Yaron

Reputation: 1620

Multi-Tenant physical isolation

We have a multi-tenant Asp.Net MVC 4 web application with each tenant having its own repository of files (a folder in the file-system). We took the shared database, shared schema approach and we identify tenants by their subdomain.

What is the best way to ensure that a tenant can only access his repository folder and no other folder in the file-system? We check it in the application business logic, but what if we make a mistake...?

When running the application, all tenants run under the same user (which is defined in IIS application pool).

Do we need to serve each tenant as a separate user - using impersonation? Do we need to impersonate each time a request is made to the server - in order to fill it?

I've heard this has performance drawbacks and is not the preferred way, but what is?

We also have a Windows service which fills requests in the background (for all tenants), sent to it through MSMQ. Does this service also need to change its identity every time it gets a request?

Edit: In addition, we need a type of isolation in which, if someone uploads a file infected with a virus, it will affect only this tenant's files and not every tenant on the server. We use anti-virus software, but we need this separation also in case the anti-virus software does not identify the virus.

Thank you

Upvotes: 0

Views: 572

Answers (1)

Richard

Reputation: 108975

all tenants run under the same user

If each tenant has a separate IIS Web App and identity (whether app pool or "normal" user), then you can use NTFS access control.

This does not depend on all users having local or domain user accounts on the web servers to allow impersonation (and this NTFS access control).

However it will add memory overhead on the servers of course – each tenant will have their own worker process.

[…] MSMQ. Does this service also need to change its identity every time it gets a request?

I'm not sure you can do impersonation based on MSMQ messages, I would expect this not to work (MSMQ messages do not carry the necessary identity information).

Anything shared is going to need to be implemented to check all access: depending on the nature of the processing this may be more difficult (e.g. if client requests can be something of the order "get information from the file" for an arbitrary file: the service would need to do the access checks[1]).

[1] There are Win32 functions that will do the heavy lifting.

Upvotes: 1
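The per-tenant IIS site, app pool identity and NTFS ACL setup the answer describes, as an added PowerShell provisioning example (not code from the question or the answer). The folder layout (D:\Sites\App for the shared MVC code, D:\TenantData\<tenant> for each tenant's repository), the example.com domain and the "tenant-<name>" pool naming are assumptions.

```powershell
# Added example: provision one tenant as its own IIS site + application pool, then
# lock the tenant's data folder to that pool's virtual account with NTFS ACLs.
# Assumptions (not from the original post): shared code in D:\Sites\App, tenant
# repositories under D:\TenantData\<tenant>, subdomains <tenant>.example.com.
Import-Module WebAdministration

function New-IsolatedTenant {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[a-z0-9-]+$')][string]$Tenant,
        [string]$SiteRoot = 'D:\Sites\App',
        [string]$DataRoot = 'D:\TenantData',
        [string]$Domain   = 'example.com'
    )
    $pool     = "tenant-$Tenant"
    $dataPath = Join-Path $DataRoot $Tenant

    # 1. Dedicated application pool running as its own virtual account
    #    ("IIS AppPool\tenant-<name>"): the OS, not the app code, owns the identity.
    if (-not (Test-Path "IIS:\AppPools\$pool")) { New-WebAppPool -Name $pool | Out-Null }
    Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel.identityType -Value 4  # 4 = ApplicationPoolIdentity

    # 2. Tenant data folder: drop inherited ACEs, then grant only this pool's account
    #    (Modify) plus Administrators and SYSTEM. Other tenants' pools get no ACE at
    #    all, so a path bug in the app or an infected upload stays inside this folder.
    New-Item -ItemType Directory -Path $dataPath -Force | Out-Null
    & icacls $dataPath /inheritance:r | Out-Null
    & icacls $dataPath /grant:r "IIS AppPool\${pool}:(OI)(CI)M" `
                                "BUILTIN\Administrators:(OI)(CI)F" `
                                "NT AUTHORITY\SYSTEM:(OI)(CI)F" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $dataPath" }

    # 3. Separate IIS site bound to the tenant's subdomain. It can share the code
    #    folder (readable by IIS_IUSRS by default) but runs in the isolated pool,
    #    which is the per-tenant worker process (and memory cost) the answer mentions.
    if (-not (Get-Website -Name $Tenant -ErrorAction SilentlyContinue)) {
        New-Website -Name $Tenant -PhysicalPath $SiteRoot -ApplicationPool $pool `
                    -HostHeader "$Tenant.$Domain" -Port 80 | Out-Null
    }

    # Return what was provisioned so the ACL can be audited later (icacls $dataPath).
    [pscustomobject]@{
        Tenant = $Tenant; AppPool = $pool
        Identity = "IIS AppPool\$pool"; DataPath = $dataPath
    }
}

# Usage: New-IsolatedTenant -Tenant contoso
```

The background MSMQ service is not covered by this: as the answer says it cannot impersonate per message, so it keeps one identity and must still do its own access checks before touching any tenant folder.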