Open Closed

How to manage permissions when the multitenancy is true or false? #2890

User avatar
0
uyarbtrlp created
  • ABP Framework version: v5.1.1
  • UI type: MVC
  • DB provider: EF Core
  • Module Template (MVC): yes
  • Separated Deployment & Databases Scenario (MVC): yes
  • Steps to reproduce the issue:"

Hello Abp,

We are currently using the module template with UI. We want to use the module template, when the multitenancy is true or false. Our module should be runnable according to the multitenancy option. We want to integrate the both way.

In PermissionDefinitionProvider, we set our permissions like in the documentation. We have the permissions that are only for the tenant and also for the both side. While we are running the module with multitenancy = false, tenant side permissions is not granted. But we want to use these permissions because we don't need the multitenancy. This is the case.

Here is my question: Does the Abp handle this situation or should we put our logic into the PermissionDefinitionProvider (like if the multitenancy is false, we define new permission groups which are only MultiTenancySides.Host. But in this way, we need to duplicate the permissions.)

Thanks.

Go to accepted answer
5 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You don't have to worry, the framework will take care of enabling/disabling multi-tenancy.

    Permission grants are independent of the Host and Tenant.

  • User Avatar
    0
    uyarbtrlp created

    When I disable the multitenancy, I want to grant the permissions which are for the tenant. For example,

    var odmsUserInterfacePermission = odmsPermissionGroup.AddPermission(
                name: OdmsPermissions.UI.UIPermission,
                displayName: L("Permission:UI"), // localization string
                multiTenancySide: MultiTenancySides.Tenant, // set multi-tenancy side
                isEnabled: true // by default is activated
            ).RequireFeatures(OdmsFeatures.ApplicationBaseFeature);

    As you can see, this permission is only for the tenant. But in our case, we want to grant this permission while seeding the users like in the code below.

    private async Task GrantPermissionToRole(string permissionName, string roleName)
        {

            await PermissionManager.SetAsync(permissionName, RolePermissionValueProvider.ProviderName, roleName, true);
        }

    In the database, I can see the permission which are marked as MultiTenancySides.Both or MultiTenancySides.Host. After that, the exception is thrown:

    The permission named 'Odms.UI' has multitenancy side 'Tenant' which is not compatible with the current multitenancy side 'Host'. See the inner exception for details.
---> System.ApplicationException: The permission named 'Odms.UI' has multitenancy side 'Tenant' which is not compatible with the current multitenancy side 'Host'
   at Volo.Abp.PermissionManagement.PermissionManager.SetAsync(String permissionName, String providerName, String providerKey, Boolean isGranted)
   at Siemens.Abp.Personas.PlatformIdentityDataSeeder.GrantPermissionToRole(String permissionName, String roleName, Nullable`1 tenantId)
   at Siemens.Abp.Personas.PlatformIdentityDataSeeder.SeedModelAdminAsync(String adminUserName, String adminEmail, String adminPassword, Nullable`1 tenantId)
   at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)
   at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue`1.ProceedAsync()
   at Volo.Abp.Uow.UnitOfWorkInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed)
   at Siemens.Abp.Personas.PlatformIdentityDataSeedContributor.SeedAsync(DataSeedContext context)
   at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous(IInvocation invocation, IInvocationProceedInfo proceedInfo)
   at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapter.ProceedAsync()
   at Volo.Abp.Uow.UnitOfWorkInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.InterceptAsync(IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed)
   at Volo.Abp.Data.DataSeeder.SeedAsync(DataSeedContext context)
   at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous(IInvocation invocation, IInvocationProceedInfo proceedInfo)
   at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapter.ProceedAsync()
   at Volo.Abp.Uow.UnitOfWorkInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.InterceptAsync(IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed)
   at Siemens.Abp.Personas.AbpPersonasModule.SeedAsync(IServiceScope scope, AbpPersonasModuleOptions options, Nullable`1 forcedTenantId)
   at Siemens.Abp.Personas.AbpPersonasModule.<>c__DisplayClass1_0.<<OnApplicationInitialization>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Nito.AsyncEx.Synchronous.TaskExtensions.WaitAndUnwrapException(Task task)
   at Nito.AsyncEx.AsyncContext.<>c__DisplayClass15_0.<Run>b__0(Task t)
   at System.Threading.Tasks.ContinuationTaskFromTask.InnerInvoke()
   at System.Threading.Tasks.Task.<>c.<.cctor>b__272_0(Object obj)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
   at Nito.AsyncEx.Synchronous.TaskExtensions.WaitAndUnwrapException(Task task)
   at Nito.AsyncEx.AsyncContext.Run(Func`1 action)
   at Volo.Abp.Threading.AsyncHelper.RunSync(Func`1 action)
   at Siemens.Abp.Personas.AbpPersonasModule.OnApplicationInitialization(ApplicationInitializationContext context)
   at Volo.Abp.Modularity.AbpModule.OnApplicationInitializationAsync(ApplicationInitializationContext context)
   at Volo.Abp.Modularity.OnApplicationInitializationModuleLifecycleContributor.InitializeAsync(ApplicationInitializationContext context, IAbpModule module)
   at Volo.Abp.Modularity.ModuleManager.InitializeModulesAsync(ApplicationInitializationContext context)
   --- End of inner exception stack trace ---
   at Volo.Abp.Modularity.ModuleManager.InitializeModulesAsync(ApplicationInitializationContext context)
   at Volo.Abp.AbpApplicationBase.InitializeModulesAsync()
   at Volo.Abp.AbpApplicationWithExternalServiceProvider.InitializeAsync(IServiceProvider serviceProvider)
   at Microsoft.AspNetCore.Builder.AbpApplicationBuilderExtensions.InitializeApplicationAsync(IApplicationBuilder app)
   at Siemens.Odms.Program.Main(String[] args) in C:\Users\z0048kcm\siemens.odms\host\Siemens.Odms.IdentityServer\Program.cs:line 40

