[
http://opensource.atlassian.com/projects/hibernate/browse/HHH-6054?page=c...
]
Jason Clawson commented on HHH-6054:
------------------------------------
To Damien's point... We have multitenency support in hibernate implemented using
hibernate filters. We are able to model the exact multitenent requirements Damien has
described. Some of our user permission discriminated data is based on a recursive oracle
CONNECT BY query against a graph.
The only problem with our solution is that EntityManager.find(id) bypasses the filter
because hibernate filters do not get applied to find() operations. I asked about this on
the mailing list and got the reply: "I am not going to change the way/places that
filters are applied. They work exactly as intended" and then referred me to version
4.1 that would feature "discriminator-based multi-tenency". The multitency
solution described here will not work for me, nor Damien and is too simple of a view on
what multi-tenency means.
This is what multi-tenency means to me:
1) Separate 1 customer's data from another
2) Allow some users to see 1 or more customer's data. They might be super admins that
can see all customers, they might be sales people who can see a subset of customers. They
might have a network of hierarchical tenents as Damien described.
3) within a customer, restrict the data that a specific user can see based on their
permissions. This permissions query in my world is a complicated recursive query
4) be able to disable filters (allow all data) for a specific set of queries depending on
need
Our solution using filters solves all of the above cases. We have had to override
EntityManager.find to do a query instead of the simple find operation in order to get the
filter to activate.
Having a domain object protected by the customer filter is as easy as extending the
CustomerDomainObject class. Likewise, being protected by the user permissions filter is
as easy as extending UserProtectedDomainObject. The filters are additive and bound
programmatically at startup.
Support for discriminator-based multi-tenancy
---------------------------------------------
Key: HHH-6054
URL:
http://opensource.atlassian.com/projects/hibernate/browse/HHH-6054
Project: Hibernate Core
Issue Type: New Feature
Components: core
Reporter: Steve Ebersole
Labels: multi-tenancy
Fix For: 4.1.0
Follow up on HHH-5697 to add support for discriminator based set ups.
Considerations:
# What is the design of this in the metadata?
## At minimum we need to know the column to use for discrimination.
## Personally believe this should not be a attribute/property based. Should just name a
column to use.
# We really should discover up front whether a {{SessionFactory}} contains any tenant
data and require tenant identifier to be set in these cases.
## Explicit. The user passes us something saying that the {{SessionFactory}} involves
multi tenancy
## Implied. Checking the connection provider (based on current split there) can indicate
schema-based multi-tenancy. Checking all entities can imply the same for
discriminator-based
## May need a way to allow user to tell us which approach to use. That might be the
explicit option.
# Insert statements need to be altered to include the tenant identifier
# All selects need to be altered to add predicate condition based on tenant identifier.
## Allow switch to say whether this is done as a literal versus done as a JDBC parameter.
This has been requested couple of times in regards filters as well to deal with database
partitions and database query optimizers that need the partition value to be a literal.
All persistence context and second level cache related keys are already handled in the
first phase.
--
This message is automatically generated by JIRA.
For more information on JIRA, see:
http://www.atlassian.com/software/jira