jesus/Vapora
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Vapora/docs/adrs/0025-multi-tenancy.html

525 lines
22 KiB
HTML
Raw Normal View History

chore: extend doc: adr, tutorials, operations, etc
2026-01-12 03:32:47 +00:00
<!DOCTYPE HTML>
<html lang="en" class="light sidebar-visible" dir="ltr">
<head>
<!-- Book generated using mdBook -->
<meta charset="UTF-8">
<title>0025: Multi-Tenancy - VAPORA Platform Documentation</title>
<!-- Custom HTML head -->
<meta name="description" content="Comprehensive documentation for VAPORA, an intelligent development orchestration platform built entirely in Rust.">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="theme-color" content="#ffffff">
<link rel="icon" href="../favicon.svg">
<link rel="shortcut icon" href="../favicon.png">
<link rel="stylesheet" href="../css/variables.css">
<link rel="stylesheet" href="../css/general.css">
<link rel="stylesheet" href="../css/chrome.css">
<link rel="stylesheet" href="../css/print.css" media="print">
<!-- Fonts -->
<link rel="stylesheet" href="../FontAwesome/css/font-awesome.css">
<link rel="stylesheet" href="../fonts/fonts.css">
<!-- Highlight.js Stylesheets -->
<link rel="stylesheet" id="highlight-css" href="../highlight.css">
<link rel="stylesheet" id="tomorrow-night-css" href="../tomorrow-night.css">
<link rel="stylesheet" id="ayu-highlight-css" href="../ayu-highlight.css">
<!-- Custom theme stylesheets -->
<!-- Provide site root and default themes to javascript -->
<script>
const path_to_root = "../";
const default_light_theme = "light";
const default_dark_theme = "dark";
</script>
<!-- Start loading toc.js asap -->
<script src="../toc.js"></script>
</head>
<body>
<div id="mdbook-help-container">
<div id="mdbook-help-popup">
<h2 class="mdbook-help-title">Keyboard shortcuts</h2>
<div>
<p>Press <kbd></kbd> or <kbd></kbd> to navigate between chapters</p>
<p>Press <kbd>S</kbd> or <kbd>/</kbd> to search in the book</p>
<p>Press <kbd>?</kbd> to show this help</p>
<p>Press <kbd>Esc</kbd> to hide this help</p>
</div>
</div>
</div>
<div id="body-container">
<!-- Work around some values being stored in localStorage wrapped in quotes -->
<script>
try {
let theme = localStorage.getItem('mdbook-theme');
let sidebar = localStorage.getItem('mdbook-sidebar');
if (theme.startsWith('"') && theme.endsWith('"')) {
localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
}
if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
}
} catch (e) { }
</script>
<!-- Set the theme before any content is loaded, prevents flash -->
<script>
const default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? default_dark_theme : default_light_theme;
let theme;
try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
if (theme === null || theme === undefined) { theme = default_theme; }
const html = document.documentElement;
html.classList.remove('light')
html.classList.add(theme);
html.classList.add("js");
</script>
<input type="checkbox" id="sidebar-toggle-anchor" class="hidden">
<!-- Hide / unhide sidebar before it is displayed -->
<script>
let sidebar = null;
const sidebar_toggle = document.getElementById("sidebar-toggle-anchor");
if (document.body.clientWidth >= 1080) {
try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
sidebar = sidebar || 'visible';
} else {
sidebar = 'hidden';
}
sidebar_toggle.checked = sidebar === 'visible';
html.classList.remove('sidebar-visible');
html.classList.add("sidebar-" + sidebar);
</script>
<nav id="sidebar" class="sidebar" aria-label="Table of contents">
<!-- populated by js -->
<mdbook-sidebar-scrollbox class="sidebar-scrollbox"></mdbook-sidebar-scrollbox>
<noscript>
<iframe class="sidebar-iframe-outer" src="../toc.html"></iframe>
</noscript>
<div id="sidebar-resize-handle" class="sidebar-resize-handle">
<div class="sidebar-resize-indicator"></div>
</div>
</nav>
<div id="page-wrapper" class="page-wrapper">
<div class="page">
<div id="menu-bar-hover-placeholder"></div>
