[rt-users] Multi-tenant

Tim Cutts tjrc at sanger.ac.uk
Thu Dec 13 10:54:40 EST 2012


On 13 Dec 2012, at 10:56, Shuvam Misra <shuvam.misra at merceworld.com> wrote:

>> The overall-rights-matrix on only-one-userbase makes it
>> difficult to wall in each of the groups, so they never
>> see or notice one of the others.  It *is* possible, but
>> error-prone, if the 'groups' try to administer their own
>> 'set of queues'.  One wrong click or 'right' and information
>> leaks will happen.  In single-tenant-setups this stays
>> impossible and virtual hosts are relatively cheap.
> 
> An application has to be designed to be multi-tenanted from the ground up
> to avoid these dangers. I guess RT is not.

Indeed; there are several places where this is obvious; the principal ones, in my view, being Scrips and Templates.  Both of these allow essentially arbitrary perl code.  RT's access control lists don't apply here - everything essentially happens as the RT::System user, so if a user has the ability to write Mason templates, or to write Scrips, they can automatically access anything in the database, even if the ACLs formally forbid it.

Even if you had the client id column, you'd still have security issues to do with arbitrary perl, since you can always find the appropriate database handle and just do things to the database willy nilly.

In order to make multi-tenant even remotely sensible, you'd have to basically completely ban users from making custom scrips and templates.  And then, in my view, re-architect the way things work.  You'd probably need:

a)  Several RT::System style users for the different tenants (or possibly)
b)  Database level permissions using those users

Row-based authentication isn't available in MySQL, so you'd probably have to use something like Oracle, if you wanted it really bullet proof.

Personally, I'd do multi-tenant through virtualisation.  Still only one piece of hardware, but you're keeping the data more effectively segregated.  You could simplify and centralise your configuration through scripts, so you didn't have to configure each tenant by hand.

Tim

-- 
 The Wellcome Trust Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE. 
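
An added example, not part of the original message and not RT code: a small Python model of the point made above, that a filter applied in application code is skipped by any custom code holding the raw database handle, while a per-tenant database bounds what that handle can reach. Here `sqlite3` stands in for RT's database, and the table, tenant names, tickets and function names are all constructed for illustration.

```python
import sqlite3

# Constructed sample data: two tenants, one ticket each.
TICKETS = [("acme", "VPN down"), ("globex", "Payroll export fails")]

def make_db(rows):
    """Create an in-memory ticket database holding the given rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (tenant TEXT, subject TEXT)")
    db.executemany("INSERT INTO tickets VALUES (?, ?)", rows)
    return db

def acl_list_tickets(db, tenant):
    """Application-layer ACL: the only code path that applies the tenant filter."""
    cur = db.execute(
        "SELECT subject FROM tickets WHERE tenant = ? ORDER BY subject", (tenant,))
    return [row[0] for row in cur]

def custom_code(db):
    """Stands in for tenant-written code (a Scrip or template) that is handed
    the raw database handle and never goes through acl_list_tickets()."""
    cur = db.execute("SELECT subject FROM tickets ORDER BY subject")
    return [row[0] for row in cur]

def shared_layout():
    """One database for every tenant, separated only by the tenant column."""
    return make_db(TICKETS)

def segregated_layout():
    """One database per tenant: each handle can reach only its own rows."""
    dbs = {}
    for tenant in sorted({t for t, _ in TICKETS}):
        dbs[tenant] = make_db([r for r in TICKETS if r[0] == tenant])
    return dbs

if __name__ == "__main__":
    shared = shared_layout()
    print("ACL path, acme:      ", acl_list_tickets(shared, "acme"))
    print("custom code, shared: ", custom_code(shared))
    per_tenant = segregated_layout()
    print("custom code, acme db:", custom_code(per_tenant["acme"]))
```
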


