2024 Sep 05 4:43 AM - edited 2024 Sep 05 6:31 AM
Background
Hi! My team is trying to create an CAP application for an existing service. We want to use the functionality of the Multi-tenant data isolation to create tenant specific containers in Hana DB. Moreover, we want to use a single XSUAA instance with single Bearer token to access said containers directly. However, we do not want to create Subaccounts or want to expose the CAP application to the users.
Desired Flow
Onboarding:
Users subscribe to existing service
Service triggers subscription to this CAP Application, where cap `tenantId` is set as a combination of user `tenantId` and `instanceId`
Subscription creates HDI Containers linked to the cap `tenantId`
Using POST http://endpoint/-/cds/deployment/subscribe
During normal runtime:
Some of the requests from users will be passed to the CAP application to be processed in their specific container and authentication is done using the same XSUAA internal bearer token from service
Steps Taken
Subscribing using custom `tenantId`
Outcome: Success - Containers are also created without any issues
Problem: Unable to access these containers as XSUAA is unable to authenticate
Using the same Bearer token generated by Provider Account to access tenant container
Outcome: Failure
Problem: Token used by service manager to get context for Provider account, resulting in all requests to be accessing the same container, the mtx information container
Creating Subaccount and subscribing to CAP app using created Subaccount `tenantId` only
Outcome: Success - Can access tenant specific container, authentication done using XSUAA shared `clientId` and `clientSecret` but using the Subaccount domain to generate bearer token
Problem: Not the desired flow
Can I check if CAP supports this use case? Any help would be appreciated in this matter! Thanks!
Solution Found:
Hi! Just an update, we managed to find the solution for this issue. For those seeking to simulate a similar flow can refer to the steps we took below:
Remove SAAS Registry - To hide Cap application and prevent any external subscription
Add the following class from this tutorial [We omitted setting the name and added this in the handler folder]
This code overrides all get for user info and sets it to the value provided in the header of the requests.
@Component @Order(1) public class HeaderBasedUserInfoProvider implements UserInfoProvider { @Autowired HttpServletRequest req; // accesses current HTTP request @Override public UserInfo get() { if (RequestContextHolder.getRequestAttributes() != null) { // only within request thread req is available return UserInfo.create() .setTenant(req.getHeader("custom-tenant-header")) .setName(req.getHeader("custom-username-header")); } return UserInfo.create(); } }
Bind the existing XSUAA service to cap application through `manifest` files
Deploy to CF [We used `cf create-service-push`]
Hope this helps!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
71 | |
11 | |
10 | |
10 | |
10 | |
8 | |
7 | |
7 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.