milia

Milia is a multi-tenanting gem for hosted Rails 3.1 applications which use devise for user authentication.

Basic concepts

• should be transparent to the main application code
• should be symbiotic with user authentication
• should raise exceptions upon attempted illegal access
• should force tenanting (not allow sloppy access to all tenant records)
• should allow application flexibility upon new tenant sign-up, usage of eula information, etc
• should be as non-invasive (as possible) to Rails code
• row-based tenanting is used
• default_scope is used to enforce tenanting

The author used schema-based tenanting in the past but found it deficient for the following reasons: most DBMS are optimized to handle enormous number of rows but not an enormous number of schema (tables). Schema-based tenancy took a performance hit, was seriously time-consuming to backup and restore, was invasive into the Rails code structure (monkey patching), was complex to implement, and couldn't use Rails migration tools as-is.

Structure

• necessary models: user, tenant
• necessary migrations: user, tenant, tenants_users (join table)

Dependency requirements

• Rails 3.1 or higher
• Devise 1.4.8 or higher

Installation

Either install the gem manually:

  $ gem install milia

Or in the Gemfile:

  gem 'milia'

Getting started

Rails setup

Milia expects a user session, so please set one up

  $ rails g session_migration
      invoke  active_record
      create    db/migrate/20111012060818_add_sessions_table.rb

Devise setup

• See https://github.com/plataformatec/devise for how to set up devise.
• The current version of milia requires that devise use a User model.

Milia setup

migrations

ALL models require a tenanting field, whether they are to be universal or to be tenanted. So make sure the following is added to each migration

db/migrate

  t.references :tenant

Tenanted models will also require indexes for the tenant field:

  add_index :TABLE, :tenant_id

Also create a tenants_users join table:

db/migrate/20111008081639_create_tenants_users.rb

  class CreateTenantsUsers < ActiveRecord::Migration
    def change
      create_table :tenants_users, :id => false  do |t|
        t.references   :tenant
        t.references   :user
      end
      add_index :tenants_users, :tenant_id
      add_index :tenants_users, :user_id
    end
  end

application controller

add the following line AFTER the devise-required filter for authentications:

app/controllers/application_controller.rb

  before_filter :authenticate_tenant!   # authenticate user and setup tenant

# ------------------------------------------------------------------------------
# authenticate_tenant! -- authorization & tenant setup
# -- authenticates user
# -- sets current tenant
# -- sets up app environment for this user
# ------------------------------------------------------------------------------
  def authenticate_tenant!()

    unless authenticate_user!
      email = ( params.nil? || params[:user].nil?  ?  ""  : " as: " + params[:user][:email] )

      flash[:notice] = "cannot sign you in#{email}; check email/password and try again"
      
      return false  # abort the before_filter chain
    end

    # user_signed_in? == true also means current_user returns valid user
    raise SecurityError,"*** invalid sign-in  ***" unless user_signed_in?

    set_current_tenant   # relies on current_user being non-nil
    
    # any application-specific environment set up goes here
    
    true  # allows before filter chain to continue
  end

catch any exceptions with the following (be sure to also add the designated methods!)

  rescue_from ::Milia::Control::MaxTenantExceeded, :with => :max_tenants
  rescue_from ::Milia::Control::InvalidTenantAccess, :with => :invalid_tenant

routes

Add the following line into the devise_for :users block

config/routes.rb

  devise_for :users do
    post  "users" => "milia/registrations#create"
  end

Designate which model determines account

Add the following acts_as_... to designate which model will be used as the key into tenants_users to find the tenant for a given user. Only designate one model in this manner.

app/models/user.rb

  class User < ActiveRecord::Base
    
    acts_as_universal_and_determines_account
  
  end  # class User

Designate which model determines tenant

Add the following acts_as_... to designate which model will be used as the tenant model. It is this id field which designates the tenant for an entire group of users which exist within a single tenanted domain. Only designate one model in this manner.

app/models/tenant.rb

  class Tenant < ActiveRecord::Base
    
    acts_as_universal_and_determines_tenant
    
  end  # class Tenant

Designate universal models

Add the following acts_as_universal to ALL models which are to be universal and remove any superfluous

  belongs_to  :tenant

which the generator might have generated ( acts_as_tenant will specify that ).

app/models/eula.rb

  class Eula < ActiveRecord::Base
    
    acts_as_universal
  
  end  # class Eula

Designate tenanted models

Add the following acts_as_tenant to ALL models which are to be tenanted and remove any superfluous

  belongs_to  :tenant

which the generator might have generated ( acts_as_tenant will specify that ).

