# talk-kratos
c
Hi All, In the docs it says that multi-tenancy isn't really supported in Kratos -- However in our application, we use a multi-tenancy model more like GitHub, where user accounts don't belong to a tenant, they have memberships to one or more tenants and switch between them at-will. Is this model supported with Ory?
w
That sounds like you would need something along the lines of role based access control. in the github model, a user (authenticated) can be a member of an organization (authorization) but always has access to their own account (authorization). You'd need something along the lines of keto (or any other authz product).
c
So unlike "true" multi-tenancy where each user exists only in one account -- this model is possible using Kratos + Keto (+etc). Only difference to GitHub is there is no "own account" -- Organizations are the only context
w
true multitenancy is, in fact, completely possible. it just isn't fully fleshed out in the open source repo. there are some "missing pieces" that are left as "exercises for the reader".
but in the case of a github-esque model (only where "accounts don't belong to a "tenant") where the organization would represent something more along the lines of a "special" kind of account (read: maybe the account is a member of the "github organizations" role) and anyone with an account (read: "member" role) can join another "sub" organization (read: a unique org that would have "github organizations" as a parent for example). this would be a case where all "users" are accounts. (I'm not 100% certain how github does it as i've not thought about it too deeply). I would imagine it would be at least something along the lines above.
wrt tenancy, you would need to flesh out how ory handles "organizations" and "project" (ids). That logic is sprinkled all over the code (lots and lots of hints in the openapi spec docs - i would read there first to get an idea of what they do)
the idea is, the "missing link" is the service that handles projects and organizations. but it can be inferred by looking at how kratos, etc uses those two values as discriminators and since the puzzle pieces aren't included in the open source offering, cutting out the pieces and painting them yourself.