<div id="menu-bar" class="menu-bar sticky">
<div class="left-buttons">
<label id="sidebar-toggle" class="icon-button" for="sidebar-toggle-anchor" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
<i class="fa fa-bars"></i>
</label>
<button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
<i class="fa fa-paint-brush"></i>
</button>
<ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
<li role="none"><button role="menuitem" class="theme" id="default_theme">Auto</button></li>
<li role="none"><button role="menuitem" class="theme" id="light">Light</button></li>
<li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
<li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
<li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
<li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
</ul>
<button id="search-toggle" class="icon-button" type="button" title="Search (`/`)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="/ s" aria-controls="searchbar">
<i class="fa fa-search"></i>
</button>
</div>
<h1 class="menu-title">VAPORA Platform Documentation</h1>
<div class="right-buttons">
<a href="../print.html" title="Print this book" aria-label="Print this book">
<i id="print-button" class="fa fa-print"></i>
</a>
<a href="https://github.com/vapora-platform/vapora" title="Git repository" aria-label="Git repository">
<i id="git-repository-button" class="fa fa-github"></i>
</a>
<a href="https://github.com/vapora-platform/vapora/edit/main/docs/src/../adrs/0025-multi-tenancy.md" title="Suggest an edit" aria-label="Suggest an edit">
<i id="git-edit-button" class="fa fa-edit"></i>
</a>
</div>
</div>
<div id="search-wrapper" class="hidden">
<form id="searchbar-outer" class="searchbar-outer">
<input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
</form>
<div id="searchresults-outer" class="searchresults-outer hidden">
<div id="searchresults-header" class="searchresults-header"></div>
<ul id="searchresults">
</ul>
</div>
</div>
<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
<script>
document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
});
</script>
<div id="content" class="content">
<main>
<h1 id="adr-025-surrealdb-scope-based-multi-tenancy"><a class="header" href="#adr-025-surrealdb-scope-based-multi-tenancy">ADR-025: SurrealDB Scope-Based Multi-Tenancy</a></h1>
<p><strong>Status</strong>: Accepted | Implemented
<strong>Date</strong>: 2024-11-01
<strong>Deciders</strong>: Security &amp; Architecture Team
<strong>Technical Story</strong>: Implementing defense-in-depth tenant isolation with database scopes</p>
<hr />
<h2 id="decision"><a class="header" href="#decision">Decision</a></h2>
<p>Implementar <strong>multi-tenancy via SurrealDB scopes + tenant_id fields</strong> para defense-in-depth isolation.</p>
<hr />
<h2 id="rationale"><a class="header" href="#rationale">Rationale</a></h2>
<ol>
<li><strong>Defense-in-Depth</strong>: Tenants isolated en dos niveles (scopes + queries)</li>
<li><strong>Database-Level</strong>: SurrealDB scopes enforced en DB (no app bugs can leak)</li>
<li><strong>Application-Level</strong>: Services validate tenant_id (redundant safety)</li>
<li><strong>Performance</strong>: Scope filtering efficient (pushes down to DB)</li>
</ol>
<hr />
<h2 id="alternatives-considered"><a class="header" href="#alternatives-considered">Alternatives Considered</a></h2>
<h3 id="-application-level-only"><a class="header" href="#-application-level-only">❌ Application-Level Only</a></h3>
<ul>
<li><strong>Pros</strong>: Works with any database</li>
<li><strong>Cons</strong>: Bugs in app code can leak data</li>
</ul>
<h3 id="-database-level-only-hard-partitioning"><a class="header" href="#-database-level-only-hard-partitioning">❌ Database-Level Only (Hard Partitioning)</a></h3>
<ul>
<li><strong>Pros</strong>: Very secure</li>
<li><strong>Cons</strong>: Hard to query across tenants (analytics), complex schema</li>
</ul>