app/models/post.rb

  class Post < ActiveRecord::Base
    
    acts_as_tenant
  
  end  # class Post

Exceptions raised

  Milia::Control::InvalidTenantAccess
  Milia::Control::MaxTenantExceeded

Tenant pre-processing hooks

Milia expects a tenant pre-processing & setup hook:

  Tenant.create_new_tenant(params)   # see sample code below

where the sign-up params are passed, the new tenant must be validated, created, and then returned. Any other kinds of prepatory processing are permitted here, but should be minimal, and should not involve any tenanted models. At this point in the new account sign-up chain, no tenant has been set up yet (but will be immediately after the new tenant has been created).

app/models/tenant.rb

  def self.create_new_tenant(params)
    
    tenant # Tenant.new(:cname => params[:user][:email], :company => params[:tenant][:company])

    if new_signups_not_permitted?(params)
      
      raise ::Milia::Control::MaxTenantExceeded, "Sorry, new accounts not permitted at this time" 
      
    else 
      tenant.save    # create the tenant
    end
    return tenant
  end

Milia expects a tenant post-processing hook:

  Tenant.tenant_signup(user,tenant,other)   # see sample code below

The purpose here is to do any tenant initialization AFTER devise has validated and created a user. Objects for the user and tenant are passed. It is recommended that only minimal processing be done here ... for example, queueing a background task to do the actual work in setting things up for a new tenant.

app/models/tenant.rb

# ------------------------------------------------------------------------
# tenant_signup -- setup a new tenant in the system
# CALLBACK from devise RegistrationsController (milia override)
# AFTER user creation and current_tenant established
# args:
#   user  -- new user  obj
#   tenant -- new tenant obj
#   other  -- any other parameter string from initial request
# ------------------------------------------------------------------------
  def self.tenant_signup(user, tenant, other = nil)
    StartupJob.queue_startup( tenant, user, other )
  end

Alternate use case: user belongs to multiple tenants

Your application might allow a user to belong to multiple tenants. You will need to provide some type of mechanism to allow the user to choose which account (thus tenant) they wish to access. Once chosen, in your controller, you will need to put:

app/controllers/any_controller.rb

  set_current_tenant( new_tenant_id )

joins might require additional tenanting restrictions

Subordinate join tables will not get the Rails default scope. Theoretically, the default scope on the master table alone should be sufficient in restricting answers to the current_tenant alone .. HOWEVER, it doesn't feel right.

If the master table for the join is a universal table, however, you really MUST use the following workaround, otherwise the database will access data in other tenanted areas even if no records are returned. This is a potential security breach. Further details can be found in various discussions about the behavior of databases such as POSTGRES.

The milia workaround is to add an additional .where( where_restrict_tenants(klass1, klass2,...)) for each of the subordinate models in the join.

usage of where_restrict_tenants

    Comment.joins(stuff).where( where_restrict_tenants(Post, Author) ).all

console

Note that even when running the console ($ rails console) will be run in multi-tenanting mode. You will need to establish a current_user and setup the current_tenant, otherwise most Model DB accesses will fail.

For the author's own application, I have set up a small ruby file which I load when I start the console. This does the following:

    def change_tenant(my_id,my_tenant_id)
      @me = User.find( my_id )
      @w  = Tenant.find( my_tenant_id )
      Tenant.set_current_tenant @w
    end

change_tenant(1,1)   # or whatever is an appropriate starting user, tenant

Cautions

• Milia designates a default_scope for all models (both universal and tenanted). From Rails 3.2 onwards, the last designated default scope overrides any prior scopes and will invalidate multi-tenanting; so DO NOT USE default_scope
• Milia uses Thread.current[:tenant_id] to hold the current tenant for the existing Action request in the application.
• SQL statements executed outside the context of ActiveRecord pose a potential danger; the current milia implementation does not extend to the DB connection level and so cannot enforce tenanting at this point.
• The tenant_id of a universal model will always be forced to nil.
• The tenant_id of a tenanted model will be set to the current_tenant of the current_user upon creation.

Contributing to milia

• Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
• Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
• Fork the project
• Start a feature/bugfix branch
• Commit and push until you are happy with your contribution
• Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
• Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.

Copyright

Copyright (c) 2011 Daudi Amani. See LICENSE.txt for further details.