Tags: authorization, access-control, xacml, abac, authzforce

Dynamic root policyset for multi-tenancy using Authzforce Core


I basically want to use Authzforce in a multi-tenant system.

Right now, I have a single root policy that has a few PolicySetIdReference elements that point to other policy sets (per organization) but I noticed that it tries to resolve every reference element and queries the database (I set up my own version of the MongoDbBasedRefProvider). I am worried that I would needlessly load every other policy for other organizations.

<PolicySet PolicySetId="ROOT" ....>
    <PolicySetIdReference>ID-for-org-1</PolicySetIdReference>
    <PolicySetIdReference>ID-for-org-2</PolicySetIdReference>
</PolicySet>

Am I able to make the root policy provider check some condition (based on org) so that the policies that I check are significantly smaller? In the example above, I only want to retrieve the one for ID-for-org-1.


Solution

  • For full multi-tenancy, I recommend having one PDP instance per tenant, i.e. dispatch the request to a specific PdpEngine instance based on the tenant (org) ID, e.g. via a String-to-PdpEngine map or whatever, just a suggestion.

    If you still want to use the same PDP engine for all tenants (i.e. handling policies for all), make sure you do all these:

    1. Use the first-applicable policy combining algorithm in the ROOT policy (so that the evaluation stops at the first applicable policyset within).
    2. Make sure there is a tenant/org ID attribute present in XACML requests.
    3. Define a XACML Target in each org policyset with a Match (equal) on this tenant/org ID attribute, to make sure the policyset applies (is evaluated) only if the tenant/org-id matches.
    4. Implement and enable a Decision Cache on the PDP.
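Steps 1 to 3 above, written out as XACML 3.0 policy and request fragments. This is an added illustration, not code from the question or from the Authzforce project; the attribute name urn:example:tenant-id, the policy id org-1-rules and the choice of the access-subject category are assumptions.

```xml
<!-- ROOT policyset (step 1): first-applicable stops at the first referenced
     policyset whose Target matches the request -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
           PolicySetId="ROOT" Version="1.0"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:first-applicable">
  <Target/>
  <PolicySetIdReference>ID-for-org-1</PolicySetIdReference>
  <PolicySetIdReference>ID-for-org-2</PolicySetIdReference>
</PolicySet>

<!-- Org-1 policyset (step 3), as returned by the ref provider for ID-for-org-1.
     Its Target matches only when the request's tenant attribute equals "org-1";
     for any other tenant it evaluates to NotApplicable and first-applicable moves on.
     urn:example:tenant-id is an assumed attribute name, not a standard identifier. -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
           PolicySetId="ID-for-org-1" Version="1.0"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org-1</AttributeValue>
          <AttributeDesignator
              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="urn:example:tenant-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"
              MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <!-- org-1's own access rules; "org-1-rules" is a placeholder policy id -->
  <PolicyIdReference>org-1-rules</PolicyIdReference>
</PolicySet>

<!-- Request fragment (step 2): the tenant attribute every request must carry -->
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
  <Attribute AttributeId="urn:example:tenant-id" IncludeInResult="false">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org-1</AttributeValue>
  </Attribute>
</Attributes>
```

With MustBePresent="true", a request that omits the tenant attribute makes the Target evaluate to Indeterminate instead of NotApplicable, so first-applicable returns Indeterminate rather than silently skipping to another tenant's policyset.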