cancel
Showing results for 
Search instead for 
Did you mean: 

How to have CAP Multi-tenant Data Isolation without any Tenant accounts

Vishwanth
Advisor
Advisor
0 Kudos
198

Background

Hi! My team is trying to create an CAP application for an existing service. We want to use the functionality of the Multi-tenant data isolation to create tenant specific containers in Hana DB. Moreover, we want to use a single XSUAA instance with single Bearer token to access said containers directly. However, we do not want to create Subaccounts or want to expose the CAP application to the users.


Desired Flow
Onboarding:

  1. Users subscribe to existing service

  2. Service triggers subscription to this CAP Application, where cap `tenantId` is set as a combination of user `tenantId` and `instanceId`

  3. Subscription creates HDI Containers linked to the cap `tenantId`

    Using POST http://endpoint/-/cds/deployment/subscribe

During normal runtime:

Some of the requests from users will be passed to the CAP application to be processed in their specific container and authentication is done using the same XSUAA internal bearer token from service


Steps Taken

  • Subscribing using custom `tenantId`

    • Outcome: Success - Containers are also created without any issues

    • Problem: Unable to access these containers as XSUAA is unable to authenticate

  • Using the same Bearer token generated by Provider Account to access tenant container

    • Outcome: Failure

    • Problem: Token used by service manager to get context for Provider account, resulting in all requests to be accessing the same container, the mtx information container

  • Creating Subaccount and subscribing to CAP app using created Subaccount `tenantId` only

    • Outcome: Success - Can access tenant specific container, authentication done using XSUAA shared `clientId` and `clientSecret` but using the Subaccount domain to generate bearer token

    • Problem: Not the desired flow

Can I check if CAP supports this use case? Any help would be appreciated in this matter! Thanks!

View Entire Topic
Vishwanth
Advisor
Advisor
0 Kudos

Solution Found:

Hi! Just an update, we managed to find the solution for this issue. For those seeking to simulate a similar flow can refer to the steps we took below:

  1. Remove SAAS Registry - To hide Cap application and prevent any external subscription

  2. Add the following class from this tutorial [We omitted setting the name and added this in the handler folder]

    This code overrides all get for user info and sets it to the value provided in the header of the requests.

    @Component
    @Order(1)
    public class HeaderBasedUserInfoProvider implements UserInfoProvider {
    
        @Autowired
        HttpServletRequest req; // accesses current HTTP request
    
        @Override
        public UserInfo get() {
            if (RequestContextHolder.getRequestAttributes() != null) {
                // only within request thread req is available
                return UserInfo.create()
                    .setTenant(req.getHeader("custom-tenant-header"))
                    .setName(req.getHeader("custom-username-header"));
            }
            return UserInfo.create();
        }
    }
  3. Bind the existing XSUAA service to cap application through `manifest` files

  4. Deploy to CF [We used `cf create-service-push`]

Hope this helps!