When using access control to restrict read rights on different streams, is there any shorthand way of subscribing a user to all events the user is allowed to read?
Or do I need to create projections for this purpose? If so, is it possible to easily create a stream per user, filtering on whether the user is allowed to read the event or not?
Regards,
Vidar
As of now, no. It's just per-stream based. Even creating a projection would not work that well, as you can also revoke rights to a stream at any point in time.
What might work would be to add a bit of metadata to the event when you write it (who you expect to be able to read it). A projection could then use linkTo to put it into a user-specific stream that could be read. When resolving events in the user-specific stream, the security checks would still be performed, and if they no longer had access to a given event they would no longer be able to resolve the linkTo.
That said, this mechanism would only work well for a reasonably small number of users and would not scale well to a large number of users, as it would be causing write amplification (imagine with 100 users writing 100 linkTos).
Cheers,
Greg
Basically, I’m trying to figure out how to best implement a multi-tenant application, making sure I do what I can to prevent customers from accidentally getting access to other customers' data.
For a single-tenant application I would probably just subscribe to $all, but doing this would make the application vulnerable to stupid programming errors leading to data leaking between customers.
There are already about 100 customers (and growing), so I’m looking for a solution that’s easy to maintain and administrate.
-Vidar
For tenants, the mechanism described above would not be too bad, as it would only ever write a single linkTo; it would never be one event writing 100 linkTos.
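The per-tenant linkTo projection described in the replies above, as an added example that is not part of the original thread or Event Store's own code. The `customer` metadata field, the id format and the `makeHandler`/`customerStreamFor` helpers are assumptions; `fromAll`, `$any`, `linkTo` and `e.metadata` come from the projection runtime, and the read ACL on each `customer-<id>-allevents` stream still has to be set separately.

```javascript
// Added example: one linkTo per event into a per-customer stream.
// Assumption: writers tag each event's metadata with {"customer": "<id>"}.
// Assumed id format; no '-' or '/' so the id cannot reshape the stream name.
var CUSTOMER_ID = /^[A-Za-z0-9_]{1,64}$/;

// Returns the target stream for an event, or null if it must not be linked.
function customerStreamFor(e) {
  if (!e || typeof e.eventType !== 'string') return null;
  // Skip system events and existing links (their types start with "$"),
  // otherwise the projection would re-link its own output.
  if (e.eventType.indexOf('$') === 0) return null;
  var meta = e.metadata;
  // Untagged or malformed events are linked nowhere (fail closed).
  if (!meta || typeof meta.customer !== 'string') return null;
  if (!CUSTOMER_ID.test(meta.customer)) return null;
  return 'customer-' + meta.customer + '-allevents';
}

// 'link' is injected so the handler can be exercised outside the runtime.
function makeHandler(link) {
  return function (state, e) {
    var target = customerStreamFor(e);
    if (target !== null) link(target, e); // exactly one link per event
    return state;
  };
}

// Inside the projection runtime, fromAll and linkTo are globals.
if (typeof fromAll === 'function' && typeof linkTo === 'function') {
  fromAll().when({ $any: makeHandler(linkTo) });
}
```

An event whose tag is missing or fails the format check is never linked, so a writer bug leaves it out of every customer stream rather than placing it in the wrong one.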
Thank you for responding.
You write: "When resolving events in the user specific stream the security checks would still be performed and if they no longer had access to a given event they would no longer be able to resolve the linkTo."
My question is, what is the source of the access control of any given event?
I.e.: Customer #1 writes events to some stream, and a link is created in the customer-1-allevents stream.
A client application connects with credentials only allowed to read the customer-allevents stream.
Will this client application be able to resolve the events, or does the client also need to be granted permissions on the stream where the event originated?
On a more general note: Are you aware of any writings or blog posts on multi-tenant applications with EventStore? Would be nice to hear other people's experiences and avoid doing their stupid mistakes™.
-Vidar