Firestore multi-tenancy example needed

[michael griffith]

Looking for any videos or examples that show an easy way to provision and allow multi-tenancy in my firebase/firestore application without having to make a lot of changes to the existing application. 

Any/all replies appreciated.

[John Rodkey]

Hi Michael,

Multi-tenancy is a complex problem that is usually done on a case by case basis.  For example, with Firestore, you could use a single project with a tenant_id in a column for each record that belongs to a client.  In another case, you would separate your tenants into separate projects for data isolation and extra security.  

If your tenant data can live together it is as simple as adding a tenant_id to your existing data and then using where queries to ensure rules.  In addition to this, you could have tenants using Google Cloud Identity which leverages the Firebase JS SDK for login.  You would need to create a screen asking who/which tenant they belong to, load that tenant_config for firebase auth, then proceed from there.

However, to keep data isolated, you may want to have each customer in their own project./

On Mon, Dec 7, 2020 at 11:52 AM michael griffith <michael.gr...@gmail.com> wrote:

Looking for any videos or examples that show an easy way to provision and allow multi-tenancy in my firebase/firestore application without having to make a lot of changes to the existing application. 

Any/all replies appreciated.

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/e280a111-3abf-48ff-b84d-c4e27ce4cdddn%40googlegroups.com.

[michael griffith]

John, 

Thanks for the reply.  I started down the path of using Google IAM to create tenants but the documentation gets a little unclear for me.  It looks like the IAM feature there is to mainly manage tenants at the Firebase console level, not our project level.  What I was hoping for was the firestore to respect the tenant collection and sort of automatically restrict the data in the project queries to data that was created for that tenant.  It looks like I'll have to pass the tenant id to the token and set it on the custom claim in order to make this work?

[Brett Burbidge]

Hi Michael,

I had the exact hope as you. I was hoping that the Firestore Tenant would isolate the data returned from Firestore to that Tenant's ID. This leaves all data isolation logic up to the developer!  I am going to forget the first part of this query somewhere and company x is going to see company y's data... 

return db.collection('jobs').where('tenantId', '==', user.tenantId).where('userId', '==', user.uid).limit(1).get();

I think a better solution would be to authenticate the user from a universal user list (not bound by tenant) if successful then apply the rest the application to restrict to this tenant only:

db.setTenant(user.tenantId); Done on the login control, never to be messed with in lower levels of code. 

Then I can just focus on returning the data without polluting all the code with tenantIds (and probably forgetting some).

return db.collection('jobs').where('userId', '==', user.uid).limit(1).get();

Have you found a firestore solution to this anywhere?

Brett

[wekaso...@gmail.com]

Hi guys, may be some useful info in this thread: https://groups.google.com/u/1/g/firebase-talk/c/14kVJrdKLFI/m/H3p1u1AXBAAJ