  1. Activiti
  2. ACTIVITI-581

Make the activiti-admin application multi-schema multi-tenant aware

    Details

    • Type: Feature
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: Alfresco Activiti 1.5.2
    • Fix Version/s: None
    • Component/s: Admin
    • Labels:
      None
    • Environment:
      Activiti 1.5.2
    • ACT Numbers:

      00769842, 00789309

    • Sprint:
      Docs Sprint 18

      Description

      Summary
      The current implementation of the activiti-admin application is not multi-schema multi-tenancy (MSMT) aware, and one cannot isolate the data for separate tenant administrators; every person able to log in to activiti-admin could in theory retrieve data for all tenants.

      Steps to reproduce
      1) Set up a vanilla Activiti 1.5.2 instance in MSMT mode:
      a) Set the activiti-app property tenancy.model=isolated
      b) Apply a multi tenancy license
      2) Create an empty tenant database schema "tenant-alfresco" accessible by user "alfresco" with password "alfresco"
      3) Post the related database schema information to Activiti, as in the following example where the tenant database was created in PostgreSQL:

      POST http://server:port/activiti-app/api/enterprise/admin/tenants
      

      with basic authentication and admin@app.activiti.com credentials and JSON body

      {
          "name" : "alfresco",
          "configuration" : "tenant.admin.email=admin@alfresco.com\ndatasource.driver=org.postgresql.Driver\ndatasource.url=jdbc:postgresql://server:port/tenant-alfresco\ndatasource.username=alfresco\ndatasource.password=alfresco"
      }
      

      The result will be
      a) A tenant named alfresco is created.
      b) Any future data of this tenant is stored in the database schema tenant-alfresco.
      c) A default tenant administrator user with the user name admin@alfresco.com is created, with the default password admin.
      4) Log in as admin@alfresco.com to activiti-app and create some tenant data
      a) Via kickstart, model a simple BPMN process, e.g. start event -> user task (assigned to initiator) -> end event
      b) Make this process available via a published app
      c) Start a process via the landing page and complete the user task
      5) Log in with user admin/admin to activiti-admin and make sure the endpoint is configured with admin@app.activiti.com
      6) Review the "Tasks" tab

      Expected behaviour
      As admin@app.activiti.com is by default set up as tenant manager, one should see the completed task data for the tenant Alfresco.

      Current behaviour
      The "Tasks" tab is not displaying any non-default-schema tenant-related data.

      Supporting evidence

      • Reproduced in latest Activiti 1.5.2 release
      • From within activiti-admin, one can indeed create a cluster named "Alfresco Tenant", and for this cluster one can configure the endpoint to use the related tenant admin credentials, i.e. user admin@alfresco.com with the default password admin. Then the Tasks tab and other tabs for this cluster show the tenant-relevant data. The downsides here are that
        1) everyone who is logging in to activiti-admin will see all the clusters and all tenants' data
        2) while entering endpoint credentials we are assuming the default admin password, but the tenant admin might have changed the password and the person administering with activiti-admin does not know that password
      • The best approach might be to link activiti-admin to the users table of the activiti-app db schema and create an account for every tenant admin. When they log in, they will see only the data relevant for their tenant.
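
A pre-flight check for the tenant-creation request in step 3, as an added example that is not part of the original ticket or of Activiti's code: it builds and re-parses the newline-separated "configuration" string and flags the two weaknesses visible in the sample request (Basic authentication over plain HTTP, and a datasource password equal to the username). The function names, host names and port numbers are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

def build_tenant_body(name, props):
    """Serialise properties into the newline-separated 'configuration' string."""
    for key, value in props.items():
        if "\n" in key or "\n" in value or "=" in key:
            raise ValueError(f"unsafe character in property {key!r}")
    config = "\n".join(f"{k}={v}" for k, v in props.items())
    return json.dumps({"name": name, "configuration": config})

def parse_tenant_body(body):
    """Inverse of build_tenant_body: return (name, properties dict)."""
    doc = json.loads(body)
    props = {}
    for line in doc["configuration"].splitlines():
        if line.strip():
            key, _, value = line.partition("=")  # values may contain '='
            props[key.strip()] = value
    return doc["name"], props

def preflight(endpoint, body):
    """Return findings for a tenant-creation request before it is sent."""
    findings = []
    _, props = parse_tenant_body(body)
    if urlsplit(endpoint).scheme != "https":
        findings.append("endpoint is not HTTPS: Basic credentials and datasource.password travel in cleartext")
    user = props.get("datasource.username", "")
    password = props.get("datasource.password", "")
    if not password:
        findings.append("datasource.password is missing or empty")
    elif password.lower() == user.lower():
        findings.append("datasource.password equals datasource.username")
    return findings

# Constructed sample mirroring step 3; hosts and ports are placeholders.
SAMPLE_ENDPOINT = "http://activiti.example:8080/activiti-app/api/enterprise/admin/tenants"
SAMPLE_BODY = build_tenant_body("alfresco", {
    "tenant.admin.email": "admin@alfresco.com",
    "datasource.driver": "org.postgresql.Driver",
    "datasource.url": "jdbc:postgresql://db.example:5432/tenant-alfresco",
    "datasource.username": "alfresco",
    "datasource.password": "alfresco",
})

if __name__ == "__main__":
    for finding in preflight(SAMPLE_ENDPOINT, SAMPLE_BODY):
        print("WARN:", finding)
```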


                People

                • Assignee:
                  jsotiropoulos John Sotiropoulos [X] (Inactive)
                  Reporter:
                  dkoch Dennis Koch
                • Votes: 0
                  Watchers: 4