<h3 id="-dual-level-scopes--validation-chosen"><a class="header" href="#-dual-level-scopes--validation-chosen">✅ Dual-Level (Scopes + Validation) (CHOSEN)</a></h3>
<ul>
<li>Both layers + application simplicity</li>
</ul>
<hr />
<h2 id="trade-offs"><a class="header" href="#trade-offs">Trade-offs</a></h2>
<p><strong>Pros</strong>:</p>
<ul>
<li>✅ Tenant data isolated at DB level (SurrealDB scopes)</li>
<li>✅ Application-level checks prevent mistakes</li>
<li>✅ Flexible querying (within tenant)</li>
<li>✅ Analytics possible (aggregate across tenants)</li>
</ul>
<p><strong>Cons</strong>:</p>
<ul>
<li>⚠️ Requires discipline (always filter by tenant_id)</li>
<li>⚠️ Complexity in schema (every model has tenant_id)</li>
<li>⚠️ SurrealDB scope syntax to learn</li>
</ul>
<hr />
<h2 id="implementation"><a class="header" href="#implementation">Implementation</a></h2>
<p><strong>Model Definition with tenant_id</strong>:</p>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>// crates/vapora-shared/src/models.rs
pub struct Project {
pub id: String,
pub tenant_id: String, // ← Mandatory field
pub title: String,
pub description: Option&lt;String&gt;,
pub created_at: DateTime&lt;Utc&gt;,
pub updated_at: DateTime&lt;Utc&gt;,
}
pub struct Task {
pub id: String,
pub tenant_id: String, // ← Mandatory field
pub project_id: String,
pub title: String,
pub status: TaskStatus,
pub created_at: DateTime&lt;Utc&gt;,
}
<span class="boring">}</span></code></pre></pre>
<p><strong>SurrealDB Scope Definition</strong>:</p>
<pre><code class="language-sql">-- Create scope for tenant isolation
DEFINE SCOPE tenant_scope
SESSION 24h
SIGNUP (
CREATE user SET
email = $email,
pass = crypto::argon2::encrypt($pass),
tenant_id = $tenant_id
)
SIGNIN (
SELECT * FROM user
WHERE email = $email AND crypto::argon2::compare(pass, $pass)
);
-- Tenant-scoped table with access control
DEFINE TABLE projects
SCHEMALESS
PERMISSIONS
FOR SELECT WHERE tenant_id = $auth.tenant_id,
FOR CREATE WHERE $input.tenant_id = $auth.tenant_id,
FOR UPDATE WHERE tenant_id = $auth.tenant_id,
FOR DELETE WHERE tenant_id = $auth.tenant_id;
DEFINE TABLE tasks
SCHEMALESS
PERMISSIONS
FOR SELECT WHERE tenant_id = $auth.tenant_id,
FOR CREATE WHERE $input.tenant_id = $auth.tenant_id,
FOR UPDATE WHERE tenant_id = $auth.tenant_id,
FOR DELETE WHERE tenant_id = $auth.tenant_id;
</code></pre>
<p><strong>Service-Level Validation</strong>:</p>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>// crates/vapora-backend/src/services/project_service.rs
impl ProjectService {
pub async fn get_project(
&amp;self,
tenant_id: &amp;str,
project_id: &amp;str,
) -&gt; Result&lt;Project&gt; {
// 1. Query with tenant_id filter (database-level isolation)
let project = self.db
.query(
"SELECT * FROM projects \
WHERE id = $1 AND tenant_id = $2"
)
.bind((project_id, tenant_id))
.await?
.take::&lt;Option&lt;Project&gt;&gt;(0)?
.ok_or_else(|| VaporaError::ProjectNotFound(project_id.to_string()))?;
// 2. Verify tenant_id matches (application-level check, redundant)
if project.tenant_id != tenant_id {
return Err(VaporaError::Unauthorized(
"Tenant mismatch".to_string()
));
}
Ok(project)
}
pub async fn create_project(
&amp;self,
tenant_id: &amp;str,
title: &amp;str,
description: &amp;Option&lt;String&gt;,
) -&gt; Result&lt;Project&gt; {
let project = Project {
id: uuid::Uuid::new_v4().to_string(),
tenant_id: tenant_id.to_string(), // ← Always set from authenticated user
title: title.to_string(),
description: description.clone(),
..Default::default()
};
// Database will enforce tenant_id matches auth scope
self.db
.create("projects")
.content(&amp;project)
.await?;
Ok(project)
}
pub async fn list_projects(
&amp;self,
tenant_id: &amp;str,
limit: u32,
) -&gt; Result&lt;Vec&lt;Project&gt;&gt; {
// Always filter by tenant_id
let projects = self.db
.query(
"SELECT * FROM projects \
WHERE tenant_id = $1 \
ORDER BY created_at DESC \
LIMIT $2"
)
.bind((tenant_id, limit))
.await?
.take::&lt;Vec&lt;Project&gt;&gt;(0)?
