bernardopires / django-tenant-schemas

Tenant support for Django using PostgreSQL schemas.
https://django-tenant-schemas.readthedocs.org/en/latest/
MIT License
1.46k stars 424 forks

Auth in Shared App - Access to Specific Tenant Apps #346

Open mogosselin opened 8 years ago

mogosselin commented 8 years ago

Hello,

I was wondering if there was a way already to have the authentication in the 'shared' app, but making each user access their specific domain names? In summary, is there a way to link a user to a specific tenant at the moment (I didn't find anything in the documentation)?

At the moment, I have the auth app in the 'tenant' apps, but I'm not sure it's the best approach for my case. If I want a 'super admin' user, we'll need to have a super admin in all of the tenant schemas. If we need to change the permissions, groups, etc., we'll need to do it in all the schemas. etc.

If a solution doesn't already exist, I was thinking about extending the User model with the 'Profile' feature, adding a 'tenant_id' field to it, and associate the users with it. After that, we'll need to check the access, probably with a middleware.

Anyway, let me know if there's already something for that or if I need to build a custom solution for this case?

Thank you!

Viatrak commented 8 years ago

Hi @mogosselin

We built an open source solution 'django-tenant-users' that tries to address the issue of global users and tenant-specific permissions with django-tenant-schemas.

https://pypi.python.org/pypi/django-tenant-users

It's at an early version currently and has not been extensively tested. Feedback and bug reports would be welcome!

rodolfomartinez commented 8 years ago

+1

bartmika commented 8 years ago

+1

mogosselin commented 7 years ago

We ended up creating our own solution without using different schemas, which was a bit overkill for our use case. So we extended the User model with an ID that points to the correct company. Each company has a sub domain name. This sub domain name is checked against the current URL in a middleware that validates if the user has access to the current company (subdomain). And that's all there is to it really.

bernardopires commented 7 years ago

Wouldn't it be possible to just put all users in a shared app? You could then associate a tenant to each user and write a middleware that routes to the correct tenant based on the user instead of the domain name.

Viatrak commented 7 years ago

@bernardopires

What's the point of a global user if it can't access multiple tenants?

On the flip side, if it can access multiple tenants, then the problem becomes that there is only 1 set of "permissions" for that user. Would that set of permissions apply globally to ALL tenants then?

Permissions need to be per-tenant while a user needs to be shared (global to all tenants). Separating authentication from authorization is really the key here and, unfortunately, Django tightly couples those two things.

bernardopires commented 7 years ago

Why would it need to access multiple tenants? The OP said "each users access their specific domain names". To me it sounded like it should only access one, just the auth should be possible from the main domain (presumably the shared app).

Viatrak commented 7 years ago

I agree that if the only goal is to be able to authenticate from the shared domain, then simply making the users app shared and associating a user to a single tenant seems like a fine solution.

> If I want a 'super admin' user, we'll need to have a super admin in all of the tenant schemas. If we need to change the permissions, groups, etc., we'll need to do it in all the schemas. etc.

It seems like there are some aspirations to have multi-tenant access from a shared user rather than just shared authentication on the root domain to a single tenant.
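
The subdomain check described earlier in the thread (a user tied to one company, validated in a middleware against the request's subdomain), as an added example that is not code from the thread or from django-tenant-schemas. It avoids Django imports so it runs stand-alone; `BASE_DOMAIN`, the `company_subdomain` field, the superuser bypass and the `forbidden`/`login_redirect` callables are assumptions.

```python
from types import SimpleNamespace

BASE_DOMAIN = "example.com"  # assumption: tenants are served at <company>.example.com

def subdomain_of(host, base=BASE_DOMAIN):
    """Tenant label from a Host value: '' for the shared root, None if unrecognised."""
    name = host.rsplit(":", 1)[0].lower().rstrip(".")  # drop port, case, trailing dot
    if name == base:
        return ""
    suffix = "." + base
    if not name.endswith(suffix):
        return None  # foreign host, e.g. acme.example.com.evil.test
    label = name[: -len(suffix)]
    return label if label and "." not in label else None  # exactly one label

def decide(host, user):
    """Return 'allow', 'login' or 'deny' for this host and user."""
    tenant = subdomain_of(host)
    if tenant is None:
        return "deny"
    if tenant == "":
        return "allow"  # shared domain: authentication lives here
    if not user.is_authenticated:
        return "login"
    # assumption: superusers may enter every company, others only their own
    if user.is_superuser or user.company_subdomain == tenant:
        return "allow"
    return "deny"

def tenant_access_middleware(get_response, forbidden, login_redirect):
    """Django-style middleware factory; the two extra callables build the
    403 and login responses (hypothetical parameters, to stay import-free)."""
    def middleware(request):
        verdict = decide(request.get_host(), request.user)
        if verdict == "deny":
            return forbidden(request)
        if verdict == "login":
            return login_redirect(request)
        return get_response(request)
    return middleware

# Constructed sample users (not from the thread)
ALICE = SimpleNamespace(is_authenticated=True, is_superuser=False, company_subdomain="acme")
ANON = SimpleNamespace(is_authenticated=False, is_superuser=False, company_subdomain=None)
ADMIN = SimpleNamespace(is_authenticated=True, is_superuser=True, company_subdomain=None)
```

The check is only as trustworthy as the Host value: in Django, `request.get_host()` validates it against `ALLOWED_HOSTS`, so that setting should list only the base domain and its subdomains.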