ensures that there is no chance of one system impacting the other, whether from security or performance perspectives.
If you need permission systems to share resources, this implies that you have, in fact, a single permission system, and it is recommended to use prefixes to provide logical identification of the resource types for each "portion" of the permission system. This also typically involves having each team submit their portion of the schema, and having tooling to combine the schema (usually via CI) to produce the final schema that will be used overall.
For this combined use case, we have work coming in the new year that will allow for fine-grained access, to ensure that API calls are restricted to the portion of the overall permission system that is necessary.
@josephschorr any progress on the "combined use case"?
Our user case is different from above.
We have multiple products, each product designs its own permission, but all products share the same account. Just like a Google account can be used accross all google products, and thoese products share some account information, some of the shared information is stored outside spicedb (such as username, password, avatar...), Some of the shared information is stored within spicedb (such as, role, orgnization structure, user groups, corporation-membership...).
So if we deploy each product into a distinct spicedb, those shared spicedb data need be replicated accross spicedb, this is not easy to maintain the data integrity.
So we want to adopt the "schema combination" method, that is each product design its own schema and then combine all schemas into a united one. To avoid name conflication, a distinct prefix will be enfored to all object defintions. But the difficult for this method is to parse the schema file syntax and correctly prefix the object. So if authzed itself supports such kind of prefixing or schema combination that would be easy.
@josephschorr any progress on the "combined use case"?
Yes, the paid offering of SpiceDB has support for fine-grained authorization tokens: https://authzed.com/docs/spicedb-enterprise/fgam
But the difficult for this method is to parse the schema file syntax and correctly prefix the object.
Presumably you'd have each team name it with a prefix matching the team. SpiceDB supports prefixes (with arbitrary nesting) on definitions ala definition foo/bar/baz { ... }
Summary
The purpose of this issue is to start a discussion around supporting multi-tenant use cases in spicedb. Spicedb today does not support a multi-tenant topology - meaning that there is no representation of independent tenants or any form of tenant isolation mechanisms.
Motivation
The motivation behind this work is to facilitate the administration of and deployment of a spicedb server that can serve more than one tenant at a time and respect/honor common asks from organizations in a multi-tenant architecture. These include but are not limited to:
Use Cases
I have some really good detailed design ideas around these things, but I wanted to start with an open discussion first. We can provide more concrete design details once we've settled on a strategy/plan for the degree of support we want to introduce.