    We want to use the tenant permission when the multitenancy is false. It seems we need to define new permission group and put our logic when the multitenancy side is false because it is not handled. I think we need such a logic in the PermissionDefinitionProvider

    if(multitenancy == true) {

var odmsUserInterfacePermission = odmsPermissionGroup.AddPermission(
                name: OdmsPermissions.UI.UIPermission,
                displayName: L("Permission:UI"), // localization string
                multiTenancySide: **MultiTenancySides.Tenant**, // set multi-tenancy side is true
                isEnabled: true // by default is activated
            ).RequireFeatures(OdmsFeatures.ApplicationBaseFeature);

}
else
{

var odmsUserInterfacePermission = odmsPermissionGroup.AddPermission(
                name: OdmsPermissions.UI.UIPermission,
                displayName: L("Permission:UI"), // localization string
                multiTenancySide: **MultiTenancySides.Host**, // set multi-tenancy side is false
                isEnabled: true // by default is activated
            ).RequireFeatures(OdmsFeatures.ApplicationBaseFeature);

}
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Why not ignore multiTenancySide? This way the permission can be used by both HOST and TENANT

  • User Avatar
    0
    uyarbtrlp created

    We have a user which is a master user and responsible for creating tenants when the multitenancy is true. This user is the HOST user. We don't want to grant the tenant specific permissions to this user. If the user has these permissions, it can manage the tenant specific features.

    That's why we don't mark the multitenancy side as MultiTenancySides.Both or we don't ignore the multitenancy. We want that our application is runnable whether the multitenancy is false or true.

    When the multitenancy side is false, we want to grant tenant specific permissions (like creating a new permission group and mark as MultiTenancySides.Host like the comment above) to this master user. Since there isn't the multitenancy side the HOST user behavior will be changed and the HOST user will have these permissions. So, it can manage the features. We can say that we have two different approaches.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    I recommend you use Both but you can try this.

    Please use the same permission name for host and tenant.

    public override void Define(IPermissionDefinitionContext context)
{

    if (context.ServiceProvider.GetRequiredService<AbpMultiTenancyOptions>().IsEnabled)
    {

    }
    else
    {
        
    }   
}
    1
Assignee
User avatar maliming
Labels
Non yet
Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11