tenancy isolation in firestore, cloud storage and cloud functions


Luca Faggianelli

Feb 15, 2019, 8:31:15 PM
to Firebase Google Group

Hi,


I’m building an enterprise web app, so for security concerns, privacy, etc. my intention is to have isolated data for each customer/organization (that would have multiple users). The app is now structured to support multi-tenancy, and I use Firestore and Storage rules to isolate and secure data; this way it will be compatible with both multi- and single-tenancy scenarios.

My question is how to implement single tenancy in Firebase? Consider that I’m using Firestore as DB, Cloud Storage for file storage, Cloud Functions and Firebase Auth. For Cloud Storage I may use multiple buckets, but what about Firestore and Functions triggered by Firestore? I stumbled upon “Firestore in Datastore mode”, which would support tenancy isolation with namespaces, but it doesn’t really isolate data in different DBs with different auth roles. How would you proceed? I’m open to using other GCP services, but I prefer to stick with managed services, that is, avoid hosting a dedicated MongoDB per tenant on GCP…


Has anyone implemented such an architecture? I would like to hear your stories!


Luca

Kato Richardson

Feb 19, 2019, 4:14:22 PM
to Firebase Google Group
Hi Luca,

The simplest and most secure solution, since it sounds like your tenants won't share auth across orgs, is just to have a separate project per tenant. Keep in mind that there is a limit on the number of free projects you can create in the admin console per account.

☼, Kato

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/3efdbd46-71fe-4727-85e5-18cfb3a7ee2c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398

Luca Faggianelli

Feb 21, 2019, 10:03:40 AM
to fireba...@googlegroups.com
Hi Kato, yes I agree with you! Does the limit on the number of projects also apply to the Blaze plan? Currently I don't have a number in mind, but let's say/hope 100s of projects; would there be a limit? Can all these "tenant projects" be grouped together, maybe with a tag, category or any metadata, using the Firebase Management API? I'm thinking about deployment and general management of the projects... or maybe I can use the same Firebase Hosting for all projects?

Thanks a lot!
Luca


Kato Richardson

Feb 21, 2019, 11:11:40 AM
to Firebase Google Group
Paid projects do have a limit (there's no such thing as infinite scale) but it's never a factor, particularly if you have had a GCP billing account in good standing for any length. Hundreds will be just fine.

The Management API should help, yes. I don't know about any metadata for grouping projects. I think you might need to switch over to the GCP console (Firebase projects are GCP projects, so this is fine) and do something like project labels or orgs.

☼, Kato
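
An added example, not part of the thread and not Firebase or Google code: with one project per tenant and a project label used to group them, as suggested above, this audits per-project IAM policies for principals that hold roles in more than one tenant's project. The label key `tenant`, the project IDs and the members are constructed assumptions; the dictionaries mirror the shape of Resource Manager project and IAM policy JSON.

```python
from collections import defaultdict

# Constructed sample data, shaped like Resource Manager project resources and
# getIamPolicy responses. Project IDs, label key and members are hypothetical.
PROJECTS = [
    {"projectId": "acme-tenant-a", "labels": {"tenant": "a"}},
    {"projectId": "acme-tenant-b", "labels": {"tenant": "b"}},
    {"projectId": "acme-shared-ci", "labels": {}},  # unlabelled: not a tenant
]
POLICIES = {
    "acme-tenant-a": {"bindings": [
        {"role": "roles/datastore.user",
         "members": ["serviceAccount:fn@acme-tenant-a.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["user:ops@example.com"]},
    ]},
    "acme-tenant-b": {"bindings": [
        {"role": "roles/datastore.user",
         "members": ["serviceAccount:fn@acme-tenant-a.iam.gserviceaccount.com",
                     "serviceAccount:fn@acme-tenant-b.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["user:ops@example.com"]},
    ]},
    "acme-shared-ci": {"bindings": [
        {"role": "roles/viewer", "members": ["user:ops@example.com"]},
    ]},
}
# Principals that are expected to span tenants (the operator's admin account).
ALLOWED_CROSS_TENANT = {"user:ops@example.com"}

def tenant_projects(projects, label_key="tenant"):
    """Map projectId -> tenant label for projects that carry the label."""
    return {p["projectId"]: p["labels"][label_key]
            for p in projects if label_key in p.get("labels", {})}

def cross_tenant_members(projects, policies, allowed=frozenset()):
    """Return {member: {tenant: sorted roles}} for members bound in >1 tenant."""
    seen = defaultdict(lambda: defaultdict(set))
    for project_id, tenant in tenant_projects(projects).items():
        for binding in policies.get(project_id, {}).get("bindings", []):
            for member in binding.get("members", []):
                seen[member][tenant].add(binding["role"])
    return {m: {t: sorted(r) for t, r in by_tenant.items()}
            for m, by_tenant in seen.items()
            if len(by_tenant) > 1 and m not in allowed}

if __name__ == "__main__":
    found = cross_tenant_members(PROJECTS, POLICIES, ALLOWED_CROSS_TENANT)
    for member, access in found.items():
        print("cross-tenant principal:", member, access)
```

Here tenant A's function service account has been granted Firestore access in tenant B's project, which defeats the per-project isolation; the operator account is reported too unless it is explicitly allowed.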



Luca Faggianelli

Feb 22, 2019, 10:46:04 AM
to fireba...@googlegroups.com
Great, this seems the way to go! Thank you, Kato.

Luca
