Thursday, October 6, 2016

Solving lack of Neo4j's multitenancy with OrientDB graph database

If you have used Neo4j, you may have noticed that it does not support multi-tenant deployments. This limitation may be one of the first things you notice when starting to learn and test Neo4j, and it has been publicly discussed in several places, among them the following Stack Overflow questions: "Neo4j Multi-tenancy" and "How to achieve Multi-Tenancy in Neo4j".

Lack of multitenancy basically means that you can't create different databases inside Neo4j. You can surely store multiple graphs in Neo4j, but they are all part of a single "database". This has some serious consequences, including lack of isolation.

If you are using Neo4j in a client/server mode and you have multiple clients, you cannot have each client (or set of clients) storing and accessing their own isolated data, unless you use some workarounds.

One workaround to achieve multitenancy in Neo4j is to deploy different Neo4j instances on the same machine (running on different ports) and store different graphs in these different Neo4j instances. This of course has several implications, including:
  • resource utilization: different servers are running on the same machine;
  • increased complexity: you will have to configure each of the instances. If you want to change a configuration option or tune a parameter, you will need to do it on all instances.

Another workaround is to have your application take care of isolation and access control. This workaround has limitations too: your clients must not connect directly to the database, otherwise they may query and edit everything, including data they are not supposed to have access to.

OrientDB, on the other hand, does support multitenancy, in much the same way as traditional databases do and in the way you may expect it to work.

Once you deploy OrientDB you can create different databases. Each database can store different data / graphs and your clients can have access to one or more databases. As a result your data is kept secure and isolated.

OrientDB Studio is the web application that you can use to interact with OrientDB.

When you launch Studio, you can select the database to connect to:

You can also create a new database:

or import a public database to make some tests and get some familiarity with OrientDB:

Once you log in, you will see the database you are connected to in the top-right corner (in the image below, we are connected to the movie database):

You can also export a single database, using Studio's export feature:

To manage who can connect to a specific database and the user roles, from Studio, you can click on the Security menu:

Admin, reader and writer are three standard users, with roles admin, reader and writer respectively (you can remove these users if you like). In the image above you can see that I have created an additional user my_movie_user with role admin. This user will have access only to the movie database (unless you create a similar user for other databases).

If you prefer to use the Console to connect to OrientDB, you can specify the database you want to connect to, using the CONNECT syntax. The following command will connect to a remote database movie, using the user my_movie_user:

orientdb> CONNECT REMOTE: my_movie_user my_password

If the database does not exist, you can create it with the CREATE DATABASE syntax. You can create users with the CREATE USER syntax.
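A per-tenant provisioning session for the OrientDB console, added here as an illustration and not taken from the original post. It assumes OrientDB 2.2-era syntax; the host, the tenant_a and tenant_b database names, the user names and the <...> passwords are placeholders, and the `--` lines are annotations for the reader.

```sql
-- Added example: OrientDB console session (2.2-era syntax assumed).
-- Host, database names, user names and <...> passwords are placeholders.

-- 1. Create one database per tenant, authenticating as the server's root user.
CREATE DATABASE remote:localhost/tenant_a root <root_password> plocal

-- 2. Connect to the new database. A database created by OrientDB 2.x ships
--    with admin, reader and writer users whose passwords equal their names.
CONNECT remote:localhost/tenant_a admin admin

-- 3. Rotate or remove those default accounts before any client can reach
--    the database.
UPDATE OUser SET password = '<new_admin_password>' WHERE name = 'admin'
DROP USER reader
DROP USER writer

-- 4. Create tenant accounts with the narrowest built-in role that works:
--    writer for the application, reader for reporting, no extra admin.
CREATE USER tenant_a_app IDENTIFIED BY <app_password> ROLE writer
CREATE USER tenant_a_report IDENTIFIED BY <report_password> ROLE reader

-- 5. Review which accounts now exist in this database.
SELECT name, status FROM OUser

-- 6. Isolation check: accounts are stored in each database's own OUser class,
--    so tenant_a_app is unknown to tenant_b and this connection should be
--    refused.
CONNECT remote:localhost/tenant_b tenant_a_app <app_password>
```

Repeat the session for each tenant database, and treat a successful connection in step 6 as a sign that an account was created in the wrong database.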

The above are just a few examples: OrientDB supports, in fact, a full set of SQL commands to manage database and users, among them:

All trademarks are the property of their respective owners.
