Hey, I'm trying to set up a multi-tenant setup with a shared process engine and I found a potential security issue.
Long story short: AFAIU any user can create a deployment for any tenant as long as he has the deployment create permission.
For example:
tenant-1 can deploy a BPMN model for tenant-2, and if the name matches, his model will become the latest version of the tenant-2 model, posing a security risk.
Is there a way to mediate this?
My goal is to have all tenants (users connected to groups connected to tenants) able to create deployments only for themselves and not for any other tenant (and not without a tenant specified as well).
You can restrict tenant access with the user/group mapping settings in the Camunda Admin console. You can map users or groups to a specific tenant.
Sure, I can, but this doesn't restrict which tenant IDs such a user or group can use for deployment. He won't be able to see deployed definitions, but he can still deploy them, and possibly overwrite the old ones.
You can achieve it by creating a usergroup and assigning users to that group. Then map the usergroup to the tenant. You can map the tenant to usergroups. So the users who are part of that group are the only ones able to deploy.
Have you checked this? This is what I was able to reproduce:
Create user1 and grant him permission to create deployments.
At this point user1 has no access to any tenants, he is not able to access any resources, definitions, jobs and so on other than shared. But he is still able to deploy definitions for any tenant by specifying any tenant-id he wants. This is an obvious security vulnerability.
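
One way to enforce the restriction asked about in this thread, as an added example that is not part of any post and is not Camunda's own code: a wrapper that rejects a deployment unless the requested tenant ID is one of the caller's own, and rejects deployments with no tenant at all. The class name `TenantScopedDeployer` is hypothetical, and the example assumes that all deployments go through this wrapper and that the current authentication was set with the caller's tenant IDs.

```java
import java.io.InputStream;
import java.util.List;

import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.RepositoryService;
import org.camunda.bpm.engine.impl.identity.Authentication;
import org.camunda.bpm.engine.repository.Deployment;

// Hypothetical wrapper (assumption): the only code path allowed to create deployments.
public class TenantScopedDeployer {

    private final IdentityService identityService;
    private final RepositoryService repositoryService;

    public TenantScopedDeployer(IdentityService identityService,
                                RepositoryService repositoryService) {
        this.identityService = identityService;
        this.repositoryService = repositoryService;
    }

    public Deployment deploy(String requestedTenantId, String resourceName, InputStream model) {
        // Identity of the caller as known to the engine for this thread.
        Authentication auth = identityService.getCurrentAuthentication();
        if (auth == null || auth.getUserId() == null) {
            throw new SecurityException("Deployment rejected: no authenticated user");
        }

        // Goal from the thread: no deployments without a tenant.
        if (requestedTenantId == null || requestedTenantId.isEmpty()) {
            throw new SecurityException("Deployment rejected: tenant ID is required");
        }

        // Goal from the thread: a user may deploy only for tenants he belongs to.
        List<String> callerTenants = auth.getTenantIds();
        if (callerTenants == null || !callerTenants.contains(requestedTenantId)) {
            throw new SecurityException("Deployment rejected: user '" + auth.getUserId()
                    + "' is not a member of tenant '" + requestedTenantId + "'");
        }

        // Only reached when the tenant ID matches one of the caller's tenants.
        return repositoryService.createDeployment()
                .name(resourceName)
                .tenantId(requestedTenantId)
                .addInputStream(resourceName, model)
                .deploy();
    }
}
```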