EUREKA-631: Cross-tenant query requests for modules that are not entitled across all tenants in the consortium
This investigation aims to prove which workaround is acceptable so we can choose the best option for the short term. More formal, longer-term solutions are being fleshed out in parallel, but those are out of scope here. For investigation purposes, two applications were chosen:
app-requests-mediated
app-requests-ecs
Problem statement
Modules perform cross-tenant calls using the module's system user: the sidecar uses that system user to call another module. The mgr-tenant-entitlement service is responsible for initiating system user creation during application entitlement for a tenant. The main problem is that some modules are not entitled for the data tenants, so no system users exist for them in the target tenants.
Suggestion
Enable backend modules (as part of the application) for all tenants to trigger the system user creation process. The main drawback is the creation of unnecessary capabilities for such tenants and the availability of the UI application there. Two options for minimizing these drawbacks are described below.
Option 1: Enable applications for all tenants and then disable them
To be able to create system users for all tenants, we can enable all apps for all tenants and then disable some apps for the data (non-secure) tenants. This was tested on the eureka-edev environment and it works. The main drawback is the number of capabilities left in the data tenants: system users and capabilities are not deleted during the uninstallation process. After uninstallation, cross-tenant requests work, but UI capability sets and backend capabilities are still present in the data tenants. This can affect the rendering of some UI components and show users applications that do not work. An additional complication is that the DevOps team would have to perform these extra operations during every upgrade.
Can’t recommend this option for use.
Option 2: Split the application to the UI and Backend part
To be able to create system users for all tenants, we can split the applications and enable only the applications that contain backend modules for all tenants. This is the case for app-requests-ecs. Backend modules are then enabled for all tenants and system users are created for all tenants. Backend capabilities alone should not affect the UI or the rendering of UI components. Meanwhile, the applications that contain a UI module are entitled only for the secure (central) tenant. This kind of separation helps us avoid bugs related to capabilities and UI rendering while keeping system users in all tenants. It was tested on the eureka-edev environment and looks good. A similar approach was previously used for the consortia application.
Can recommend this approach as a short-term solution.