This repository was archived by the owner on Feb 26, 2021. It is now read-only.

@J12934 J12934 commented Apr 10, 2019

This Pull Request adds Multi Tenancy support to the API of the secureCodeBox.

This allows users to restrict access to the ability to see and work on securityTests. This enables users to scan services located in isolated networks, by restricting the access to scans to the technical users of the scanner services inside these networks. By restricting the access to the securityTest to the isolated worker, it is ensured that no other worker outside this network can "steal" this job.

The easiest way to configure multi tenancy is to create multiple Camunda tenants and assign the technical users of the workers to the corresponding tenant. To control to which tenant a securityTest should belong, you can set the tenant attribute on the securityTest model when starting a process. Note: You need to be a member of the tenant to start a process as part of the tenant. When the tenant attribute is set to null or is not set at all, the process will be started without a tenant.

Open Todos:

  • Add Documentation on how Multi Tenancy works and how to use it
  • Find & Document a way to prevent tenant workers from locking jobs without a tenant. (This should already be possible to do, by setting up the authentication correctly)

J12934 added 5 commits April 23, 2019 19:13
…sions

Due to the enforcement of Camunda permissions the process definition is now mandatory for a user to successfully submit a job result. The other two were added as a precaution.

Note: This is a potential **breaking change** for users not using the `scanner` group provided by default for their scanner user permissions.
The permissions of the default `scanner` group will get updated by default, all others will have to manually expand their scanner groups to match these permissions.

J12934 commented Apr 24, 2019

Due to the enforcement of Camunda permissions the ProcessDefinition READ permission is now mandatory for a user to have to successfully submit a job result. The other two (READ_INSTANCE and UPDATE_INSTANCE) were added as a precaution.

Note: This is a potential breaking change for users not using the scanner group provided by default for their scanner user permissions.
The permissions of the default scanner group will get updated by default, all others will have to manually expand their scanner groups to match these permissions.


J12934 commented Apr 24, 2019

Was able to solve "the tenant workers are getting non tenant specific work" by expanding out lock job controller. Workers with a tenant will only work on jobs belonging to their tenant while jobs without a tenant will only get handled by workers without a tenant.

So no default tenant required.

@J12934 J12934 changed the title WIP: Multi tenancy support for the secureCodeBox API Multi tenancy support for the secureCodeBox API Apr 29, 2019
@J12934 J12934 merged commit 9e403ea into develop Apr 29, 2019
@J12934 J12934 deleted the feature/multi-tenancy branch July 3, 2019 08:10
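
The lock rule described in the last comment, as an added example that is not code from this pull request or from the secureCodeBox project: a small model in which a worker may lock a job only when both carry the same tenant, or neither carries one. The names `Job`, `Worker`, `may_lock`, `lock_next` and the sample tenants and topic are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Job:
    job_id: str
    topic: str
    tenant: Optional[str] = None      # None: started without a tenant
    locked_by: Optional[str] = None   # worker id once the job is locked


@dataclass(frozen=True)
class Worker:
    worker_id: str
    tenant: Optional[str] = None      # None: technical user without a tenant


def may_lock(worker: Worker, job: Job) -> bool:
    """Tenant workers see only their tenant's jobs; jobs without a tenant
    are visible only to workers without a tenant. No fallback either way."""
    return job.locked_by is None and worker.tenant == job.tenant


def lock_next(worker: Worker, topic: str, queue: List[Job]) -> Optional[Job]:
    """Lock and return the first job on `topic` this worker may take."""
    for job in queue:
        if job.topic == topic and may_lock(worker, job):
            job.locked_by = worker.worker_id
            return job
    return None


def sample_queue() -> List[Job]:
    # Constructed sample data: one job per tenant plus one without a tenant.
    return [
        Job("j1", "nmap", tenant="isolated-net"),
        Job("j2", "nmap"),
        Job("j3", "nmap", tenant="dmz"),
    ]


if __name__ == "__main__":
    queue = sample_queue()
    outside = Worker("public-1")                 # no tenant
    inside = Worker("inside-1", "isolated-net")  # worker in the isolated network
    for w in (outside, outside, inside, inside):
        job = lock_next(w, "nmap", queue)
        print(w.worker_id, "->", job.job_id if job else None)
```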