Open APIs

Expand all | Collapse all

multi-tenancy

  • 1.  multi-tenancy

    Posted Jun 13, 2021 11:23
    hi,

    anyone has idea on how the openapis handle multitenancy?

    i.e. TM700
    /shippingOrder/{id}​


    ------------------------------
    Kelvin
    ------------------------------


  • 2.  RE: multi-tenancy

    TM Forum Member
    Posted Jun 14, 2021 03:18
    Hi Kelvin

    I think that it would be valuable for you to give more concrete details of what you mean by multi-tenancy in this context, that might help community members to assist you better.

    But let's assume that you are referring to some implementation of a logistics system that exposes TMF700 (shipping order) among others. And let's further assume that your implementation is a single-instance cloud-hosted product that supports multiple service providers. This could be multi-tenant, in the sense that each service provider is completely unaware that other service providers use the same instance, and each service provider (+ agencies associated with the service provider) can access only its own data.

    From an API perspective, I don't see any reason why the signature should change due to this implementation. It would be your responsibility to provide a separate endpoint (base url and IP address) for each service provider, and ensure that your authentication and authorization scheme allows only security principals from that service provider to access the end point. Additionally, you could internally segregate the data keyed by the id or name of the service provider (how - depends on your persistence provider). When retrieving or updating data in your internal implementation you'd verify that the data matches the service provider which is currently in context.

    Hope it helps

    ------------------------------
    Jonathan Goldberg
    Amdocs Management Limited
    Any opinions and statements made by me on this forum are purely personal, and do not necessarily reflect the position of the TM Forum or my employer.
    ------------------------------



  • 3.  RE: multi-tenancy

    TM Forum Member
    Posted Jun 14, 2021 05:49
    Hi Kelvin,

    First of all, you can create a multi-tenant structure by defining a separate data source for each tenant (service provider) and without making any changes to the data model. You will need to determine the data source definition according to the technology you are using.
    To give a more concrete example: Let's say you are using Java and hibernate. To develop a multi-tenant system, you can define data sources as you can see at https://docs.jboss.org/hibernate/orm/4.3/devguide/en-US/html/ch16.html.
    You can define your own data sources per tenant (SP) similar to given examples in the link.

    However, if you want to set up a multi-tenant structure based on "single database-single schema" with a tenant id (service provider) without defining separate data sources; You can use the related_party field as the tenant_id (service provider). Almost all main entities have related_party field. Because service provider is also a related party.
    Add SP info to related party list of entities on creation. Filter on read operation etc.

    While securing APIs with OAuth2, you can carry tenant (service provider) information in JWT claims. It will be safer to obtain SP info from user privileges than sending this information from header or query parameters.

    You can use the the related party (service provider information) as the desired tenant identifier in the 3rd "Partitioned (discriminator) data)" option in the Hibernate example. In this 3rd option, I think it would be appropriate to add tenant_id (service_provider_id) to the data model to get more performance queries.

    When you do not use different data sources, tenant control is required in all CRUD operations. For example, in the read operation, tenant information (from privileges of the user logged into the API) should be added to the filters automatically.

    ------------------------------
    Mustafa Yusufoglu
    i2i Systems
    ------------------------------