.unwrap_or_default();
Ok(projects)
}
}
<span class="boring">}</span></code></pre></pre>
<p><strong>Tenant Context Extraction</strong>:</p>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>// crates/vapora-backend/src/auth/middleware.rs
pub struct TenantContext {
pub user_id: String,
pub tenant_id: String,
}
pub fn extract_tenant_context(
request: &amp;Request,
) -&gt; Result&lt;TenantContext&gt; {
// 1. Get JWT token from Authorization header
let token = extract_bearer_token(request)?;
// 2. Decode JWT
let claims = decode_jwt(&amp;token)?;
// 3. Extract tenant_id from claims
let tenant_id = claims.get("tenant_id")
.ok_or(VaporaError::Unauthorized("No tenant".into()))?;
Ok(TenantContext {
user_id: claims.get("sub").unwrap().to_string(),
tenant_id: tenant_id.to_string(),
})
}
<span class="boring">}</span></code></pre></pre>
<p><strong>API Handler with Tenant Validation</strong>:</p>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>pub async fn get_project(
State(app_state): State&lt;AppState&gt;,
Path(project_id): Path&lt;String&gt;,
request: Request,
) -&gt; Result&lt;Json&lt;Project&gt;, ApiError&gt; {
// 1. Extract tenant from JWT
let tenant = extract_tenant_context(&amp;request)?;
// 2. Call service (tenant passed explicitly)
let project = app_state
.project_service
.get_project(&amp;tenant.tenant_id, &amp;project_id)
.await
.map_err(ApiError::from)?;
Ok(Json(project))
}
<span class="boring">}</span></code></pre></pre>
<p><strong>Key Files</strong>:</p>
<ul>
<li><code>/crates/vapora-shared/src/models.rs</code> (models with tenant_id)</li>
<li><code>/crates/vapora-backend/src/services/</code> (tenant validation in queries)</li>
<li><code>/crates/vapora-backend/src/auth/</code> (tenant context extraction)</li>
</ul>
<hr />
<h2 id="verification"><a class="header" href="#verification">Verification</a></h2>
<pre><code class="language-bash"># Test tenant isolation (can't access other tenant's data)
cargo test -p vapora-backend test_tenant_isolation
# Test service enforces tenant_id
cargo test -p vapora-backend test_service_tenant_check
# Integration: create projects in two tenants, verify isolation
cargo test -p vapora-backend test_multi_tenant_integration
# Verify database permissions enforced
# (Run manual query as one tenant, try to access another tenant's data)
surreal sql --conn ws://localhost:8000
&gt; USE ns vapora db main;
&gt; CREATE project SET tenant_id = 'other:tenant', title = 'Hacked'; // Should fail
</code></pre>
<p><strong>Expected Output</strong>:</p>
<ul>
<li>Tenant cannot access other tenant's projects</li>
<li>Database permissions block cross-tenant access</li>
<li>Service validation catches tenant mismatches</li>
<li>Only authenticated user's tenant_id usable</li>
</ul>
<hr />
<h2 id="consequences"><a class="header" href="#consequences">Consequences</a></h2>
<h3 id="schema-design"><a class="header" href="#schema-design">Schema Design</a></h3>
<ul>
<li>Every model must have tenant_id field</li>
<li>Queries always include tenant_id filter</li>
<li>Indexes on (tenant_id, id) for performance</li>
</ul>
<h3 id="query-patterns"><a class="header" href="#query-patterns">Query Patterns</a></h3>
<ul>
<li>Services always filter by tenant_id</li>
<li>No queries without WHERE tenant_id = $1</li>
<li>Lint/review to enforce</li>
</ul>
<h3 id="data-isolation"><a class="header" href="#data-isolation">Data Isolation</a></h3>
<ul>
<li>Tenant data completely isolated</li>
<li>No risk of accidental leakage</li>
<li>Safe for multi-tenant SaaS</li>
</ul>
<h3 id="scaling"><a class="header" href="#scaling">Scaling</a></h3>
<ul>
<li>Can shard by tenant_id if needed</li>
<li>Analytics queries group by tenant</li>
<li>Compliance: data export per tenant simple</li>
</ul>
<hr />
<h2 id="references"><a class="header" href="#references">References</a></h2>
<ul>
<li><a href="https://surrealdb.com/docs/surrealql/statements/define/scope">SurrealDB Scopes Documentation</a></li>
<li><code>/crates/vapora-shared/src/models.rs</code> (tenant_id in models)</li>
<li><code>/crates/vapora-backend/src/services/</code> (tenant filtering)</li>
<li>ADR-004 (SurrealDB)</li>
<li>ADR-010 (Cedar Authorization)</li>
</ul>
<hr />
<p><strong>Related ADRs</strong>: ADR-004 (SurrealDB), ADR-010 (Cedar), ADR-020 (Audit Trail)</p>
</main>
<nav class="nav-wrapper" aria-label="Page navigation">
<!-- Mobile navigation buttons -->
<a rel="prev" href="../../adrs/0024-service-architecture.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next prefetch" href="../../adrs/0026-shared-state.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
<div style="clear: both"></div>
</nav>
</div>
</div>
<nav class="nav-wide-wrapper" aria-label="Page navigation">
<a rel="prev" href="../../adrs/0024-service-architecture.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next prefetch" href="../../adrs/0026-shared-state.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
</nav>
</div>
<script>
window.playground_copyable = true;
</script>
<script src="../elasticlunr.min.js"></script>
<script src="../mark.min.js"></script>
<script src="../searcher.js"></script>
<script src="../clipboard.min.js"></script>
<script src="../highlight.js"></script>
<script src="../book.js"></script>
<!-- Custom JS scripts -->
</div>
</body>
</html>
Reference in New Issue Copy Permalink